Ubee EVW3226 Cable Modem/Router Unauthenticated Backup File Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Ubee EVW3226 cable modem/router in firmware versions through 1.0.20. The device improperly manages backup configuration files: when a backup is generated, the file is stored in the web root for download and remains accessible without authentication until the next reboot. A remote attacker on the local network can request 'Configuration_file.cfg' directly to obtain the backup archive. The backup files are unencrypted and contain sensitive information, including the plaintext admin password, which can lead to full compromise of the device.

Impact

Exploitation of this vulnerability allows for unauthorized access to the device's backup files, which contain sensitive information such as the admin password. This access can be used to gain full control over the router.

Reproduction

The vulnerability can be reproduced by requesting 'Configuration_file.cfg' from the device's web server without authentication. This can be done using a simple HTTP GET request. Alternatively, if the backup file has already been downloaded, the same file can be uploaded to the device through the configuration restore function, which is also vulnerable to exploitation.
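For administrators auditing their own device, the following added example (not part of the original advisory and not vendor code) checks whether the backup file is served without authentication, without storing or parsing its contents. It assumes the file sits directly under the web root, as described above, and the HTML heuristic and result labels are this example's own assumptions.

```python
"""Audit check: is Configuration_file.cfg served without authentication?"""
import sys
import urllib.error
import urllib.request

BACKUP_NAME = "Configuration_file.cfg"  # file name given in the advisory


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following to a login page


def classify(status, content_type, body_prefix):
    """Return 'exposed', 'protected', 'absent' or 'inconclusive'."""
    if status in (401, 403) or 300 <= status < 400:
        return "protected"
    if status == 404:
        # Not proof of a fix: per the advisory the file only exists between
        # backup generation and the next reboot.
        return "absent"
    if status != 200:
        return "inconclusive"
    head = body_prefix.lstrip()[:256].lower()
    looks_html = "html" in (content_type or "").lower() or head.startswith(
        (b"<!doctype", b"<html"))
    if looks_html:
        return "protected"  # assumption: HTML on this path is a login/error page
    return "exposed" if body_prefix else "inconclusive"


def probe(base_url, timeout=5):
    """Request the backup with no credentials; read only the first 512 bytes."""
    url = base_url.rstrip("/") + "/" + BACKUP_NAME  # assumption: web-root path
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type")
            return classify(resp.status, ctype, resp.read(512))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type"), b"")
    except (urllib.error.URLError, OSError):
        return "inconclusive"


if __name__ == "__main__":
    print(probe(sys.argv[1]))  # argument: base URL of the router you administer
```

Run it after generating a backup in the admin interface and before rebooting; an "absent" result at any other time says nothing about whether the firmware is affected.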

Added: Nov 14, 2025, 11:29 PM
Updated: Nov 14, 2025, 11:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.