Информационная безопасность
[RU] switch to English


Дополнительная информация

  Уязвимости безопасности в ADSL-маршрутизаторе ZTE Callisto 821+

  CSRF vulnerabilities in Callisto 821+R3 ADSL Router

  Vulnerabilities in Callisto 821+R3 ADSL Router

  Multiple DoS, CSRF and XSS vulnerabilities in ADSL modem Callisto 821+

  Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:25 октября 2015 г.
Subject:Vulnerabilities in Callisto 821+R3 ADSL Router


Hello 3APA3A!

In 2011 I wrote 22 advisories about vulnerabilities in Callisto 821+ ADSL Router (http://seclists.org/fulldisclosure/2011/Aug/1). Because vendor ignored in 2011 all my letters and subsequent my public disclosure of vulnerabilities and new devices are vulnerable as well, so in August I disclosed vulnerabilities in Callisto 821+R3 ADSL Router.

These are Brute Force and Cross-Site Request Forgery vulnerabilities. And there are many other vulnerabilities (in control panel).

SecurityVulns ID: 11700.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: Callisto 821+R3, Firmware Version: ZXDSL 831IIV7.5.1a_E09_UA. This model with other firmware and also other models of Callisto also must be vulnerable.

----------
Details:
----------

Similar Predictable Resource Location, BF and CSRF vulnerabilities, as in Callisto 821+ and other network devices of this and other vendors. The control panel of router is placed at default path with default login and password. Which allows for local users (which have access to PC or via LAN) and also for remote users via Internet (via CSRF vulnerabilities or if remote access is opened) to get access to control panel and change modem's settings. This also will be in handy for conducting of remote login attack.

Brute Force (WASC-11):

In login form http://192.168.1.1 there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default), as at local attack, as at attack via Internet (if remote access is opened).

Cross-Site Request Forgery (WASC-09):

Lack of protection against Brute Force (such as captcha) also leads to possibility of conducting of CSRF attacks, which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-Ap
ril/007773.html
). It allows to conduct remote login. Which will be in handy at conducting of attacks on different CSRF and XSS vulnerabilities in control panel.

Note, that CSRF attack on html-form for remote login is possible only when settings of ADSL router are not changed. Because after changes instead of html-form for authentication the Basic Authentication is used. Then it's needed to use method of CSRF attack on Basic Authentication, when the remote login will occur without showing of dialog window.

Callisto 821+R3 CSRF.html

<img src="http://admin:[email protected]">

<img src="http://admin:[email protected]">

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7916/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород