NuCom NC-WR644GACV File Download Vulnerability

2018-07-03T00:00:00
ID OPENVAS:1361412562310141263
Type openvas
Reporter Copyright (C) 2018 Greenbone Networks GmbH
Modified 2020-05-08T00:00:00

Description

NuCom WR644GACV devices before STA006 allow an attacker to download the configuration file without credentials. By downloading this file, an attacker can access the admin password, WPA key, and any config information of the device.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
#
# NuCom NC-WR644GACV File Download Vulnerability
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (C) 2018 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# CPE identifier of the affected hardware; passed to get_app_port() and
# get_app_location() further down to look up what the detection script found.
CPE = "cpe:/h:nucom:nc-wr644gacv";

# Registration section: when the scanner loads the script with `description`
# set, only the metadata below is recorded and the script exits without
# touching the target.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.141263");
  script_version("2020-05-08T08:34:44+0000");
  script_tag(name:"last_modification", value:"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)");
  script_tag(name:"creation_date", value:"2018-07-03 11:17:10 +0200 (Tue, 03 Jul 2018)");
  # CVSS v2 base score and vector: network reachable, low complexity, no
  # authentication, partial confidentiality impact, no integrity or
  # availability impact.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_cve_id("CVE-2018-8755");

  # Quality-of-detection type: the result comes from actively requesting the
  # affected endpoint rather than from a version or banner comparison.
  script_tag(name:"qod_type", value:"exploit");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("NuCom NC-WR644GACV File Download Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2018 Greenbone Networks GmbH");
  script_family("General");
  # Runs only after the NuCom detection script and only if that script set
  # the "nucom_device/detected" key for the host.
  script_dependencies("gb_nucom_device_detect.nasl");
  script_mandatory_keys("nucom_device/detected");

  script_tag(name:"summary", value:"NuCom WR644GACV devices before STA006 allow an attacker to download the
configuration file without credentials. By downloading this file, an attacker can access the admin password, WPA
key, and any config information of the device.");

  script_tag(name:"impact", value:"Unauthenticated attackers may obtain the admin password and other sensitive
information which may lead to further attacks.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  # NOTE(review): a firmware update does not invalidate secrets that were
  # readable while the device was exposed; operators should also rotate the
  # admin password and WPA key after updating.
  script_tag(name:"solution", value:"Update to STA006 or later.");

  script_xref(name:"URL", value:"https://blog.nivel4.com/investigaciones/vulnerabilidad-en-los-dispositivos-nucom-wr644gacv/");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Active check for CVE-2018-8755: request the configuration download endpoint
# without credentials and look for the attachment header that announces the
# configuration file.

# Web port recorded for this CPE by the detection script; nothing to test
# if none was found.
port = get_app_port(cpe: CPE, service: "www");
if (!port)
  exit(0);

# Stop quietly if no install location was recorded for this port either.
# The location itself is not used below; only its presence matters.
location = get_app_location(cpe: CPE, port: port, nofork: TRUE);
if (!location)
  exit(0);

url = '/cgi-bin/config_download.cgi?action=download';

# Only the response header is matched. The report passed to
# security_message() is built from the port and URL alone, so the
# configuration contents (admin password, WPA key) are not copied into
# the scan result by this script.
pattern = 'Content-Disposition: attachment; filename="default.cfg"';

# No attachment header in the response: exit with 99, which by OpenVAS
# convention marks the host as not affected.
if (!http_vuln_check(port: port, url: url, pattern: pattern, check_header: TRUE))
  exit(99);

report = http_report_vuln_url(port: port, url: url);
security_message(port: port, data: report);
exit(0);