UTStarcom UTStar WA3002G4 ADSL Broadband Modem 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124238 漏洞类型 授权问题
发布时间 2017-09-15 更新时间 2019-10-23
CVE编号 CVE-2017-14243 CNNVD-ID CNNVD-201709-269
漏洞平台 Hardware CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/42739
https://cxsecurity.com/issue/WLB-2017090139
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201709-269
|漏洞详情
UTStarcom UTStar WA3002G4 ADSL Broadband Modem是美国UTStarcom公司的一款调制解调器。 UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01版本中存在身份验证绕过漏洞。攻击者可利用该漏洞访问管理设置并获取明文证书。
|漏洞EXP
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass


Vulnerability Details
======================
The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source. 

How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is  http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi

Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings

POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk


 -----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
 Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel
|参考资料

来源:MISC
链接:https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass