CVE-2014-9222 Misfortune Cookie Vulnerability Authentication Bypass

Introduction

AllegroSoft RomPager 4.34 and earlier, the embedded web server used in many routers and gateways, has a vulnerability (CVE-2014-9222, "Misfortune Cookie") that lets an unauthenticated client bypass the device's authentication by sending a crafted cookie.

Device Identification

Devices running the affected web server can be identified with the following Shodan query:

"RomPager/4.07" "EXT:"

Exploit

Each firmware version has its own "number" and "offset" values, which can be looked up in the routersploit module: https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/multi/misfortune_cookie.py

For the TP-Link TD-8816 router with firmware V6_100907 the number is 107369788 and the offset is 1, so the cookie that disables authentication is C107369788=A\x00. For the TP-Link TD-8840T with firmware V3_110221 the number and offset are 107369764 and 5, so the cookie is C107369764=AAAAA\x00 (the offset sets the number of A characters before the null byte).

Intercept the request sent by the login page in the BurpSuite Proxy and add the cookie corresponding to the firmware, as shown in the figure below.


Click on the Hex tab and change the byte that represents the trailing 0 from its ASCII value 0x30 to 0x00, since the null byte cannot be typed into the text view.


Forward the request in the BurpSuite proxy. From then on, the device accepts sessions without prompting for credentials.

To re-enable authentication, either reboot the device or send a request with the cookie C107369788=A\x01.
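From the defender's side, the two facts above (a RomPager banner at or below 4.34, and a cookie named C followed by digits whose value carries a null or other control byte) are enough to write a simple detector. The following Python is an added example, not code from this post or from routersploit; the Server banner format "RomPager/x.y" and the sample requests are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of the crafted cookie described in the post: name "C" + decimal
# number, value whose tail is a NUL (0x00) or other control byte.
COOKIE_NAME_RE = re.compile(rb"^C\d+$")
# Assumed banner format, e.g. "RomPager/4.07 UPnP/1.0" (assumption, not from the post).
ROMPAGER_RE = re.compile(rb"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

# Last RomPager release the post names as affected (4.34 and earlier).
MAX_VULNERABLE_VERSION = (4, 34)


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split a raw HTTP request into its request line and a header dict (lower-cased names)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        # Strip only spaces and tabs so that control bytes in the value survive.
        headers[name.strip(b" \t").lower()] = value.strip(b" \t")
    return lines[0], headers


def suspicious_cookies(cookie_header: bytes) -> List[bytes]:
    """Return the names of cookies whose shape matches the Misfortune Cookie payload."""
    hits: List[bytes] = []
    for item in cookie_header.split(b";"):
        item = item.strip(b" \t")
        if b"=" not in item:
            continue
        name, _, value = item.partition(b"=")
        # Control bytes (0x00-0x1f, 0x7f) never belong in a legitimate cookie value.
        has_control = any(b < 0x20 or b == 0x7F for b in value)
        if COOKIE_NAME_RE.match(name) and has_control:
            hits.append(name)
    return hits


def rompager_vulnerable(server_header: bytes) -> Optional[bool]:
    """True if the banner names RomPager <= 4.34, False if newer, None if not RomPager at all."""
    m = ROMPAGER_RE.search(server_header)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    return version <= MAX_VULNERABLE_VERSION


def assess(raw_request: bytes, server_banner: bytes = b"") -> Dict[str, object]:
    """Combine the cookie check on a request with the banner check on the responding device."""
    request_line, headers = parse_request(raw_request)
    cookies = suspicious_cookies(headers.get(b"cookie", b""))
    return {
        "request_line": request_line.decode("ascii", "replace"),
        "suspicious_cookies": [c.decode("ascii") for c in cookies],
        "banner_vulnerable": rompager_vulnerable(server_banner),
        "alert": bool(cookies),
    }


# Constructed sample traffic (not captured from a real device).
CRAFTED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Cookie: C107369788=A\x00\r\n"
    b"\r\n"
)
# Same cookie name but with the printable "0" (0x30) instead of NUL: no control byte, no alert.
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Cookie: C107369788=A0; session=abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("crafted", CRAFTED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, assess(req, b"RomPager/4.07 UPnP/1.0"))
```

The cookie check is the one worth running at a perimeter proxy or IDS: it does not depend on knowing the per-firmware number, only on the name pattern and the presence of a control byte that the Hex-tab edit described above introduces. The banner check is a coarse inventory aid; it cannot tell a patched vendor build from an unpatched one, so treat it as a prompt to confirm the firmware version rather than as proof of exposure.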
