CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities

2014-10-25T00:00:00
ID ZSL-2014-5203
Type zeroscience
Reporter Gjoko Krstic
Modified 2014-10-25T00:00:00

Description

Title: CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Advisory ID: ZSL-2014-5203
Type: Local/Remote
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting, DoS
Risk: (3/5)
Release Date: 25.10.2014

Summary

The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.

Description

The CBN modem gateway suffers from multiple vulnerabilities including authorization bypass information disclosure, stored XSS, CSRF and denial of service.

Vendor

Compal Broadband Networks (CBN), Inc. - <http://www.icbn.com.tw>

Affected Version

Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0

Tested On

Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7

Vendor Status

N/A

PoC

cbn_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://cxsecurity.com/issue/WLB-2014100162>
[2] <http://www.exploit-db.com/exploits/35075/>
[3] <http://osvdb.org/show/osvdb/113836>
[4] <http://osvdb.org/show/osvdb/113837>
[5] <http://osvdb.org/show/osvdb/113838>
[6] <http://osvdb.org/show/osvdb/113839>
[7] <http://osvdb.org/show/osvdb/113840>
[8] <http://osvdb.org/show/osvdb/113841>
[9] <http://osvdb.org/show/osvdb/113842>
[10] <http://osvdb.org/show/osvdb/113843>
[11] <http://packetstormsecurity.com/files/128860>
[12] <http://www.securityfocus.com/bid/70762>
[13] <http://xforce.iss.net/xforce/xfdb/98328>
[14] <http://xforce.iss.net/xforce/xfdb/98329>
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653>
[16] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654>
[17] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655>
[18] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656>
[19] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657>
[20] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653>
[21] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654>
[22] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655>
[23] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656>
[24] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657>

Changelog

[25.10.2014] - Initial release
[28.10.2014] - Added reference [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[30.10.2014] - Added reference [13] and [14]
[07.11.2014] - Added reference [15], [16], [17], [18], [19], [20], [21], [22], [23] and [24]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        