CVE-2018-12455 Scanner

The Intelbras NPLUG is an IoT device designed to extend network capabilities, often used in home and small office environments for connectivity and device management. It provides wireless networking functionalities and is managed via a web-based interface. The device firmware includes authentication mechanisms to protect access to sensitive configuration data and administrative functions. Users rely on the security of the authentication process to prevent unauthorized access and configuration changes. The device is popular in its market segment for ease of use and integration with other network devices. Firmware updates are periodically released to fix vulnerabilities and improve security.

This vulnerability involves an authentication bypass that allows attackers to access the device without valid credentials. By manipulating the HTTP cookie header and setting a cookie named "admin:", an attacker can bypass the login process entirely. This flaw results from improper validation of cookie values used for authentication, enabling unauthorized access. The issue is critical because it exposes device configurations and administrative controls to unauthenticated attackers. This vulnerability significantly increases the risk of device compromise and subsequent network attacks.

Technically, the vulnerability is exploited by sending a GET request to the /cgi-bin/DownloadCfg/RouterCfm.cfg endpoint with the HTTP header Cookie: admin:. The device fails to verify the authenticity of this cookie and returns the configuration file with sensitive information. The response is characterized by a content type related to configuration data and includes wireless parameters and password hashes. The flaw lies in the device’s firmware handling of cookie-based authentication, which does not enforce proper checks or session management.

Exploiting this vulnerability enables attackers to obtain the full router configuration file, including sensitive credentials and network settings. This can lead to full network takeover, interception of traffic, unauthorized changes, and persistent access. Attackers may also modify firewall or DNS settings, disrupting network operations or redirecting traffic maliciously. The vulnerability presents a severe security risk and requires immediate remediation through firmware upgrades. Proper access controls and monitoring can mitigate exploitation risks.

REFERENCES

• https://seclists.org/fulldisclosure/2018/Oct/18
• https://nvd.nist.gov/vuln/detail/CVE-2018-12455