U-SPEED N300 Router Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router, specifically in firmware version 1.0.0. The router's administrative API endpoints lack proper CSRF protection, such as anti-CSRF tokens or stringent Origin/Referer validation. This oversight allows attackers to create malicious webpages that send forged HTTP requests to configuration endpoints. If an authenticated administrator visits the compromised webpage, the router mistakenly processes the request as a legitimate administrative action, using the administrator's valid session cookie.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in router settings, such as WiFi network credentials or Telnet service configurations. Additionally, it could cause a denial-of-service for legitimate users by disrupting normal router functions.

Reproduction

To reproduce this vulnerability, an attacker must create a webpage that sends a forged HTTP request to one of the vulnerable router's administrative API endpoints, such as '/api/setWlan' or '/api/telnet'. The request should include the necessary data for the targeted configuration change, such as new WiFi network details or Telnet service modifications. When an authenticated administrator visits the malicious webpage, the router will process the forged request as if it were a legitimate administrative action, due to the absence of proper CSRF protection.

Remediation

To address this vulnerability, U-SPEED should implement anti-CSRF tokens on all state-changing API endpoints and enforce strict validation of Origin and Referer headers. Additionally, the SameSite=Strict attribute should be applied to session cookies.
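The three controls recommended above, written out as an added example of the server-side check an admin endpoint would run before acting on a request; this is illustrative code, not U-SPEED firmware, and the allowed origins, the dict-based session/header/form representation and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins under which the router's admin UI is legitimately served.
# Constructed for this example; a real device would derive these from its
# configured LAN address and any hostname it answers to.
ALLOWED_ORIGINS = {"http://192.168.1.1", "http://router.local"}


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session; the UI embeds it in every form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that stops the browser attaching the session to cross-site requests."""
    return f"session={session_id}; Path=/; HttpOnly; SameSite=Strict"


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the router itself."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # browsers send at least one; refuse when both are missing
        u = urlsplit(referer)
        origin = f"{u.scheme}://{u.netloc}"  # compare scheme://host[:port] only
    return origin in ALLOWED_ORIGINS


def csrf_check(session: dict, headers: dict, form: dict) -> bool:
    """Both layers must pass before a state-changing endpoint acts on the request."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # constant-time comparison so token guessing is not aided by timing
    return hmac.compare_digest(expected, supplied)
```

A forged request from another site fails twice: its Origin is foreign, and the page that built it cannot read the token from the admin session.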

Added: Apr 30, 2026, 4:57 PM
Updated: Apr 30, 2026, 4:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.