• Vulnerable device: GPON ONT: Titanium 2122A, found HERE
  • Software Version: T2122-V1.26EXL
  • Hardware Version: C40-210


Description:

The web login interface of this router limits the number of times a user can submit an invalid password. The default limit is 3, after which the login is locked for a minute. Because the limit is enforced only on the frontend, an attacker can bypass it by manipulating the cookie value.

The login page also suffers from a weak CAPTCHA implementation: an attacker can repeat a login request with the same CAPTCHA value, which makes brute force possible.


Vulnerability

The file /cgi-bin/login.asp declares the variable loginTimes:

var loginTimes = 0;


The function SET_C_T sets the cookie:

function SET_C_T(name, value, time)
{
    var strsec = getsec(time);
    var exp = new Date();
    exp.setTime(exp.getTime() + strsec*1);
    document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString() + ";path=/;";
}


Once the password is submitted, an AJAX call is made to the server and the response is checked for several parameters. One of them is 'Privilege' (result.Privilege).

result.Privilege is set to 0 when the password is wrong. The value of the loginTimes variable is then increased by 1, and SET_C_T is called to store loginTimes in the cookie.

This is visible in the code below:

else if ( '0' == result.Privilege )
{
    loginTimes += 1;
    SET_C_T("loginTimes", loginTimes, "s60");
    $('#errmsg').text('You already login incorrectly for ' + loginTimes + ' time!');
}


For each wrong password entered, the loginTimes variable is incremented by 1, and so is the cookie.

If the user enters the wrong password three times, the page is locked for a minute. The number of invalid attempts is determined by reading the value of the loginTimes cookie:

if( (GET_C("loginTimes") != "") && (typeof(GET_C("loginTimes")) != "undefined") )
    loginTimes = parseInt(GET_C("loginTimes"));
if ( loginTimes >= 3 )
{
    $('#errmsg').text('Login three times fail, Webpage locked,please login after 1 minute!');
    return false;
}


Exploiting

Since the loginTimes cookie is what is read to count the number of invalid password attempts, the check can be defeated by modifying that cookie, which is easily done through the web developer tools console or with Burp.

Setting the cookie to a negative number such as -99999 gives an attacker an unlimited number of attempts, enabling brute force attacks via the web interface, as shown in the PoC below:

https://i.ibb.co/Tw5Q7Js/PoC.gif


Because the cookie can be altered, an attacker can capture the login request and easily perform a brute force attack via Burp Intruder. You can see it in action on our YouTube channel HERE.