POC CVE-2024-22773

Wagner Alves
Jan 29, 2024


Around 20 days ago, I decided to conduct tests on an Intelbras device in search of potential vulnerabilities. It was during this process that I identified an authentication flaw. Once the browser has authenticated successfully at least once, the hash of the correct password can be intercepted even when the submitted login payload contains an incorrect password.

The tested device was the “Roteador Action RF 1200” (Action RF 1200 router) running firmware version 1.2.2, the latest version available at the time.

Here are the details of the Proof of Concept (POC):

Step 1: Perform authentication with the correct username and password

To exploit the vulnerability, the browser needs to have authenticated successfully at least once, regardless of how long ago that was.

Step 2: Intercepting an authentication with an incorrect password payload

Now we intercept a login attempt made with an arbitrary password; I’ll test it with the password “123456”. Shortly after, we observe that the intercepted request exposes the hash of the correct password.

Next, we replace the hash in the password field with the hash exposed in the cookie. Note that the cookie value contains 6 extra characters in addition to the hash; these should be ignored.

After forwarding the modified request, we are logged into the device without ever knowing the password.
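To make the mechanism concrete from the defender's side, here is an added toy model (my own code, not the device firmware or the author's PoC) of the behaviour described in the two steps above, next to a login handler that does not have the weakness. The client-side hash algorithm (MD5), the cookie name and the six trailing characters are assumptions chosen only to illustrate the flaw.

```python
import hashlib
import hmac
import os
import secrets

def client_hash(password: str) -> str:
    # The write-up shows the browser sending a hash in the password field;
    # MD5 is an assumption here, not taken from the device.
    return hashlib.md5(password.encode()).hexdigest()

class VulnerableLogin:
    """Toy model of the reported flaw: the server accepts the client-side hash
    as the credential and, after a successful login, hands the browser a cookie
    built from that same hash plus 6 trailing characters (constructed here)."""
    def __init__(self, password: str):
        self.stored_hash = client_hash(password)
    def login(self, submitted_hash: str) -> dict:
        if submitted_hash == self.stored_hash:
            return {"ok": True, "set_cookie": "pw=" + self.stored_hash + "abcdef"}
        return {"ok": False, "set_cookie": ""}

def leaked_cookie_replays(real_password: str) -> bool:
    """Browser logs in once and keeps the cookie; a later failed attempt with
    "123456" still carries it, so whoever reads that request gets the hash.
    Because the hash itself is the credential, stripping the 6 extra chars and
    resubmitting it authenticates without the password (pass-the-hash)."""
    vuln = VulnerableLogin(real_password)
    browser_cookie = vuln.login(client_hash(real_password))["set_cookie"]
    assert vuln.login(client_hash("123456"))["ok"] is False   # wrong password
    leaked = browser_cookie.split("=", 1)[1][:-6]              # drop 6 extra chars
    return vuln.login(leaked)["ok"]

class HardenedLogin:
    """Fix: password verified server-side against a salted PBKDF2 digest in
    constant time; the session cookie is a random token unrelated to the
    credential. Transport must still be TLS, or the plaintext password is what
    gets sniffed instead."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = self._derive(password)
    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
    def login(self, submitted_password: str) -> dict:
        if hmac.compare_digest(self._derive(submitted_password), self.digest):
            return {"ok": True, "set_cookie": "sid=" + secrets.token_hex(16)}
        return {"ok": False, "set_cookie": ""}

def cookie_reveals_credential(h: HardenedLogin, real_password: str) -> bool:
    """Regression check: does a successful-login cookie contain the stored
    digest or a hash of the password? Must be False for a fixed handler."""
    cookie = h.login(real_password)["set_cookie"]
    return h.digest.hex() in cookie or client_hash(real_password) in cookie
```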

POC Video

https://www.youtube.com/watch?v=-r0TWJq55DU

Conclusion

With this, we can authenticate without knowing the correct password. The hash can also be captured by sniffing network traffic with tcpdump or Wireshark. The vulnerability has been reported to the manufacturer, who has acknowledged it and committed to addressing the issue in a new firmware release.
