lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACP8YJnadmCp3yi7FsqoL2Kcr6P7iekWYcnX-6qVWmBtb4c5SA@mail.gmail.com> Date: Tue, 7 Mar 2017 18:46:26 +0530 From: Indrajith AN <indu.an444@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Bypassing Authentication on iball Baton Routers Title: ==== iball Baton 150M Wireless router - Authentication Bypass Credit: ====== Name: Indrajith.A.N Website: https://www.indrajithan.com Date: ==== 07-03-2017 Vendor: ====== iball Envisioning the tremendous potential for innovative products required by the ever evolving users in computing and digital world, iBall was launched in September 2001 and which is one of the leading networking company Product: ======= iball Baton 150M Wireless-N ADSI.2+ Router Product link: http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539 Abstract: ======= iball Baton 150M Router's login page is insecurely developed that any attacker could bypass the admin's authentication just by tweaking the password.cgi file. Affected Version: ============= Firmware Version : 1.2.6 build 110401 Rel.47776n Hardware Version : iB-WRA150N v1 00000001 Exploitation-Technique: =================== Remote Severity Rating: =================== 9 Details: ======= Any attacker can escalate his privilege to admin using this vulnerability. Proof Of Concept: ================ 1) Navigate to Routers Login page which is usually IPV4 default Gateway IP, i.e 172.20.174.1 2) Now just append password.cgi to the URL i.e http://172.20.174.1/password.cgi 3) Right-click and View Source code which disclsus the username, password and user role of the admin in the comment section 4) Successfully logged in using the disclosed credentials. Reference: ========= Video POC : https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing Disclosure Timeline: ====================================== Vendor Notification: March 5, 2017 ----- Indrajith.A.N _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists