DIGISOL DG-HR1400 权限许可和访问控制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1123788 漏洞类型 权限许可和访问控制问题
发布时间 2017-03-18 更新时间 2019-10-23
CVE编号 CVE-2017-6896 CNNVD-ID CNNVD-201703-580
漏洞平台 Hardware CVSS评分 6.5
|漏洞来源
https://www.exploit-db.com/exploits/41633
https://cxsecurity.com/issue/WLB-2017030189
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201703-580
|漏洞详情
DIGISOL DG-HR1400是印度DIGISOL SYSTEMS公司的一款无线宽带家用路由器。 DIGISOL DG-HR1400 1.00.02版本无线路由器中存在提权漏洞。攻击者可通过更改Base64编码的会话cookie值利用该漏洞将用户权限提升至管理员权限。
|漏洞EXP
Title:
======

Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.

CVE Details:
============
CVE-2017-6896

Reference:
========== 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion


Credit:
======

Name: Indrajith.A.N
Website: https://www.indrajithan.com

Date:
====

13-03-2017

Vendor:
======

DIGISOL router is a product of Smartlink Network Systems Ltd. is one of India's leading networking company. It was established in the year 1993 to prop the Indian market in the field of Network Infrastructure.

Product:
=======

DIGISOL DG-HR1400 is a wireless Router


Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf

Abstract details:
=================

privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker escalate his user privilege to an admin just by modifying the Base64encoded session cookie value 

Affected Version:
=============

<=1.00.02


Exploitation-Technique:
===================

Remote


Severity Rating:
===================

8


Proof Of Concept :
==================

1) Login to the router as a User where router sets the session cookie value to VVNFUg== (Base64 encode of "USER")
2) So Encode "ADMIN" to base64 and force set the session cookie value to QURNSU4= 
3) Refresh the page and you are able to escalate your USER privileges to ADMIN.


Disclosure Timeline:
======================================
Vendor Notification: 13/03/17
|参考资料

来源:www.indrajithan.com
链接:https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
来源:drive.google.com
链接:https://drive.google.com/file/d/0B6715xUqH18MX29uRlpaSVJ4OTA/view?usp=sharing