[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass Vulnerability

Author
Gem George
Risk
[
Security Risk High
]
0day-ID
0day-ID-28571
Category
web applications
Date add
18-09-2017
CVE
CVE-2017-14243
Platform
hardware
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
 
 
Vulnerability Details
======================
The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source. 
 
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is  http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
 
Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings
 
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk

#  0day.today [2024-12-26]  #