{"id":9346,"date":"2017-09-18T08:59:54","date_gmt":"2017-09-18T16:59:54","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/18\/news-3119\/"},"modified":"2017-09-18T08:59:54","modified_gmt":"2017-09-18T16:59:54","slug":"news-3119","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/18\/news-3119\/","title":{"rendered":"SSD Advisory \u2013 NEXXT Authentication Bypass"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 17 Sep 2017 09:02:04 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3414\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3414');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an authentication bypass found in NEXXT routers.<\/p>\n<p>NEXXT Connectivity Solutions develops &#8220;state of the art networking devices that help connect people and things together, at home, the office and virtually everywhere&#8221;.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Netfairy, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> We tried to contact NEXXT since August 17 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.<\/p>\n<p><span id=\"more-3414\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> User controlled input is not sufficiently sanitized and can be exploit by an attacker to bypass the authentication mechanism.<\/p>\n<p>By changing the cookie, an attacker can bypass the login authentication mechanism and login as admin.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The setup for testing the PoC we will use Chrome Browser with EditThisCokie plugin.<\/p>\n<p>Browse to the victim&#8217;s IP &#8211; http:\/\/IP:8080\/login.asp<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910.png\" data-slb-active=\"1\" data-slb-asset=\"2031731571\" data-slb-internal=\"0\" data-slb-group=\"3414\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-300x136.png\" alt=\"\" width=\"300\" height=\"136\" class=\"alignnone size-medium wp-image-3417\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-300x136.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910.png 600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Add a new cookie: admin:language=en<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-1.png\" data-slb-active=\"1\" data-slb-asset=\"794283017\" data-slb-internal=\"0\" data-slb-group=\"3414\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-1-300x162.png\" alt=\"\" width=\"300\" height=\"162\" class=\"alignnone size-medium wp-image-3416\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-1-300x162.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-1.png 600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Then direct open: http:\/\/IP:8080\/advance.asp<br \/> <a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-2.png\" data-slb-active=\"1\" data-slb-asset=\"1071981539\" data-slb-internal=\"0\" data-slb-group=\"3414\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-2-300x175.png\" alt=\"\" width=\"300\" height=\"175\" class=\"alignnone size-medium wp-image-3415\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-2-300x175.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-2.png 600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3414\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/media-20170910-300x136.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Sun, 17 Sep 2017 09:02:04 +0000<\/strong><\/p>\n<p>\ufeffVulnerability Summary The following advisory describes an authentication bypass found in NEXXT routers. NEXXT Connectivity Solutions develops &#8220;state of the art networking devices that help connect people and things together, at home, the office and virtually everywhere&#8221;. Credit An independent security researcher, Netfairy, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program Vendor &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3414\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 NEXXT Authentication Bypass<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757,12136],"class_list":["post-9346","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9346"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9346\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9346"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}