Info disclosure — CVE-2020–9476
The Arris tg1692a router firmware 9.1.103DE2 does not sufficiently protect administrator credentials. The /login page discloses the administrator password in base64 encoding on the returned web page. A remote attacker can capture packets during the login process on this page and can obtain administrator credentials for the device.
Proof Of Concept —
First Step —
Start packet capture then log in and password on the router.
Second Step —
After the data capture, check the GET request on the / login page, the arg = parameter passes the login and password of the router encoded in base64.
After performing the base64 decode we have the login and password separated by: (colon)
Video —