CVE-2022-40055
This post sheds light on CVE-2022-40055.
- Vulnerable device: GPON ONT Titanium 2122A
- Software Version: T2122-V1.26EXL
- Hardware Version: C40-210
Description:
The web login interface of this router limits the number of times a user can try an invalid password. The default limit is 3 attempts, after which the login is locked for one minute. The limit is enforced only in the frontend and the counter is kept in a cookie, so an attacker can bypass the lockout by manipulating the cookie value.
The login page also has a weak captcha implementation: the captcha value is not invalidated after it has been used, so an attacker can replay a login request with the same captcha value. Together, these two flaws make password brute forcing against the web interface possible.
Vulnerability
The file /cgi-bin/login.asp holds the variable loginTimes, initialised to 0:
var loginTimes = 0;
The function SET_C_T sets a cookie with the given name, value and lifetime:
// Stores `value` under cookie `name`, expiring after the duration given by `time`
// (converted to milliseconds by the page's getsec helper, e.g. "s60" = 60 seconds).
function SET_C_T(name, value, time) {
    var strsec = getsec(time);
    var exp = new Date();
    exp.setTime(exp.getTime() + strsec*1);
    document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString() + ";path=/;";
}
Once the password is submitted, an AJAX call is made to the server and its response is checked for several parameters. One of them is Privilege (result.Privilege).
result.Privilege is 0 when the password is wrong. In that case loginTimes is incremented by 1 and SET_C_T is called to store the new count in the loginTimes cookie, as the following code shows:
else if ( '0' == result.Privilege )
{
    // Wrong password: bump the counter and persist it in a cookie for 60 seconds
    loginTimes += 1;
    SET_C_T("loginTimes", loginTimes, "s60");
    $('#errmsg').text('You already login incorrectly for ' + loginTimes + ' time!');
}
Each wrong password increments loginTimes and, with it, the cookie. After three wrong passwords the page is locked for one minute. The important point is that the number of invalid attempts is determined by reading the loginTimes cookie back from the browser, i.e. from a value the client controls:
// Trusts the attempt counter stored in the client's cookie jar
if( (GET_C("loginTimes") != "") && (typeof(GET_C("loginTimes")) != "undefined") )
    loginTimes = parseInt(GET_C("loginTimes"));
if ( loginTimes >= 3 )
{
    $('#errmsg').text('Login three times fail, Webpage locked,please login after 1 minute!');
    return false;
}
Exploiting
Since the loginTimes cookie is what the page reads to count invalid attempts, and cookies are fully under the client's control, the counter can be modified from the browser's developer tools console or in Burp.
Setting the cookie to a large negative number such as -99999 means the counter never reaches 3, so an attacker gets an unlimited number of attempts to brute force the password via the web interface, as shown in the PoC. Deleting the cookie before each request has the same effect, because an absent cookie leaves loginTimes at its initial value of 0.
Because the cookie can be set to any value, an attacker can capture the login request and run a brute force attack against it with Burp Intruder. You can see it in action on our YouTube channel.