CVE-2023-33534: Account takeover through CSRF vulnerability

@ro0taddict
Jul 27, 2023

I found a CSRF vulnerability on the ZLTS10G wireless router running software version S10G_3.11.6. The hardware is manufactured by SZTONED / Guanzhou Tozed Kangwei Intelligent Technology, a Chinese company, but the software is maintained by Globe Telecoms, a telco provider in the Philippines.

This version of the software has no CSRF protection.

CSRF is a type of attack in which a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site while the user is authenticated there. A CSRF attack works because browser requests automatically include all cookies for the target site, including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests.

Steps to replicate:

Step 1. Access and log in to the admin panel of this router. Note that the default user for this type of device is “user” and the password is @l03e1t3. For this testing, I changed the user to “admin” and the password to “password”.

Step 2. Go to the “Account Management” dashboard under Advance Settings > Maintenance > Management.

Step 3. Attempt to change the password. Before clicking the “Save Changes” button, capture the request in Burp. Use any password. In the image below, I used “victimpass” as the password.

Step 4. Click the “Save Changes” button. While the request is captured in Burp, right-click the request and select “Engagement Tools”, then “Generate PoC”. Note that this function is only available in Burp Pro. You may also copy the PoC script below. Drop the captured request in Burp.

Step 5. Choose a new password. This is the password the attacker will use: when the attack is performed, the admin dashboard/application will change the password to whatever the attacker chooses.

Step 6. In the image below, I used “attackerpass”. Get the base64 of “attackerpass” and put this in the script (CSRF PoC).

Step 7. Save the file as an HTML file on the local machine. In an actual attack, this file would be hosted on a server controlled by the attacker.

Step 8. While the target victim user, in this case the “admin” user, is logged in to the application, double-click the “csrf.html” PoC and monitor the Burp request. You will see a successful change-password process in the HTTP request/response.

Step 9. Log out from the admin page. Attempt to log in using the “attackerpass” password and you will see a successful login.

Remediation:

  • Implement anti-CSRF tokens (a per-session synchronizer token embedded in every state-changing form and verified server-side).
  • Set the SameSite attribute on the session cookie so the browser does not attach it to cross-site requests.
  • For state-changing functions, require additional user interaction, e.g. prompt the user to enter their existing password or an OTP before proceeding.
  • Refer to the OWASP CSRF cheat sheet for a comprehensive checklist for implementing the mitigation or remediation of this vulnerability.
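The following is an added illustration of the mechanism described above and of the first three remediations, not code from the router firmware, from Globe, or from this write-up. It models the change-password endpoint as a plain Python function, first in the unprotected form the write-up describes (a valid session cookie is the only check) and then with an Origin check, a synchronizer token and a current-password re-authentication layered in. The admin-panel origin, the form field names and the in-memory session store are all assumptions made for the example; nothing here is the device’s real API.

```python
"""Constructed model of a change-password endpoint before and after CSRF hardening.
Not the firmware's code: ADMIN_ORIGIN, the form field names and the session store
are assumptions for illustration only."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://192.168.254.254"  # assumed admin-panel origin (constructed)

# In-memory session store: session id -> {"user", "password", "csrf_token"}
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str, password: str) -> str:
    """Create a session and return its id. A fresh synchronizer token is minted
    per session; the legitimate page embeds it in its form as a hidden field."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "password": password,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str, hardened: bool) -> str:
    """Set-Cookie value. The weak form carries no attributes; SameSite=Strict makes the
    browser omit the cookie from every cross-site request, so a forged form post
    arrives unauthenticated even before the token check runs."""
    if not hardened:
        return f"session={sid}; Path=/"
    return f"session={sid}; Path=/; HttpOnly; SameSite=Strict"


def csrf_token(sid: str) -> str:
    return SESSIONS[sid]["csrf_token"]


def same_origin(url: str) -> bool:
    """Compare scheme and host:port of an Origin/Referer value with the admin origin.
    A prefix match would be fooled by a look-alike host, so compare parsed parts."""
    given, trusted = urlsplit(url), urlsplit(ADMIN_ORIGIN)
    return (given.scheme, given.netloc) == (trusted.scheme, trusted.netloc)


def change_password_vulnerable(req: Request):
    """Behaviour the write-up describes: a session cookie is the only check, so any
    page that can make the victim's browser submit the form changes the password."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    sess["password"] = req.form.get("new_password", "")
    return 200, "password changed"


def change_password_hardened(req: Request):
    """Same endpoint with the remediations from the list above layered in."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change must be POST"
    # Origin/Referer check: browsers set Origin on cross-site form posts and a page
    # cannot forge it, so anything not from the admin panel is rejected outright.
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not same_origin(source):
        return 403, "cross-origin request rejected"
    # Synchronizer token: a third-party page cannot read the victim's token, so a
    # forged form cannot include it. Constant-time compare avoids a timing oracle.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    # Re-authentication: the forging page does not know the current password either.
    current = req.form.get("current_password", "").encode()
    if not hmac.compare_digest(current, sess["password"].encode()):
        return 403, "current password does not match"
    sess["password"] = req.form.get("new_password", "")
    return 200, "password changed"


def demo() -> dict:
    """Drive both endpoints with a constructed forged request and a legitimate one."""
    sid = login("admin", "password")
    # Forged request: the browser attached the (non-SameSite) session cookie, but the
    # triggering page could supply neither the token nor the current password.
    forged = Request("POST", headers={"Origin": "http://attacker.invalid"},
                     cookies={"session": sid}, form={"new_password": "attackerpass"})
    # Legitimate request from the admin panel's own form.
    legit = Request("POST", headers={"Origin": ADMIN_ORIGIN}, cookies={"session": sid},
                    form={"csrf_token": csrf_token(sid), "current_password": "password",
                          "new_password": "victimpass"})
    results = {
        "hardened_forged": change_password_hardened(forged),
        "hardened_legit": change_password_hardened(legit),
        "vulnerable_forged": change_password_vulnerable(forged),
    }
    results["final_password"] = SESSIONS[sid]["password"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the hardened endpoint rejecting the forged request with 403 while accepting the genuine one, and the unprotected endpoint accepting the same forged request and silently overwriting the password. In a real deployment the Origin check, the token and the SameSite attribute are independent layers: any one of them would have blocked the write-up’s PoC, which is why the cheat sheet recommends combining them rather than relying on a single control.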

After the issue was reported to Globe Telecoms, the author was informed that a fix is now available in software version 3.11.9.

References:

http://www.sztozed.com/en/contents/58/87.html
https://portswigger.net/web-security/csrf
https://owasp.org/www-community/attacks/csrf
