

PRODUCT DESCRIPTION

The Aztech ADSL family of modems/routers is shipped to residential and SOHO users who want rates of 150-300 Mbps. This modem/router also supports IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers are: DSL5018EN (1T1R) (shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU.

VULNERABILITY DESCRIPTION

1. The CGI script that resets the WAN connectivity of the modem can be called directly from the web server with no authentication. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to execute code that could potentially lead to a Denial of Service (DoS) attack and may terminate all established Internet connections in the network.

2. A successful authentication of a privileged (admin) ID in the web portal allows any attacker in the network to hijack and reuse the existing session in order to trick the web server into executing administrative commands.

3. The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credentials of the telecom company, and the web portal's admin username and password. A malicious attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is ciphered text, it can be deciphered using a weak substitution technique (ROT 24), which could potentially lead to data exposure.

PROOF OF CONCEPT

1. Send a GET request to cgi-bin/AZ_Retrain.cgi to reset the WAN connection:

2. From computer A, open a web browser and log in to the modem/router's web portal using the administrator ID. From computer B, open a terminal session and make a POST request to the router:

The command may be freely executed from any terminal in the network as long as the session of the privileged ID is valid.

3. Send a GET request to the router using cgi-bin/userromfile.cgi via curl:

Decipher the downloaded rommfile.cfg using the Caesar cipher.
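The following is an added illustration, not code from the advisory or from Aztech, of why the ROT 24 scheme described in item 3 gives the configuration file no real confidentiality: a letter shift has only 26 possible keys, so the content is recovered by trying every shift and keeping the one that yields the expected field names, without knowing the shift in advance. The sample configuration text, its field names and values are constructed for this example and do not reflect the real ROM file format.

```python
# Added example (not from the advisory): a ROT-style letter shift is
# recoverable without any key, because only 26 shifts exist.
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text: str, k: int) -> str:
    """Shift every ASCII letter by k positions (mod 26); other characters
    pass through unchanged. ROT 24 followed by ROT 2 is the identity,
    since 24 + 2 == 26, so "decrypting" ROT 24 is simply ROT 2."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        elif ch.isupper():
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def recover_without_key(ciphertext: str, expected_tokens):
    """Try all 26 shifts and return (shift, plaintext) for the first shift
    whose output contains every expected token, or None if none matches.
    No secret is needed: the key space of a substitution shift is 26."""
    for k in range(26):
        candidate = caesar_shift(ciphertext, k)
        if all(tok in candidate for tok in expected_tokens):
            return k, candidate
    return None


# Constructed sample resembling the kind of fields the advisory says the
# ROM file holds. Field names and values are made up, not real credentials.
SAMPLE_CONFIG = "\n".join([
    "wan_username=customer-example",
    "wan_password=examplepass",
    "tr069_username=acs-example",
    "admin_username=admin",
    "admin_password=examplepass",
])

if __name__ == "__main__":
    ct = caesar_shift(SAMPLE_CONFIG, 24)
    shift, pt = recover_without_key(ct, ["username=", "password="])
    print("recovered with shift", shift)  # 2, the inverse of ROT 24
    print(pt == SAMPLE_CONFIG)
```

The design point for a vendor is that a shift cipher is an encoding, not encryption: it protects nothing once the format is known, and the real fix is to stop serving the configuration file to unauthenticated requests and to protect stored credentials with a proper authenticated cipher under a per-device key.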

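For operators who cannot patch affected units immediately, the added detection example below (not part of the advisory) scans access-log lines for the two CGI scripts named above (/cgi-bin/AZ_Retrain.cgi and /cgi-bin/userromfile.cgi) and for a session identifier that appears from more than one client address, which is the reuse pattern described in item 2. The page does not describe the router's own logging, so the log format, the session field and every sample line are constructed; the paths other than the two named CGI scripts are placeholders.

```python
# Added example (not from the advisory): flag requests for the two CGI
# scripts the advisory names and session cookies reused across client
# addresses. Log format and sample lines are constructed for this example.
import re
from collections import defaultdict

SENSITIVE_PATHS = {
    "/cgi-bin/AZ_Retrain.cgi": "unauthenticated WAN reset (DoS)",
    "/cgi-bin/userromfile.cgi": "configuration/ROM file download",
}

# Constructed format: <client_ip> "<METHOD> <path> HTTP/x.y" <status> session=<id|->
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) session=(?P<session>\S+)$'
)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (reason, client_ip, path) findings."""
    findings = []
    session_ips = defaultdict(set)  # session id -> set of client addresses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path in SENSITIVE_PATHS:
            findings.append((SENSITIVE_PATHS[path], rec["ip"], path))
        if rec["session"] != "-":
            session_ips[rec["session"]].add(rec["ip"])
    for sid, ips in session_ips.items():
        if len(ips) > 1:
            reason = "session %s used from %d client addresses" % (sid, len(ips))
            findings.append((reason, ",".join(sorted(ips)), "-"))
    return findings


# Constructed sample log: an admin logs in from .10, the same session id is
# then used from .25, which also calls both vulnerable CGI scripts.
SAMPLE_LOG = [
    '192.168.1.10 "GET /index.html HTTP/1.1" 200 session=-',
    '192.168.1.10 "POST /placeholder_login.html HTTP/1.1" 200 session=abc123',
    '192.168.1.10 "GET /status.html HTTP/1.1" 200 session=abc123',
    '192.168.1.25 "POST /placeholder_admin.html HTTP/1.1" 200 session=abc123',
    '192.168.1.25 "GET /cgi-bin/AZ_Retrain.cgi HTTP/1.1" 200 session=-',
    '192.168.1.25 "GET /cgi-bin/userromfile.cgi?x=1 HTTP/1.1" 200 session=-',
    'not a log line',
]

if __name__ == "__main__":
    for reason, ip, path in analyze(SAMPLE_LOG):
        print("%-45s %-27s %s" % (reason, ip, path))
```

Because the WAN reset and the ROM file download need no authentication, any hit on those two paths from a client that is not the administrator's known workstation is worth an alert; the session-reuse check is only as good as the log source's ability to record the session token, so it is best applied to a proxy or IDS in front of the router rather than to the router itself.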