Sagem Fast 3304-V2 - Authentication Bypass (1)

EDB-ID:

32859

CVE:





Platform:

Hardware

Date:

2014-04-14


# Title              : Sagem F@st 3304-V2 Authentication Bypass
# Vendor             : http://www.sagemcom.com
# Severity           : High
# Tested on          : Firefox, Google Chrome, Internet Explorer
# Tested Router      : Sagem F@st 3304-V2 (3304, 3464, 3504 may also be affected)
# Date               : 2014-09-04
# Author             : Yassine Aboukir
# Contact            : Yaaboukir@gmail.com
# Blog               : http://linkedin.com/pub/yassine-aboukir/43/900/1b3
-----------

# Vulnerability description: : Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The router is vulnerable to an authentification bypass bug which allows unprivileged users to modify the preconfigured root password then log in with administrator permissions. 
The default URL to access to the web management interface is http://192.168.1.1 but this attack can also be performed by an axternal attacker who connects to the router's public IP address.

# Exploit :
The vulnerability can be exploited by running javascript code in the web browser bar which allows to access password change page without having permession to do so.
--- Using Chrome, Internet Explorer browser :
You first need to access the router login page http://192.168.1.1/(without loging in) 
Then execute the following javascript in the URL bar : javascript:mimic_button('goto: 9096..')

--- Using Firefox : 
Because running javascript in the url bar has been disabled in Mozilla Firefox, we will try another way :
You first need to access the router login page http://192.168.1.1/(without loging in) 

1st Method : 
You have to bookmark the javascript: link before it can be executed.
---- Show all Bookmarks (Ctrl+Shift+B)
---- Select folder (e.g. Bookmarks Toolbar)
---- Click Organize-> New bookmark .. and enter javascript:mimic_button('goto: 9096..') in the address field.

2nd Method :
The web console tool (CTRL + SHIFT + K), in which you can interpret javascript expressions in real time using the command line provided by the Web Console.