CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities

Title: CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Advisory ID: ZSL-2014-5203
Type: Local/Remote
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting, DoS
Risk: (3/5)
Release Date: 25.10.2014
Summary
The CBN CH6640E/CG6640E Wireless Gateway is designed for your home, home office, or small business/enterprise. It can be used in households with one or more computers capable of wireless connectivity for remote access to the wireless gateway.
Description
The CBN modem gateway suffers from multiple vulnerabilities, including authorization bypass, information disclosure, stored XSS, CSRF and denial of service.
Vendor
Compal Broadband Networks (CBN), Inc. - http://www.icbn.com.tw
Affected Version
Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Tested On
Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vendor Status
N/A
PoC
cbn_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2014100162
[2] http://www.exploit-db.com/exploits/35075/
[3] http://osvdb.org/show/osvdb/113836
[4] http://osvdb.org/show/osvdb/113837
[5] http://osvdb.org/show/osvdb/113838
[6] http://osvdb.org/show/osvdb/113839
[7] http://osvdb.org/show/osvdb/113840
[8] http://osvdb.org/show/osvdb/113841
[9] http://osvdb.org/show/osvdb/113842
[10] http://osvdb.org/show/osvdb/113843
[11] http://packetstormsecurity.com/files/128860
[12] http://www.securityfocus.com/bid/70762
[13] http://xforce.iss.net/xforce/xfdb/98328
[14] http://xforce.iss.net/xforce/xfdb/98329
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8653
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8654
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8655
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8656
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8657
[20] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8653
[21] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8654
[22] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8655
[23] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8656
[24] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8657
Changelog
[25.10.2014] - Initial release
[28.10.2014] - Added reference [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11] and [12]
[30.10.2014] - Added reference [13] and [14]
[07.11.2014] - Added reference [15], [16], [17], [18], [19], [20], [21], [22], [23] and [24]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk