Sunday, 21 July 2013

Modem Authentication Bypass via Cookie ID 'Hijack'

In this 'hack', I am going to show how to bypass the authentication page of a modem by 'stealing' the Cookie ID of an authenticated session and applying it in our hack. For educational purposes, because of the potential of being sent a lawsuit, and also as a form of respect to the company issuing these modems, I have replaced all images of the company logo with the image 'CENSORED'.



The image of the Modem used in this 'hack'


Let's do the Modem Administration page walkthrough. Access the modem through the URL.


In this case, I want to edit some Wireless settings, so I click on the Wireless tab and it gives me a login portal. I enter my password and log in.


Once authenticated, I can now access the Wireless configuration settings.


Now let's do a wrong password authentication. Before doing this, we shall clear the browsing history including cookies from Firefox.


Browse to the login page and enter a wrong password. Since the password is invalid, we are unable to log in.


So let's try to bypass that login page. In this 'hack', I'm using Burp Proxy to analyze the HTTP header and perform the 'hijack'.
Once Burp Proxy is configured, let's access the URL. Burp Proxy will show that we are making a request to the modem. Click Forward to let the traffic pass.


Next, a Cookie was created with the ID=dM4n1R


Go to the Wireless tab and enter the password.


When we click Login, it is using the same cookie to send the authentication details to the modem.


And since the password is correct, we are able to get the config_wifi.htm (which is the Wireless configuration page)
*Important: Copy the cookie ID!!!!! This is crucial for the bypass step.


And we are now in the configuration page.


Now let's clear our browsing history and cookies for a new session and this time we are going to analyse a failed authentication session.
Clear your cookies, close your browser and reopen it.
Access the URL and we now see a new cookie is being generated with the ID=a0SluW


Go to the Wireless tab and enter a wrong password.


Now since the password is wrong, we get the reply as config_wifi.htm?pwd=ko HTTP/1.1 


And the message seen for a failed authentication.


Now let's perform the 'bypass hack'. 
Clear the browsing history and cookies. Close your browser and open a new one.
Access the URL.
You can see, a new session is created with a new cookie ID.


Replace the cookie ID with the ID dM4n1R



Replace the cookie ID with the ID dM4n1R when prompted


Now that all the cookies are replaced, click on the Wireless tab and you will see that you are able to access the Wireless Configuration page without having to authenticate at the login screen.



Conclusion

In this hack, even though we practice deleting history and cookies, some devices are not smart enough to know that the cookie being used is a 'manipulated' one. Furthermore, this administration page has no 'log out' button to click. A possible prevention for this hack is to have a log out button, with the device smart enough to know that a cookie must not be used anymore once it has been logged out. Additionally, I should mention that although this hack is successful, the same cookie ID could not be used after a period of time. The expiration of the cookie could be one of the reasons why that happens.

*Disclaimer: While this hack is successful, my understanding of how cookies work in devices besides computers may not be correct, hence my prevention suggestion may not be applicable to the modem device.
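The prevention idea from the conclusion, written out as an added sketch that is not part of the original post and not the modem's firmware: the cookie is only a key into a server-side table, so logging out or idling too long makes a copied ID worthless. The names SessionStore and IDLE_TIMEOUT, the 300 second timeout and the password handling are assumptions made for this example.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value for this sketch


class SessionStore:
    """Server-side session table: the cookie is only a lookup key."""

    def __init__(self, admin_password, clock=time.monotonic):
        self._password = admin_password.encode()
        self._clock = clock  # injectable so expiry can be tested
        self._sessions = {}  # session id -> {"auth": bool, "seen": float}

    def _new(self, authenticated):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"auth": authenticated, "seen": self._clock()}
        return sid

    def issue(self):
        """First visit: hand out an unauthenticated session id."""
        return self._new(False)

    def login(self, sid, password):
        """Return a fresh authenticated id, or None on a wrong password."""
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        self._sessions.pop(sid, None)  # retire the pre-login id
        return self._new(True)

    def is_authenticated(self, sid):
        """True only for a live, logged-in, recently used session."""
        entry = self._sessions.get(sid)
        if entry is None or not entry["auth"]:
            return False
        if self._clock() - entry["seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: a later replay finds nothing
            return False
        entry["seen"] = self._clock()
        return True

    def logout(self, sid):
        """Delete the server-side record so the cookie value is worthless."""
        self._sessions.pop(sid, None)
```

Because every check goes through the table, an ID copied from an earlier admin session is rejected as soon as that session has logged out or timed out, no matter which browser presents it.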

3 comments:

  1. Never used this modem before, but based on your screencap, the issue seems to be an insecure communication channel. If you can intercept the username and password, why bother about the "cookie ID".. :)

    my 2 cents worth

    Replies
    1. Insecure communication is one. I was using Burpsuite to intercept the traffic to manipulate the cookie ID. Thus while intercepting the authentication, the username and password can typically be seen. However, the point of this is to demonstrate that even using a non administrative credential to login and using the previously used cookie that was from the admin privileged session, I was able to bypass the non admin privilege acct and have access straight to the Admin console...
