Saturday, December 22, 2018

[stringbleed] and now what? ... Password Leaks (CVE-2018-203580 to CVE-2018-20401)

OK, (Stringbleed)
NOW WHAT?


Because it is so easy to read everything that SNMP hands back, the models presented earlier let us obtain several sets of credentials in plain text.

Below I list the devices that return credentials for the web panel of these devices, that is, the web application used for remote management and administration of the device.





OIDs, PASSWORD LEAKS

WEB Interface

To obtain the credentials for the devices' web administration panel, it is only necessary to query the following OIDs.

Username :    iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
Password:      iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
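To spot this leak on the wire, the following added example (not part of the original post) decodes SNMPv1/v2c messages and flags GetResponse PDUs that carry an OID under the subtree shared by the two OIDs above; matching responses rather than requests also catches walks. The function names and the sample packet are assumptions constructed for illustration.

```python
CRED_PREFIX = (1, 3, 6, 1, 4, 1, 4491, 2, 4, 1, 1, 6, 1)  # subtree of both OIDs

def _tlv(buf, pos):  # one BER TLV -> (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):  # OID content bytes -> tuple of arcs
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def parse_snmp(packet):
    """Return (pdu_tag, community, [oids]) for an SNMPv1/v2c message."""
    _, msg, _ = _tlv(packet, 0)  # outer SEQUENCE
    _, _, pos = _tlv(msg, 0)  # version
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    pos = 0
    for _i in range(3):  # request-id plus two integers
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _tlv(varbinds, pos)
        tag, raw, _ = _tlv(vb, 0)
        if tag == 0x06 and raw:
            oids.append(_oid(raw))
    return pdu_tag, community.decode("latin-1"), oids

def leaks_credentials(packet):  # GetResponse (0xA2) with an OID under CRED_PREFIX?
    try:
        pdu_tag, _, oids = parse_snmp(packet)
    except (ValueError, IndexError):
        return False  # not parseable as SNMPv1/v2c
    return pdu_tag == 0xA2 and any(o[:len(CRED_PREFIX)] == CRED_PREFIX for o in oids)

# Constructed GetResponse: community "public", OID ...6.1.2.0, value "REDACTED".
RESPONSE = bytes.fromhex(
    "303502010104067075626c6963a228020101020100020100301d301b"
    "060f2b06010401a30b020401010601020004085245444143544544")
```

Feed it UDP/161 payloads from a capture taken at the CMTS or network edge; any hit means a device answered with a stored credential.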

Below are the devices that expose these credentials (in plain text, moreover):


| VENDOR | MODEL | oid: 1.3.6.1.2.1.1.1.0 (sysdescr) |
|---|---|---|
| Ambit | DDW2600 | Ambit Wireless CableModem <<HW_REV: 4.25; VENDOR: Ambit; BOOTR: 5.1.1b; SW_REV: 5.100.1009; MODEL: DDW2600>> |
| | DDW2602 | Ambit Wireless CableModem <<HW_REV: 4.25; VENDOR: Ambit; BOOTR: 5.1.1b; SW_REV: 5.105.1003; MODEL: DDW2602>> |
| | T60C926 | AMBIT PacketCable 1.0 Embedded MTA <<HW_REV: 2.22; VENDOR: Ambit; BOOTR: 2.1.6l; SW_REV: 4.64.1012; MODEL: T60C926>> |
| | U10C019 | Ambit Wireless CableModem <<HW_REV: 4.10; VENDOR: Ambit; BOOTR: 2.1.6d; SW_REV: 5.66.1026; MODEL: U10C019>> |
| Arris Interactive, L.L.C. | DG950A | ARRIS DOCSIS 3.0 / Touchstone Wideband Gateway <<HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.145; MODEL: DG950A>> |
| | DG950S | ARRIS EuroDOCSIS 3.0 / Touchstone Wideband Gateway <<HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.145.EURO; MODEL: DG950S>> |
| Bnmux | BCW700J | "BCW700J <<HW_REV: 1.0; VENDOR: Bnmux; BOOTR: 2.3.0; SW_REV: 5.20.7; MODEL: BCW700J>>" |
| | BCW710J | BCW710J <<HW_REV: 1.01; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.6a; MODEL: BCW710J>> |
| | BCW710J2 | BCW710J2 <<HW_REV: 1.30; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.16; MODEL: BCW710J2>> |
| CastleNet | CBV38Z4EC | CBV38Z4EC <<HW_REV: 1.0; VENDOR: CastleNet; BOOTR: 2.3.0; SW_REV: 125.553mp1.39219mp1.899.007; MODEL: CBV38Z4EC>> |
| | CBV38Z4ECNIT | CBV38Z4ECNIT <<HW_REV: 1.0; VENDOR: CastleNet; BOOTR: 2.3.0; SW_REV: 125.553mp1.39219mp1.899.005ITT; MODEL: CBV38Z4ECNIT>> |
| | CBW383G4J | CBW383G4J <<HW_REV: 1.01; VENDOR: CastleNet; BOOTR: 2.4.0alpha14; SW_REV: 37.556mp5.008; MODEL: CBW383G4J>> |
| | CBW38G4J | CBW38G4J <<HW_REV: 1.0; VENDOR: CastleNet; BOOTR: 2.3.0; SW_REV: 37.553mp1.008; MODEL: CBW38G4J>> |
| cisco | DPC2320 | Cisco DPC2320 DOCSIS 2.0 Data Gateway <<HW_REV: 1.0; VENDOR: Cisco; BOOTR: 2.3.1_D2R2(S); SW_REV: dpc2300r2-v202r1244101-150420a-v6; MODEL: DPC2320>> |
| Comtrend | CM-6200un | CM-6200un <<HW_REV: 1.0; VENDOR: Comtrend; BOOTR: 2.3.1beta2; SW_REV: 123.447.007; MODEL: CM-6200un>> |
| | CM-6300n | CM-6300n <<HW_REV: 1.0; VENDOR: Comtrend; BOOTR: 2.3.0; SW_REV: 123.553mp1.005; MODEL: CM-6300n>> |
| D-Link | DCM-604 | DCM-604 <<HW_REV: C1; VENDOR: D-Link; BOOTR: 2.3.0; SW_REV: DCM604_C1_ViaCabo_1.04_20130606; MODEL: DCM-604>> |
| | DCM-704 | D-Link Wireless Voice Gateway <<HW_REV: B3; VENDOR: D-Link; BOOTR: 2.4.0alpha14; SW_REV: EU_DCM-704_1.10; MODEL: DCM-704>> |
| iNovo Broadband | IB-8120-W21 | iNovo IB-8120-W21 <<HW_REV: 1.0; VENDOR: iNovo Broadband; BOOTR: 2.3.1; SW_REV: 139.4410mp1.004200.002; MODEL: IB-8120-W21>> |
| | IB-8120-W21E1 | iNovo IB-8120-W21E1 <<HW_REV: 1.0; VENDOR: iNovo Broadband; BOOTR: 2.3.0; SW_REV: 139.4410mp1.3921132mp1.899.004404.004; MODEL: IB-8120-W21E1>> |
| Jiuzhou | BCM93383WRG | Jiuzhou reference design <<HW_REV: V1.0; VENDOR: Jiuzhou; BOOTR: 2.4.0; SW_REV: V3.0.7; MODEL: BCM93383WRG>> |
| Kaonmedia | CG2001-AN22A | "Kaonmedia cablemodem reference design <<HW_REV: V0.6; VENDOR: Kaonmedia; BOOTR: 2.4.0mp1; SW_REV: 1.2.1; MODEL: CG2001-AN22A>" |
| | CG2001-UDBNA | Kaonmedia cablemodem reference design <<HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.4.0mp1; SW_REV: 3.0.8; MODEL: CG2001-UDBNA>> |
| | CG2001-UN2NA | Kaonmedia cablemodem reference design <<HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.4.0mp1; SW_REV: 3.0.8; MODEL: CG2001-UN2NA>> |
| ARRIS Group, Inc. | SBG6580-2 | Retail: <<HW_REV: 3; VENDOR: ARRIS Group, Inc.; BOOTR: 2400; SW_REV: D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH; MODEL: SBG6580-2>> |
| Motorola Corporation | SBG901 | <<HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.2.0; SW_REV: SBG901-2.10.1.1-GA-00-581-NOSH; MODEL: SBG901>> |
| | SBG941 | <<HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.2.0; SW_REV: SBG941-2.11.0.0-GA-07-624-NOSH; MODEL: SBG941>> |
| | SVG1202 | <<HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.3.1; SW_REV: SVG1202-2.1.0.0-GA-14-LTSH; MODEL: SVG1202>> |
| mplus | CBC383Z | CBC383Z <<HW_REV: 1.0; VENDOR: mplus; BOOTR: 2.4.0mp1; SW_REV: CBC383Z_mplus_MDr026; MODEL: CBC383Z>> |
| NET&SYS | MNG2120J | NET&SYS DOCSIS 2.0 Cable Modem <<HW_REV: 4.10; VENDOR: NET&SYS; BOOTR: 2.1.6d; SW_REV: 5.76.1006c; MODEL: MNG2120J>> |
| | MNG6300 | Netwave Docsis 3.0 Cable Modem MNG6300 <<HW_REV: 2.0; VENDOR: Net&Sys; BOOTR: 2.4.0alpha14; SW_REV: 5.83.6305jrc2; MODEL: MNG6300>> |
| NETGEAR | C3000-100NAS | NETGEAR Wireless Cable Gateway <<HW_REV: C278T00-01; VENDOR: NETGEAR; BOOTR: 2.4.0alpha18; SW_REV: V1.01.11F01; MODEL: C3000-100NAS>> |
| | CGD24G-100NAS | Netgear Wireless Cable Modem Gateway <<HW_REV: V1.0; VENDOR: Netgear; BOOTR: 2.1.7k; SW_REV: V4.4.8R073-RG; MODEL: CGD24G-100NAS>> |
| | CGD24G-1CHNAS | Netgear Wireless Cable Modem Gateway <<HW_REV: V1.0; VENDOR: Netgear; BOOTR: 2.1.7l; SW_REV: V4.4.6R04.1-RG; MODEL: CGD24G-1CHNAS>> |
| NETWAVE Networks, Inc. | MNG6200 | MNG6200 <<HW_REV: 1.01; VENDOR: NETWAVE Networks, Inc.; BOOTR: 2.4.0alpha14; SW_REV: C4835805jrc12FU121413.cpr; MODEL: MNG6200>> |
| S-A WebSTAR | DPC2100 | S-A WebSTAR DPC2100 Series DOCSIS Cable Modem Ethernet+USB <<HW_REV: 2.1; VENDOR: S-A; BOOTR: 2.1.6d; SW_REV: v2.0.2r1256-060303; MODEL: DPC2100R2>> |
| Skyworth | CM5100 | Skyworth DOCSIS 3.0 Cable Modem <<HW_REV: V2.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: V1.1.0; MODEL: CM5100> |
| | CM5100-440 | Skyworth DOCSIS 3.0 Cable Modem <<HW_REV: V2.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: V1.2.1; MODEL: CM5100-440> |
| | CM5100-511 | Skyworth DOCSIS 3.0 Wireless CableModem <<HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.14; MODEL: CM5100-511> |
| | CM5100-GHD00 | Skyworth DOCSIS 3.0 Cable Modem <<HW_REV: V2.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: V1.2.2; MODEL: CM5100-GHD00> |
| | CM5100.g2 | Skyworth DOCSIS 3.0 Wireless CableModem <<HW_REV: V5.11; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.17; MODEL: CM5100.g2> |
| Technicolor | CGA0111 | Technicolor CGA0111 Wireless/Voice Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: CGA0111E-ES-13-E23E-c8000r5712-170217-0829-TRU; MODEL: CGA0111> |
| | CWA0101 | Technicolor CWA0101 Wireless Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: CWA0101E-A23E-c7000r5712-170315-SKC; MODEL: CWA0101> |
| | DPC3928SL | Cisco DPC3928SL DOCSIS 3.0 1-PORT Voice Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: D3928SL-PSIP-13-A010-c3420r55105-170214a; MODEL: DPC3928SL>> |
| | TC7110.AR | Technicolor CableHome Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STD3.38.03; MODEL: TC7110.AR>> |
| | TC7110.B | Technicolor CableHome Gateway <<HW_REV: 2.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STC8.62.02; MODEL: TC7110.B>> |
| | TC7110.D | Technicolor CableHome Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STDB.79.02; MODEL: TC7110.d>> |
| | TC7200.d1I | Technicolor TC7200.d1I Wireless Gateway <<HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: TC7200.d1IE-N23E-c7000r5712-170406-HAT; MODEL: TC7200.d1I> |
| | TC7200.TH2v2 | BFC cablemodem reference design <<HW_REV: 01.00; VENDOR: Technicolor; BOOTR: 2.4.0.r2; SW_REV: SC05.00.22; MODEL: TC7200.TH2v2>> |
| TEKNOTEL | CBW700N | CBW700N <<HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.3.1; SW_REV: 81.447.392110.729.024; MODEL: CBW700N>> |
| Thomson | DWG849 | Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: STC0.01.16; MODEL: DWG849>> |
| | DWG850-4 | Thomson CableHome Gateway <<HW_REV: 2.1; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST9C.05.25; MODEL: DWG850-4>> |
| | DWG855 | Thomson CableHome Gateway <<HW_REV: 2.1.; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST80.20.26; MODEL: DWG855>> |
| | TWG870 | Thomson Wireless PacketCable Gateway E-MTA <<HW_REV: 1.1; VENDOR: Thomson; BOOTR: 2.3.0; SW_REV: STB2.01.36; MODEL: TWG870>> |
| Ubee | DVW2108 | Ubee PacketCable 1.5 W-EMTA <<HW_REV: 3.10.1; VENDOR: Ubee; BOOTR: 9.1.1a; SW_REV: 6.28.1017; MODEL: DVW2108>> |
| | DVW2110 | Ubee PacketCable 1.5 W-EMTA <<HW_REV: 3.10.1; VENDOR: Ubee; BOOTR: 9.1.1b; SW_REV: 6.28.2012; MODEL: DVW2110>> |
| Zoom Telephonics, Inc. | 5352 | "Ethernet/Wireless Cable Modem/Router <<HW_REV: A0; VENDOR: Zoom Telephonics, Inc.; BOOTR: 2.4.0alpha14; SW_REV: v5.5.8.6Y; MODEL: 5352>>" |

Source: https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv
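For operators who already collect sysDescr from their own devices, this added example (not from the original post or its repository) parses the `<<HW_REV: ...; MODEL: ...>>` block seen in the table and reports which inventory entries are affected models. The function names, the shortened model set and the inventory are assumptions constructed for illustration.

```python
import re

# Subset of the MODEL values from the table above, stored lower-case because
# the table itself mixes case (model column "TC7110.D", sysDescr "TC7110.d").
AFFECTED_MODELS = {"ddw2600", "dg950a", "cm5100", "tc7110.d", "sbg6580-2"}

# "<<KEY: value; ...>>" block. Several rows in the table end with a single
# ">" or a stray CSV quote, so the terminator is matched loosely.
_BLOCK = re.compile(r'<<(.*?)>{1,2}\s*"?\s*$', re.S)

def parse_sysdescr(sysdescr):
    """Split a sysDescr string into (label, {field: value})."""
    m = _BLOCK.search(sysdescr)
    if not m:
        return sysdescr.strip(' "'), {}
    fields = {}
    for part in m.group(1).split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return sysdescr[:m.start()].strip(' "'), fields

def audit(inventory):
    """Return one finding per device whose MODEL is on the affected list."""
    findings = []
    for host, sysdescr in inventory:
        _, f = parse_sysdescr(sysdescr)
        if f.get("MODEL", "").lower() in AFFECTED_MODELS:
            findings.append({"host": host, "model": f["MODEL"],
                             "sw_rev": f.get("SW_REV", "unknown")})
    return findings

# Constructed inventory (documentation addresses); the first two sysDescr
# strings are copied from the table, the third is a made-up unaffected device.
INVENTORY = [
    ("192.0.2.10", "Ambit Wireless CableModem <<HW_REV: 4.25; VENDOR: Ambit; "
                   "BOOTR: 5.1.1b; SW_REV: 5.100.1009; MODEL: DDW2600>>"),
    ("192.0.2.11", "Skyworth DOCSIS 3.0 Cable Modem <<HW_REV: V2.1; VENDOR: "
                   "Skyworth; BOOTR: 2.4.0mp1; SW_REV: V1.1.0; MODEL: CM5100>"),
    ("192.0.2.12", "Example Modem <<HW_REV: 1; VENDOR: Example; BOOTR: 1.0; "
                   "SW_REV: 1.0.0; MODEL: EX-1000>>"),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```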


Get credentials (web interface)

POC 1: 


# SysDesc



# User


# Pass





POC 2:

[Password] Interface WEB:



[Password] Interface Web and Wireless:




# [tool] Object Identifier Mapper. v0.0.1 beta

Automating the search for and retrieval of credentials:




CVEs:

CVE-2018-20380
CVE-2018-20381
CVE-2018-20382
CVE-2018-20383
CVE-2018-20384
CVE-2018-20385
CVE-2018-20386
CVE-2018-20387
CVE-2018-20388
CVE-2018-20389
CVE-2018-20390
CVE-2018-20391
CVE-2018-20392
CVE-2018-20393
CVE-2018-20394
CVE-2018-20395
CVE-2018-20396
CVE-2018-20397
CVE-2018-20398
CVE-2018-20399
CVE-2018-20400
CVE-2018-20401


Regards,
@Capitan_alfa
