I am very fond of researching embedded devices. One day I was poking around in my Digicom router to test how safe I am from attacks like "Is Your PC Safe Inside NAT". After finding a simple XSS bug I started digging deeper to see whether I could find any serious bug in it. Then I started analyzing the session ID that is generated every time I log in. After a few minutes I discovered that the session value increases by 1 on each login.
If the previous session ID was n, then the next session ID will be n+1:
Session : n (where n is any number)
Session : n+1 (this continues until the router is rebooted)
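As an added illustration (not code from the original post or from the router's firmware), the Python below models the counter-style session issuer just described next to a CSPRNG-backed one, and shows the check a defender can run on a handful of session IDs collected from their own consecutive logins to spot the counter pattern. The class and function names, and the step tolerance of 16, are assumptions.

```python
import secrets
from typing import List, Optional

# Constructed models of two session-ID issuers, not the router's own code.
class CounterSessionIssuer:
    """Weak issuer modelled on the post: one per-boot counter, +1 per login."""
    def __init__(self, start: int) -> None:
        self._next = start  # only a reboot gives this a fresh starting value

    def issue(self) -> str:
        sid = str(self._next)
        self._next += 1
        return sid

class RandomSessionIssuer:
    """Hardened issuer: 128 bits from the OS CSPRNG for every login."""
    def issue(self) -> str:
        return secrets.token_hex(16)

def _parse_all(tokens: List[str]) -> Optional[List[int]]:
    """Parse every token as decimal, else as hex; None if neither fits all."""
    for base in (10, 16):
        try:
            return [int(t, base) for t in tokens]
        except ValueError:
            continue
    return None

def looks_sequential(tokens: List[str], max_step: int = 16) -> bool:
    """True when consecutive IDs differ by a small positive step, i.e. the
    n, n+1, n+2 pattern from the post. Needs at least three samples."""
    vals = _parse_all(tokens)
    if vals is None or len(vals) < 3:
        return False
    steps = [b - a for a, b in zip(vals, vals[1:])]
    return all(0 < s <= max_step for s in steps)

def audit_issuer(issuer, logins: int = 5) -> bool:
    """Log in a few times against an issuer and report whether its session
    IDs are predictable. Returns True when the issuer is weak."""
    return looks_sequential([issuer.issue() for _ in range(logins)])

if __name__ == "__main__":
    print("counter issuer predictable:", audit_issuer(CounterSessionIssuer(1000)))
    print("random issuer predictable: ", audit_issuer(RandomSessionIssuer()))
```

The same `looks_sequential` check works on IDs copied from a browser's cookie store or from a proxy log of your own logins; three or more consecutive values are enough to see the pattern.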
After analyzing the router's session generation logic, I sent the admin login traffic to Burp to look for any running session. I started brute forcing the session ID and found one session that had not expired. With that session anyone gets full administrative rights: you can create a new SSID, change the WiFi password, or, if you want to hack the PCs behind it, change the DNS settings and go after their devices from there.
This attack can easily be carried out from a remote location if anyone can find the IP of the affected router. When it comes to Internet-facing devices, Shodan will help you. I am really sorry that I can't provide the Shodan link for this device due to legal issues.
This bug has been assigned CVE-2014-8496, and this PoC is just for educational purposes, so as the author I will not be responsible for any of your illegal actions. After publishing this bug I had no excitement at all, my face was something like :/ but when the MITRE guys told me that it is the first CVE from Nepal, my face was more like this 😀
Soon I am going to write an article:
“Why Is There a Backdoor in 100K Broadband Routers from More Than 20 Vendors?”