Simple GET Request Leading to Router Takeover

FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world.

Recently, I was able to successfully attempt to reset FiberHome’s AD1020–25 Model router to it’s default configuration leading to DOS attack. Basically, due to improper authentication method, attacker can easily access the parameter, execute it & hence leading to factory reset. By this attack, it also allows users to login to router administrator page by default credentials admin/admin

In this screenshot, it can be confirmed that we are not logged in to the dashboard of Administrator

I then fired up Burp suite, which enables us to intercept network traffic, analyze it modify contents as per need. Here, you can see I was able to execute a GET request for url restoreinfo.cgi which is our vulnerable parameter allowing us for factory reset.

Thus, after execution of URL, it returned back a status 200 affirmating our request & processing the factory reset for router.

And successfully exploited ;)

The vulnerability was reported to the vendor, & reported to MITRE as well. Following URLs can be browsed for further details: CVE-2017–14147 FiberHome Unauthenticated ADSL Router Factory Reset

Note : This is all for educational purpose, hence to provide a concept of how a simple vulnerability can lead to total compromise of Network device.