Vulnerabilities > CVE-2017-14244 - Forced Browsing vulnerability in Iball Ib-Wra150N Firmware Fwiblr7011A1.0.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Directory Indexing An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
- Forceful Browsing An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
Exploit-Db
| description | iBall ADSL2+ Home Router - Authentication Bypass. CVE-2017-14244. Webapps exploit for Hardware platform |
| file | exploits/hardware/webapps/42740.txt |
| id | EDB-ID:42740 |
| last seen | 2017-09-18 |
| modified | 2017-09-18 |
| platform | hardware |
| port | |
| published | 2017-09-18 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/42740/ |
| title | iBall ADSL2+ Home Router - Authentication Bypass |
| type | webapps |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/144240/iball-bypass.txt |
| id | PACKETSTORM:144240 |
| last seen | 2017-09-19 |
| published | 2017-09-19 |
| reporter | Gem George |
| source | https://packetstormsecurity.com/files/144240/iBall-ADSL2-Home-Router-Authentication-Bypass.html |
| title | iBall ADSL2+ Home Router Authentication Bypass |
Seebug
bulletinFamily exploit description ### Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability * CVE: CVE-2017-14244 * Date: 15-09-2017 * Exploit Author: Gem George * Author Contact: https://www.linkedin.com/in/gemgrge * Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746 * Firmware version: FW_iB-LR7011A_1.0.2 * Vendor Homepage: https://www.iball.co.in * Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass ### Vulnerability Details iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc. ### How to reproduce Suppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi ### Example URLs: * http://192.168.1.1/info.cgi – Status and details * http://192.168.1.1/upload.cgi – Firmware Upgrade * http://192.168.1.1/backupsettings.cgi – perform backup settings to PC * http://192.168.1.1/pppoe.cgi – PPPoE settings * http://192.168.1.1/resetrouter.cgi – Router reset * http://192.168.1.1/password.cgi – password settings id SSV:96644 last seen 2017-11-19 modified 2017-10-11 published 2017-10-11 reporter Root source https://www.seebug.org/vuldb/ssvid-96644 title iBall ADSL2+ Home Router Authentication Bypass Vulnerability(CVE-2017-14244) bulletinFamily exploit description ### Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability * CVE: CVE-2017-14243 * Date: 15-09-2017 * Exploit Author: Gem George * Author Contact: https://www.linkedin.com/in/gemgrge * Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem * Firmware version: WA3002G4-0021.01 * Vendor Homepage: http://www.utstar.com/ * Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass ### Vulnerability Details The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source. ### How to reproduce Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi ### Example URLs: * http://192.168.1.1/info.cgi – Status and details * http://192.168.1.1/upload.cgi – Firmware Upgrade * http://192.168.1.1/backupsettings.cgi – perform backup settings to PC * http://192.168.1.1/pppoe.cgi – PPPoE settings * http://192.168.1.1/resetrouter.cgi – Router reset * http://192.168.1.1/password.cgi – password settings id SSV:96645 last seen 2017-11-19 modified 2017-10-11 published 2017-10-11 reporter Root source https://www.seebug.org/vuldb/ssvid-96645 title UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass(CVE-2017-14243)