
iBall Baton ADSL2+ Home Router, UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass

Hi, I hope you have already gone through my first router exploitation write-up, Exploiting Router Authentication through Web Interface (CVE-2017-6558). Once again researching router exploitation, I found a similar bug in two other products, iBall Baton ADSL2+ Home Router and UTStar WA3002G4 ADSL Broadband Modem, that allowed me to bypass admin panel authentication. Both products are from different vendors, but the vulnerability is the same.

I was looking for methods to bypass authentication on routers commonly used in my country. First I opened the iBall Baton ADSL2+ Home Router admin page. The admin panel is protected by password authentication. I knew some routers use CGI scripts, like PayPal uses on their website. I tried to access common pages in the router by appending .cgi to the end of the URL. Luckily the page info.cgi opened without asking for authentication. I found a few other pages that can be accessed in the same way.

Steps

  1. Suppose 192.168.1.1 is the router IP; then the password reset page is http://192.168.1.1/password.html by default
  2. This page is protected, but the protection can be bypassed by changing the URL extension to http://192.168.1.1/password.cgi

In the case of UTStar, the source code of the password.cgi page contains the usernames and corresponding passwords in plain text. These passwords can be used to log in to the admin panel!

Some pages we can directly access:

  • http://192.168.1.1/info.cgi – Status and details
  • http://192.168.1.1/upload.cgi – Firmware upgrade
  • http://192.168.1.1/backupsettings.cgi – Backup settings to PC
  • http://192.168.1.1/pppoe.cgi – PPPoE settings
  • http://192.168.1.1/resetrouter.cgi – Router reset
  • http://192.168.1.1/password.cgi – Password settings

Products Affected

  • UTStar WA3002G4 ADSL Broadband Modem – Firmware Version: WA3002G4-0021.01
  • iBall Baton ADSL2+ Home Router – Firmware version: FW_iB-LR7011A_1.0.2


Identified and Reported by
Gem George


Exploiting Router Authentication through Web Interface

The “iBall Baton 150M Wireless Router Authentication Bypass Vulnerability” is the one I found when I was studying in college. I was simply browsing the router pages to see if there was any way to get an authorized page without a username/password. Somehow I noticed a web request being sent to a .cgi page. I guessed there were pages with a cgi extension instead of html. So I tried an existing known page, password.html, as password.cgi. Luckily the authentication was bypassed and the password reset page was shown. Later I identified that all existing pages can be accessed in this way without a username/password. While checking the source code of the password reset page, I found the passwords of each login account in clear text! Clearly it is a critical vulnerability in the iBall router.

Routers such as D-Link, Linksys, etc. have web interfaces that use CGI scripts. We can easily access and change these routers' configuration, bypassing authentication. CGI is one method by which a web server can obtain data from (or send data to) databases, documents, and other programs, and present that data to viewers via the web. The authentication bypass vulnerability is powerful, as anyone can change the router configuration, such as changing passwords, resetting the router, etc., through any web browser. The steps are mentioned below:

First we need the router IP, which is usually the IPv4 default gateway IP. We can find this using the ipconfig /all command from cmd, or by checking the details of the network adapter connected to the network from Network and Sharing Center.

The most common default router IPs are 192.168.0.1, 192.168.1.1, etc. Suppose the router IP is 192.168.1.1; we change the URL of any web page so that it ends with .cgi.

I.e., we change

http://192.168.1.1/password.html

to

http://192.168.1.1/password.cgi

Watch this video demonstration for more details. The video mainly shows:

  1. Accessing router configuration without a username and password
  2. Finding usernames and passwords hidden inside the page source

Watch video: https://youtu.be/8GZg1IuSfCs

Some other pages we can directly access in this way are:

  • http://192.168.1.1/upload.cgi
  • http://192.168.1.1/resetrouter.cgi
  • http://192.168.1.1/pppoe.cgi
  • http://192.168.1.1/info.cgi
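As an added illustration, not code from either router's firmware, here is a small Python model of the dispatcher bug both router posts describe (the login check is keyed on the .html extension, so the .cgi spelling of the same page is served unauthenticated, and, as on the UTStar, the password page embeds stored credentials in its source), beside a hardened dispatcher that authorises by resource, denies by default and never echoes secrets. All page names, account names and passwords below are constructed.

```python
import os
from urllib.parse import urlsplit

# Constructed sample data: the account table and page names are illustrative only.
ACCOUNTS = {"admin": "admin-secret", "user": "user-secret"}
PUBLIC_PAGES = {"login"}   # everything else requires a session (default deny)


def page_name(path):
    """Normalise a request path to its page name: '/Password.CGI?x=1' -> 'password'.
    The extension is stripped because it must not act as a security boundary."""
    name, _ext = os.path.splitext(urlsplit(path).path.lstrip("/"))
    return name.lower()


def render(name, reveal_secrets):
    """Render a page body. The password page shows the account table; the
    vulnerable variant fills in the stored passwords (as observed on the UTStar)."""
    if name == "password":
        fields = []
        for user, pwd in ACCOUNTS.items():
            value = pwd if reveal_secrets else ""
            fields.append(f'<input name="{user}" value="{value}">')
        return "<form>" + "".join(fields) + "</form>"
    return f"<h1>{name}</h1>"


def vulnerable_dispatch(path, authenticated):
    """Model of the bug: only '*.html' requests are gated, so the same page
    requested as '*.cgi' skips the login check entirely."""
    _name, ext = os.path.splitext(urlsplit(path).path)
    if ext == ".html" and not authenticated:
        return 401, ""
    return 200, render(page_name(path), reveal_secrets=True)


def hardened_dispatch(path, authenticated):
    """Fix: authorise the resource rather than the spelling of its URL, deny by
    default, and never write stored credentials into the page source."""
    name = page_name(path)
    if name not in PUBLIC_PAGES and not authenticated:
        return 401, ""
    return 200, render(name, reveal_secrets=False)


def leaks_credentials(body):
    """Review check: does a response body contain any stored password?"""
    return any(pwd in body for pwd in ACCOUNTS.values())
```

The same check applies when reviewing real firmware: every handler behind the admin UI, whatever its extension, should be reachable only after the session check, and password forms should never be pre-filled from the credential store.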

Identified and Reported by
Gem George


How to unlock and view Facebook profile picture in full size

Facebook gives users the option to lock the full-size view of their profile picture from the public. It is also possible to lock the full-size view from friends by changing the privacy setting to “Only Me”.

It's easy to find out whether a profile picture is locked for full size. Simply mouse over the profile picture: the cursor will change to a “hand”. Now click to see the full-size image. If it is locked, there will be no change in the cursor. Even if we right-click, take the image location URL and open it in a new tab, we will not get its actual size.

There are a few browser applications to unlock and view profile pictures in their original size. We need to install those apps.
But the following simple trick will unlock the size limitation and help to view the picture in full size. This method does not need any apps to be installed.

Steps:

1. Open the profile of the person whose profile picture you want to see in its original size.

2. Right-click and copy its image URL

3. Open a new tab and paste it in the address bar. The URL will look like this:

https://fbcdn-profile-a.akamaihd.net/hprofile-ak-xpa1/v/t1.0-1/c2.100.716.716/s200x200/10482496_10152300259746890_5258561475610608030_n.jpg?oh=ea254c8351b4f032068759a8e7b01f87&oe=54B927AA&__gda__=1421412635_d3911b9ce1354a6c2b4b6fe7b5cc055c

4. Now remove the red-coloured code from the URL and hit Enter


Now you will see the full-sized image of the profile picture.

Note: The above URL is just for demo and will not work. It doesn't belong to any existing Fb profile.