155 lines
No EOL
6.4 KiB
Text
155 lines
No EOL
6.4 KiB
Text
Document Title:
|
|
===============
|
|
Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1591
|
|
|
|
Download: http://www.zhone.com/support/downloads/cpe/6218-I2/6218-I2_R030220_AnnexA.zip
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2015-09-03
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1591
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
8.8
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
At Zhone, Bandwidth Changes Everything™ is more than just a tag line. It is our focus, our fundamental belief and philosophy in
|
|
developing carrier and enterprise-grade fiber access solutions for our customers ensuring bandwidth is never a constraint in the future!
|
|
|
|
(Copy of the Vendor Homepage: http://www.zhone.com/support/ )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
An independent vulnerability laboratory researcher discovered multiple remote vulnerabilities in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2015-09-03: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Zhone
|
|
Product: Zhone ADSL2+ 4 Port Bridge (Broadcom) & Zhone ADSL2+ 4 Port Router (Broadcom) 6218-I2-xxx - FW: 03.02.20
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
An authentication bypass vulnerability has been discovered in the official in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
|
|
The vulnerability allows remote attackers to bypass the authentication procedure to compromise the hardware device or service interface.
|
|
|
|
The first vulnerability is located in the session validation when processing to request via GET (outside the network) the `pvccfg.cgi`,`dnscfg.cgi`
|
|
and `password.cgi` files. Thus can results in a reconfiguration by the attacker to compromise the hardware device.
|
|
|
|
The second vulnerability is located in the backupsettings.conf file access rights. Remote attackers can easily request via curl the backupsettings
|
|
of the hardware device. Thus can result in an easy take-over of the hardware device via an information disclosure by accessing the backupsettings.conf.
|
|
|
|
The security risk of both vulnerabilities are estimated as high with a cvss (common vulnerability scoring system) count of 8.8. Exploitation of the access
|
|
privilege issue requires no privilege application user account or user interaction. Successful exploitation of the bug results in hardware device compromise.
|
|
|
|
Request Method(s):
|
|
[+] GET
|
|
|
|
Vulnerable Model(s):
|
|
[+] Zhone ADSL2+ 4 Port Bridge (Broadcom)
|
|
[+] Zhone ADSL2+ 4 Port Router (Broadcom)
|
|
|
|
Affected Firmware:
|
|
[+] 03.02.20
|
|
|
|
Product Name:
|
|
[+] 6218-I2-xxx
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The vulnerabilities can be exploited by remote attackers without privilege device user account or user interaction.
|
|
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
|
|
|
PoC: #1
|
|
http://[LOCALHOST]:?/pvccfg.cgi
|
|
http://[LOCALHOST]:?/dnscfg.cgi
|
|
http://[LOCALHOST]:?/password.cgi (In addition to text storage of sensitive information!)
|
|
|
|
Note: The links above can be accessed without any authentication in the interface!
|
|
|
|
|
|
PoC: #2
|
|
curl "http://<IP>/backupsettings.conf" -H "Authorization: Basic dXNlcjp1c2Vy" ("dXNlcjp1c2Vy" = "user:user" in base64)
|
|
|
|
Note: Obtaining backup DSL router configurations by an users account authentication!
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the both vulnerabilities in the bridge and wireless router interface is estimated as high. (CVSS 8.8)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Mahmoud Khaled - [mahmoud_khld@yahoo.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
|
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
|
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
|
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
|
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
|
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt |