exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SingTel / Aztech DSL8900GR(AC) Authentication Bypass

SingTel / Aztech DSL8900GR(AC) Authentication Bypass
Posted Nov 11, 2017
Authored by cort

SingTel / Aztech DSL8900GR(AC) router suffers from an authentication bypass vulnerability.

tags | exploit, bypass
SHA-256 | c17fab0fd15d4389903e54eaeb90195ec34a38b1329807cf39f2d1a52fd30edd

SingTel / Aztech DSL8900GR(AC) Authentication Bypass

Change Mirror Download
Credit: Cort
Date: 5 Aug 2017
CVE: Not assigned
Vendor: Aztech (https://www.aztech.com) / SingTel (https://www.singtel.com/)
Product: Aztech DSL8900GR(AC) router
Versions Affected: firmware 340.6.1-007 (latest available as of 9 Nov 2017)
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Fix: Not available.

Introduction
===
The Aztech DSL8900GR(AC) router is distributed by SingTel (largest ISP in Singapore) with their business broadband package. It does not appear to be available for direct sales.

The web admin interface for the router is protected by http basic access authentication, but it was found that this only applies to the main menu page. By directly visiting the pages used for the actual configurations (eg. DNS server settings page), no passwords are requested, and configuration changes can be successfully applied without authentication.

While only the DSL8900GR(AC) was tested, other models of Aztech routers distributed by SingTel were observed to have an identical web admin interface and are potentially affected in the same way.


Technical Description
===
The attack can be carried out by a local user without admin priviledges by directly visiting the configuration pages for the web admin interface. For example, visiting http://192.168.1.254/rtroutecfg.cmd?action=viewcfg will allow the user to view and change static routes on the router without requiring any authentication.

The attack can also be remotely triggered without local access, by getting a local user to visit a malicious webpage or click on a link. The router accepts configurations change command via HTTP GET without authentication.

The vulnerability can be exploited to change DNS servers, static routes, wifi passwords, and reboot the router. This can be used to spoof websites, capture traffic, or shutdown networks.

All configuration changes accessible through the web admin interface are likely to be affected, but only the previously mentioned changes were tested.


Proof of Concept (Local Attack)
===
1) Connect to the router's network (eg. via wifi AP).

2) Visit http://192.168.1.254/rtroutecfg.cmd?action=viewcfg using any browser. No username or password is requested.

3) Change route using the web interface. It can be easily verified that the route change has been effected by the router.


Proof of Concept (Remote Attack)
===
1) Create a webpage containing the following HTML and place it anywhere on the internet.

<iframe src="http://192.168.1.254/aztech_lancfg2.cgi?lanDnsSecondary=1.2.3.4">
</iframe>

2) Get a user on the router's network to visit the webpage. The user does not require admin priviledges.

3) The secondary DNS has now been changed to "1.2.3.4". This example is generally harmless, but other more dangerous changes can be made in the same way.


Solutions
===
No known workaround.

Patch was expected to complete testing by 30 Sep 2017, but there was subsequently no communications from the vendor on the patch status.


Timeline
===
2017-08-05 Discovery by Cort. Initial vendor (Aztech) notification (no response).
2017-08-12 Second notification to vendor (no response).
2017-08-17 Third notification to vendor (no response).
2017-08-21 Notified SingCert, who in turn notified Aztech and SingTel.
2017-09-06 Patch testing expected to be completed by 30 Sep 2017 (according to SingCert).
2017-10-05 SingCert checking on status of patch. No response on status.
2017-11-05 Contacted SingCert to check on status of patch (no response).
2017-11-11 Public disclosure of vulnerability due to lack of response from vendor.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close