lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 9 Mar 2017 13:22:36 +0530
From: Indrajith AN <indu.an444@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Bypassing Authentication on iball Baton Routers

Title:
====
iball Baton 150M Wireless router - Authentication Bypass

Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com

CVE Details:
=========
CVE-2017-6558

Date:
====
07-03-2017

Vendor:
======
iball Envisioning the tremendous potential for innovative products required
by the ever evolving users in computing and digital world, iBall was
launched in September 2001 and which is one of the leading networking
company

Product:
=======
iball Baton 150M Wireless-N ADSI.2+ Router

Product link:
=============
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539

Abstract:
=======
iball Baton 150M Router's login page is insecurely developed that any
attacker could bypass the admin's authentication just by tweaking the
password.cgi file.

Affected Version:
=============
Firmware Version : 1.2.6 build 110401 Rel.47776n
Hardware Version : iB-WRA150N v1 00000001

Exploitation-Technique:
===================
Remote

Severity Rating:
===================
9

Details:
=======
Any attacker can escalate his privilege to admin using this vulnerability.

Proof Of Concept:
================
1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
i.e 172.20.174.1

2) Now just append password.cgi to the URL i.e
http://172.20.174.1/password.cgi

3) Force wget to view content of the CGI file, We can see the (hidden tag)
in the comment section which contians the updated Username, Role and
Password.

4) Successfully logged in using the disclosed credentials.


Disclosure Timeline:
======================================
Vendor Notification: March 5, 2017

-----
Indrajith.A.N
Application Security Analyst.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ