lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 18 Mar 2017 15:41:08 +0530
From: Indrajith AN <indu.an444@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02
 wireless router.

Title:
======

Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.

CVE Details:
============
CVE-2017-6896

Reference:
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion


Credit:
======

Name: Indrajith.A.N
Website: https://www.indrajithan.com

Date:
====

13-03-2017

Vendor:
======

DIGISOL router is a product of Smartlink Network Systems Ltd. is one
of India's leading networking company. It was established in the year
1993 to prop the Indian market in the field of Network Infrastructure.

Product:
=======

DIGISOL DG-HR1400 is a wireless Router


Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf

Abstract details:
=================

privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless
router enables an attacker escalate his user privilege to an admin
just by modifying the Base64encoded session cookie value

Affected Version:
=============

<=1.00.02


Exploitation-Technique:
===================

Remote


Severity Rating:
===================

8


Proof Of Concept 1:
==================

1) Login to the router as a User where router sets the session cookie
value to VVNFUg== (Base64 encode of "USER")
2) So Encode "ADMIN" to base64 and force set the session cookie value
to QURNSU4=
3) Refresh the page and you are able to escalate your USER privileges to ADMIN.

Proof Of Concept 2:
==================
https://drive.google.com/file/d/0B6715xUqH18MX29uRlpaSVJ4OTA/view?usp=sharing


Disclosure Timeline:
======================================
Vendor Notification: 13/03/17

-- 
Indrajith



-- 
Indrajith

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ