74 lines
No EOL
1.7 KiB
Text
74 lines
No EOL
1.7 KiB
Text
Title:
|
|
====
|
|
iball Baton 150M Wireless router - Authentication Bypass
|
|
|
|
Credit:
|
|
======
|
|
Name: Indrajith.A.N
|
|
Website: https://www.indrajithan.com
|
|
|
|
Date:
|
|
====
|
|
07-03-2017
|
|
|
|
Vendor:
|
|
======
|
|
iball Envisioning the tremendous potential for innovative products required
|
|
by the ever evolving users in computing and digital world, iBall was
|
|
launched in September 2001 and which is one of the leading networking
|
|
company
|
|
|
|
Product:
|
|
=======
|
|
iball Baton 150M Wireless-N ADSI.2+ Router
|
|
|
|
Product link:
|
|
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
|
|
|
|
Abstract:
|
|
=======
|
|
iball Baton 150M Router's login page is insecurely developed that any
|
|
attacker could bypass the admin's authentication just by tweaking the
|
|
password.cgi file.
|
|
|
|
Affected Version:
|
|
=============
|
|
Firmware Version : 1.2.6 build 110401 Rel.47776n
|
|
Hardware Version : iB-WRA150N v1 00000001
|
|
|
|
Exploitation-Technique:
|
|
===================
|
|
Remote
|
|
|
|
Severity Rating:
|
|
===================
|
|
9
|
|
|
|
Details:
|
|
=======
|
|
Any attacker can escalate his privilege to admin using this vulnerability.
|
|
|
|
Proof Of Concept:
|
|
================
|
|
1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
|
|
i.e 172.20.174.1
|
|
|
|
2) Now just append password.cgi to the URL i.e
|
|
http://172.20.174.1/password.cgi
|
|
|
|
3) Right-click and View Source code which disclsus the username, password
|
|
and user role of the admin in the comment section
|
|
|
|
4) Successfully logged in using the disclosed credentials.
|
|
|
|
Reference:
|
|
=========
|
|
1. https://www.youtube.com/watch?v=8GZg1IuSfCs
|
|
2. https://www.techipick.com/exploiting-router-authentication-through-web-interface
|
|
|
|
Disclosure Timeline:
|
|
======================================
|
|
Vendor Notification: March 5, 2017
|
|
|
|
-----
|
|
Indrajith.A.N |