Software Engineering Institute

PLDT provides SpeedSurf 504AN, firmware version GAN9.8U26-4-TX-R6B018-PH.EN, and the Kasda KW58293, to customers for internet access. These devices contains multiple vulnerabilities.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5991

The form2WlanSetup.cgi page does not properly authenticate that administrative actions are being performed on purpose. An attacker may lure a user behind the router to click a malicious link when performs administrative actions such as changing the device's network settings.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-5992

The form2WlanSetup.cgi page contains an "ssid" parameter which is vulnerable to cross-site scripting.

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-5993

The form2ping.cgi page may be used to send PING requests. An attacker may use this page to inject a large string (more than 1874 characters) in the parameter "ipaddr" with a POST request which may cause a denial of service on the router. The router requires manual rebooting to recover.

CWE-798: Use of Hard-coded Credentials

Both modems contain a hard-coded account named adminpldt with a hard-coded password. For more information, please see VU#950576.

The reporter also states that the BaudTec (300Mbps WLAN ADSL2+ Router) with firmware version RNR4_A72T_PLD_0.19 may also be vulnerable to the above vulnerabilities.

The CVSS score below is based on CVE-2015-5991.

A remote attacker may utilize these credentials to gain administrator access to the device. A remote attacker may also be able to cause a denial of service.

The CERT/CC is currently unaware of a practical solution to this problem.