Vulnerabilities > CVE-2013-5006 - Credentials Management vulnerability in Westerndigital MY NET N750, MY NET N900 and MY NET N900C

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
westerndigital
CWE-255
nessus
exploit available

Summary

main_internet.php on the Western Digital My Net N600 and N750 with firmware 1.03.12 and 1.04.16, and the N900 and N900C with firmware 1.05.12, 1.06.18, and 1.06.28, allows remote attackers to discover the cleartext administrative password by reading the "var pass=" line within the HTML source code.

Vulnerable Configurations

Part Description Count
Hardware
Westerndigital
3

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionWestern Digital My Net Wireless Routers - Password Disclosure. CVE-2013-5006. Webapps exploit for hardware platform
idEDB-ID:27288
last seen2016-02-03
modified2013-08-02
published2013-08-02
reporterKyle Lovett
sourcehttps://www.exploit-db.com/download/27288/
titleWestern Digital My Net Wireless Routers - Password Disclosure

Nessus

NASL familyCGI abuses
NASL idWD_MY_NET_PASSWORD_DISCLOSURE.NASL
descriptionThe web server for the Western Digital My Net router identified is affected by an information disclosure vulnerability. The admin password is stored in plaintext as the value for
last seen2020-06-01
modified2020-06-02
plugin id69370
published2013-08-15
reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/69370
titleWestern Digital My Net Router main_internet.php Admin Credential Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69370);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-5006");
  script_bugtraq_id(61361);
  script_xref(name:"EDB-ID", value:"27288");

  script_name(english:"Western Digital My Net Router main_internet.php Admin Credential Disclosure");
  script_summary(english:"Tries to retrieve admin credentials");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that is affected by an
information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The web server for the Western Digital My Net router identified is
affected by an information disclosure vulnerability.  The admin password
is stored in plaintext as the value for 'var pass'.  This can be found
in the source code for the 'main_internet.php' page.  An
unauthenticated, remote attacker could gain access to the login
credentials by sending a request to an affected device.

Note that in order for this issue to be exploited, UPnP and remote
administrative access must be enabled.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2013/Jul/132");
  script_set_attribute(attribute:"see_also", value:"http://www.wdc.com/wdproducts/updates/?family=wdfmynetn900");
  script_set_attribute(attribute:"solution", value:
"Users of N900 and N900C devices should update the firmware to version
1.07.16 or later.  For other affected devices, please refer to the
vendor for upgrade options.  Some sources suggest disabling remote
administrative access and disable UPnP as possible mitigation steps in
the event no upgrade option is available.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5006");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:wdc:mynet_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:8080, embedded:TRUE);
url = "/main_internet.php";

res = http_send_recv3(
  method : "GET",
  port   : port,
  item   : url,
  exit_on_fail : TRUE
);

# Does it look like My Net
if (
  "<title>WESTERN DIGITAL, INC. | WIRELESS ROUTER | HOME" >!< res[2] &&
  'LoginSubmit: function' >!< res[2]
) audit(AUDIT_NOT_DETECT, "A Western Digital My Net router", port);


if ('var pass="' >< res[2])
{
  # Extract Admin password
  pass = "";
  pat = 'var pass="([^"]*)"';
  match = eregmatch(pattern:pat, string:res[2]);
  if (!isnull(match))
  {
    pass = match[1];
    # Mask all but first and last character
    pass = pass[0] + crap(data:"*", length:6) + pass[strlen(pass)-1];
  }

  if (report_verbosity > 0)
  {
    header = 'Nessus was able to verify the issue with the following URL';
    trailer = 'And was able to determine the admin password is : "'+pass+'".' +
      '\n\nNote : All but the first and last characters have been masked.';

    report = get_vuln_report(
      items   : url,
      port    : port,
      header  : header,
      trailer : trailer
    );
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "Western Digital My Net", build_url(port:port, qs:url));

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/122640/wdmynetn-disclose.txt
idPACKETSTORM:122640
last seen2016-12-05
published2013-08-01
reporterKyle Lovett
sourcehttps://packetstormsecurity.com/files/122640/Western-Digital-My-Net-Password-Disclosure.html
titleWestern Digital My Net Password Disclosure

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:80902
last seen2017-11-19
modified2014-07-01
published2014-07-01
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-80902
titleWestern Digital My Net Wireless Routers - Password Disclosure