#VU8051 Hardcoded backdoor in NVG599
Published: August 31, 2017 / Updated: August 31, 2017
Vulnerability identifier: #VU8051
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
NVG599
Software vendor:
Arris
Description
The vulnerability allows a remote attacker to gain elevated privileges on the target device.
The weakness exists because an HTTPS server runs on port 49955 with default credentials. A remote attacker can authenticate on port 49955 with the username "tech" and an empty password and gain root access to the device.
Remediation
Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway’s external IP address from outside of the LAN.
POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit%3Bchmod%20000%20%2Fvar%2Fcaserver%2Fcaserver%3Bfixit
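
A defender-side check for the indicators named in this advisory, added here as an example and not part of the original advisory or any vendor code. It assumes requests are available in decrypted form (for example from a TLS-terminating proxy); the function names, indicator labels and sample captures are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs

BACKDOOR_PORT = 49955   # HTTPS service named in the advisory
BACKDOOR_USER = "tech"  # account named in the advisory (empty password)

def parse_basic_auth(value):
    """Decode an Authorization header value; return (user, password) or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: not a usable credential
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_request(raw, dst_port):
    """Return the list of indicators matched by one captured HTTP request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    path = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    hits = []
    if dst_port == BACKDOOR_PORT:
        hits.append("port-49955")
    if parse_basic_auth(headers.get("authorization", "")) == (BACKDOOR_USER, ""):
        hits.append("tech-empty-password")
    if path.split("?")[0] == "/caserver":
        hits.append("caserver-endpoint")
    # Heuristic (assumption): ';' inside set_data, as in the request above.
    if any(";" in v for v in parse_qs(body).get("set_data", [])):
        hits.append("set_data-command-separator")
    return hits

# Constructed sample captures, not real traffic.
SAMPLE_BACKDOOR = (
    "POST /caserver HTTP/1.1\r\nHost: gateway.example\r\n"
    "Authorization: Basic dGVjaDo=\r\n\r\n"
    "appid=001&set_data=a%3Bb"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: gateway.example\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n\r\n"
)
```

The remediation request above matches the same indicators, so alerts raised during a planned fix should be correlated with the change window.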