ID

VAR-201801-0073


CVE

CVE-2014-6437


TITLE

Aztech Modem Routers Information Disclosure Vulnerability

Trust: 0.9

sources: CNVD: CNVD-2018-04209 // BID: 69808

DESCRIPTION

Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remote attackers to obtain sensitive device configuration information via vectors involving the ROM file. Multiple Aztech ADSL devices contain an information disclosure vulnerability; information may be obtained or altered, and service operation may be disrupted (DoS). Aztech Modem Routers are modem and router all-in-one products from Aztech Group of Singapore. An information disclosure vulnerability exists in Aztech Modem Routers. An attacker could exploit the vulnerability to gain access to sensitive information and facilitate further attacks. Aztech Modem Routers are prone to an information-disclosure vulnerability.

PRODUCT DESCRIPTION

The Aztech ADSL family of modems/routers is shipped to residential and SOHO users who want wireless rates of 150-300 Mbps. The modem/router also supports IEEE 802.11b/g/n as a wireless LAN access point. The vulnerable model numbers are: DSL5018EN (1T1R) (shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU. Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html

1. Denial of Service (DoS)

The CGI script that resets the WAN connectivity of the modem can be called directly from the web server with no authentication. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi allows an unauthenticated attacker to trigger a WAN reset, a Denial of Service (DoS) that may terminate all established Internet connections in the network.

Proof of Concept: Send a GET request to cgi-bin/AZ_Retrain.cgi to reset the WAN connection: http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt

2. Broken Session Management

A successful authentication of a privileged (admin) ID in the web portal allows any attacker in the network to hijack and reuse the existing session in order to make the web server execute administrative commands. The command may be freely executed from any terminal in the network as long as the session of the privileged ID is valid.

Proof of Concept:
1. From computer A, open a web browser and log in to the modem/router's web portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt

3. File and Data Exposure

The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credentials of the telecom company and the web portal's admin username and password. An attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is ciphered text, it can be deciphered using a weak substitution technique (ROT 24), which could potentially lead to data exposure.

Proof of Concept:
a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl: http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using a Caesar cipher.

4. Web Parameter Tampering

Some of the router's restricted and disabled settings can be discovered by checking the hidden fields in forms. Most of these settings can be manipulated by intercepting the request and modifying the values upon submission. The example below shows how the Access Control List was manipulated in order to enable Telnet on the WAN side of the control panel before submitting the data.

Proof of Concept:
a. Open a web browser and redirect traffic to localhost:8080.
b. Open Burp Proxy and intercept traffic coming from the browser.
c. Log in to the router's web portal and go to the page where the protected values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router.
Refresh the browser to see the modified protected values.

Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz

The following CVEs precede the above and were found to be fixed:

CVE-2008-6588 - Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
CVE-2008-6554 - cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
CVE-2007-4733 - The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077.

Researchers: Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores / floresl(at)ph.ibm.com
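Worked example for item 3 (File and Data Exposure). This is added here and is not code from the advisory, its authors, or Aztech: it brute-forces a Caesar/ROT-shifted text dump, confirms that ROT 24 is the shift that yields readable configuration, and pulls out credential-looking lines. It assumes the ROM file is ASCII text in which only the letters were shifted; the page gives no further detail on the encoding, so a real dump may need a different alphabet. The configuration layout, field names and values in the sample are constructed, not the real Aztech format, and the sample is enciphered with ROT 2 so that ROT 24 recovers it.

```python
"""Brute-force a Caesar/ROT-shifted text configuration dump and extract
credential-looking lines. Added example for this record, not code from the
Aztech advisory or its authors. Assumption: the dump is ASCII text in which
only the letters have been shifted (digits and punctuation untouched)."""

import re
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, shift: int) -> str:
    """Apply ROT-<shift> to ASCII letters only; every other character passes through."""
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


# Markers expected in a plaintext router config. ROT leaves digits and
# punctuation alone, so letter-only keywords are what tell the shifts apart.
KEYWORDS = ("admin", "password", "user", "wan", "tr069", "pppoe")


def score(text: str) -> int:
    """Count keyword hits; the correct shift scores far above the other 25."""
    low = text.lower()
    return sum(low.count(k) for k in KEYWORDS)


def brute_force(cipher: str):
    """Try all 26 shifts and return (best_shift, plaintext, score)."""
    best = max(range(26), key=lambda s: score(rot(cipher, s)))
    plain = rot(cipher, best)
    return best, plain, score(plain)


# key=value or key: value lines whose key looks like a credential field
CRED_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]*(?:user|pass|pwd|name|account)[A-Za-z0-9_.]*)\s*[=:]\s*(.*)$",
    re.I,
)


def extract_credentials(plain: str) -> dict:
    """Return {field: value} for lines that look like usernames or passwords."""
    found = {}
    for line in plain.splitlines():
        m = CRED_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


# Constructed sample: hypothetical field names, not the real Aztech layout,
# enciphered with ROT-2 so that ROT-24 recovers the plaintext.
SAMPLE_PLAIN = """\
hw_model=DSL5018EN
wan_pppoe_user=customer01@isp.example
wan_pppoe_pass=Pa55word
tr069_acs_user=acsuser
tr069_acs_pass=acsSecret9
web_admin_user=admin
web_admin_pass=admin123
"""
SAMPLE_CIPHER = rot(SAMPLE_PLAIN, 2)

if __name__ == "__main__":
    shift, plain, hits = brute_force(SAMPLE_CIPHER)
    print(f"best shift: ROT-{shift} ({hits} keyword hits)")
    for field, value in extract_credentials(plain).items():
        print(f"{field} = {value}")
```

To use it on a downloaded file, read the file as text and pass its contents to `brute_force`; if the top score is near zero for every shift, the dump is not a plain letter-shift and the alphabet assumption above does not hold.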

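Worked example for item 4 (Web Parameter Tampering). This is added here and is not code from the advisory, its authors, or the Aztech firmware: it parses a settings form the way an intercepting proxy sees it, flips a hidden field on submission, and contrasts a CGI handler that trusts every submitted field with one that reapplies the server's own value for locked settings. The form markup, the field names (`acl_telnet_wan` and friends) and the `LOCKED_SETTINGS` table are hypothetical stand-ins for the real control-panel page.

```python
"""Hidden-field tampering and the server-side fix. Added example for this
record, not code from the advisory or the Aztech firmware; the form and the
field names are hypothetical stand-ins for the real control-panel page."""

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class FormFields(HTMLParser):
    """Collect <input name=... value=...> pairs and note which ones are hidden."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.hidden = set()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = a.get("name")
        if not name:  # e.g. the submit button
            return
        self.fields[name] = a.get("value") or ""
        if (a.get("type") or "").lower() == "hidden":
            self.hidden.add(name)


def parse_form(html: str):
    """Return (fields, hidden_field_names) for the first form's inputs."""
    p = FormFields()
    p.feed(html)
    return p.fields, p.hidden


def _decode(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper(body: str, name: str, value: str) -> str:
    """Rewrite one parameter of a urlencoded POST body, as done in Burp's intercept."""
    params = _decode(body)
    params[name] = value
    return urlencode(params)


# Hypothetical server-side policy: settings the operator has locked for this
# customer profile, with the value the device must keep.
LOCKED_SETTINGS = {"acl_telnet_wan": "0"}


def vulnerable_handler(body: str) -> dict:
    """Applies every submitted field, hidden ones included (the flaw in item 4)."""
    return _decode(body)


def hardened_handler(body: str) -> dict:
    """Treats the server as the authority: locked settings keep their server-side
    value no matter what the client sends. Better still, locked settings should
    not be rendered as form fields at all."""
    submitted = _decode(body)
    for key, locked_value in LOCKED_SETTINGS.items():
        submitted[key] = locked_value
    return submitted


# Constructed sample page, not the real Aztech markup.
SAMPLE_FORM = """
<form method="post" action="/cgi-bin/acl.cgi">
  <input type="text" name="acl_http_lan" value="1">
  <input type="hidden" name="acl_telnet_wan" value="0">
  <input type="hidden" name="acl_ssh_wan" value="0">
  <input type="submit" value="Apply">
</form>
"""


def demo():
    """Submit the form with the hidden Telnet-on-WAN flag flipped to 1."""
    fields, hidden = parse_form(SAMPLE_FORM)
    body = urlencode(fields)
    evil = tamper(body, "acl_telnet_wan", "1")
    return vulnerable_handler(evil), hardened_handler(evil)


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable handler applied:", vuln)
    print("hardened handler applied:  ", hard)
```

The hidden inputs are the tell: a field the page never lets the user edit but still round-trips through the browser is one the server must not trust. The hardened handler discards the client's copy of every locked setting; the same check belongs on any setting whose visibility depends on the logged-in role.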
Trust: 2.61

sources: NVD: CVE-2014-6437 // JVNDB: JVNDB-2014-008489 // CNVD: CNVD-2018-04209 // BID: 69808 // VULHUB: VHN-74381 // PACKETSTORM: 128254

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-04209

AFFECTED PRODUCTS

vendor:aztechmodel:adsl dsl5018en \scope:eqversion: -

Trust: 1.6

vendor:aztechmodel:dsl705euscope:eqversion: -

Trust: 1.6

vendor:aztechmodel:dsl705escope:eqversion: -

Trust: 1.6

vendor:aztech groupmodel:dsl5018enscope: - version: -

Trust: 0.8

vendor:aztech groupmodel:dsl705escope: - version: -

Trust: 0.8

vendor:aztech groupmodel:dsl705euscope: - version: -

Trust: 0.8

vendor:aztechmodel:modem routersscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2018-04209 // JVNDB: JVNDB-2014-008489 // CNNVD: CNNVD-201410-1207 // NVD: CVE-2014-6437

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-6437
value: CRITICAL

Trust: 1.0

NVD: CVE-2014-6437
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-04209
value: LOW

Trust: 0.6

CNNVD: CNNVD-201410-1207
value: MEDIUM

Trust: 0.6

VULHUB: VHN-74381
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-6437
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-04209
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-74381
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2014-6437
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-04209 // VULHUB: VHN-74381 // JVNDB: JVNDB-2014-008489 // CNNVD: CNNVD-201410-1207 // NVD: CVE-2014-6437

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-74381 // JVNDB: JVNDB-2014-008489 // NVD: CVE-2014-6437

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1207

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201410-1207

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008489

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-74381

PATCH

title:Top Pageurl:http://www.aztech.com/

Trust: 0.8

sources: JVNDB: JVNDB-2014-008489

EXTERNAL IDS

db:NVDid:CVE-2014-6437

Trust: 3.5

db:BIDid:69808

Trust: 2.6

db:PACKETSTORMid:128254

Trust: 2.6

db:JVNDBid:JVNDB-2014-008489

Trust: 0.8

db:CNNVDid:CNNVD-201410-1207

Trust: 0.7

db:CNVDid:CNVD-2018-04209

Trust: 0.6

db:EXPLOIT-DBid:39314

Trust: 0.1

db:VULHUBid:VHN-74381

Trust: 0.1

sources: CNVD: CNVD-2018-04209 // VULHUB: VHN-74381 // BID: 69808 // JVNDB: JVNDB-2014-008489 // PACKETSTORM: 128254 // CNNVD: CNNVD-201410-1207 // NVD: CVE-2014-6437

REFERENCES

url:http://packetstormsecurity.com/files/128254/aztech-dsl5018en-dsl705e-dsl705eu-dos-broken-session-management.html

Trust: 2.5

url:http://www.securityfocus.com/bid/69808

Trust: 2.3

url:http://www.securityfocus.com/archive/1/533489/100/0/threaded

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-6437

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6437

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/533489/100/0/threaded

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2014-6435

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-6436

Trust: 0.1

url:http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html

Trust: 0.1

url:http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz

Trust: 0.1

url:http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt

Trust: 0.1

url:http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt

Trust: 0.1

url:http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt

Trust: 0.1

sources: CNVD: CNVD-2018-04209 // VULHUB: VHN-74381 // JVNDB: JVNDB-2014-008489 // PACKETSTORM: 128254 // CNNVD: CNNVD-201410-1207 // NVD: CVE-2014-6437

CREDITS

Eric Fajardo

Trust: 0.9

sources: BID: 69808 // CNNVD: CNNVD-201410-1207

SOURCES

db:CNVDid:CNVD-2018-04209
db:VULHUBid:VHN-74381
db:BIDid:69808
db:JVNDBid:JVNDB-2014-008489
db:PACKETSTORMid:128254
db:CNNVDid:CNNVD-201410-1207
db:NVDid:CVE-2014-6437

LAST UPDATE DATE

2024-11-23T22:07:05.593000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-04209date:2018-03-05T00:00:00
db:VULHUBid:VHN-74381date:2018-10-09T00:00:00
db:BIDid:69808date:2014-09-23T00:01:00
db:JVNDBid:JVNDB-2014-008489date:2018-02-15T00:00:00
db:CNNVDid:CNNVD-201410-1207date:2018-01-22T00:00:00
db:NVDid:CVE-2014-6437date:2024-11-21T02:14:23.020

SOURCES RELEASE DATE

db:CNVDid:CNVD-2018-04209date:2018-03-05T00:00:00
db:VULHUBid:VHN-74381date:2018-01-12T00:00:00
db:BIDid:69808date:2014-09-15T00:00:00
db:JVNDBid:JVNDB-2014-008489date:2018-02-15T00:00:00
db:PACKETSTORMid:128254date:2014-09-15T19:44:56
db:CNNVDid:CNNVD-201410-1207date:2014-09-15T00:00:00
db:NVDid:CVE-2014-6437date:2018-01-12T17:29:00.397