| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Mar 2017 15:41:08 +0530 From: Indrajith AN <indu.an444@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router. Title: ====== Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router. CVE Details: ============ CVE-2017-6896 Reference: ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896 https://vuldb.com/sv/?id.97954 https://www.indrajithan.com/DIGISOL_router_previlage_escaltion Credit: ====== Name: Indrajith.A.N Website: https://www.indrajithan.com Date: ==== 13-03-2017 Vendor: ====== DIGISOL router is a product of Smartlink Network Systems Ltd. is one of India's leading networking company. It was established in the year 1993 to prop the Indian market in the field of Network Infrastructure. Product: ======= DIGISOL DG-HR1400 is a wireless Router Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf Abstract details: ================= privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker escalate his user privilege to an admin just by modifying the Base64encoded session cookie value Affected Version: ============= <=1.00.02 Exploitation-Technique: =================== Remote Severity Rating: =================== 8 Proof Of Concept 1: ================== 1) Login to the router as a User where router sets the session cookie value to VVNFUg== (Base64 encode of "USER") 2) So Encode "ADMIN" to base64 and force set the session cookie value to QURNSU4= 3) Refresh the page and you are able to escalate your USER privileges to ADMIN. Proof Of Concept 2: ================== https://drive.google.com/file/d/0B6715xUqH18MX29uRlpaSVJ4OTA/view?usp=sharing Disclosure Timeline: ====================================== Vendor Notification: 13/03/17 -- Indrajith -- Indrajith _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists