VIR Vulnerability Intelligence Relay

CVE-2017-6558

critical
Published 2017-03-09 ยท Modified 2026-05-13
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.

Predictions

Exploit likelihood
97%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-42591 webapps php text ยท 2 KB
Indrajith.A.N ยท 2017-03-07

iBall Baton 150M Wireless Router - Authentication Bypass

text exploit Source: Exploit-DB 
Title:
====
iball Baton 150M Wireless router - Authentication Bypass

Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com

Date:
====
07-03-2017

Vendor:
======
iball Envisioning the tremendous potential for innovative products required
by the ever evolving users in computing and digital world, iBall was
launched in September 2001 and which is one of the leading networking
company

Product:
=======
iball Baton 150M Wireless-N ADSI.2+ Router

Product link:
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539

Abstract:
=======
iball Baton 150M Router's login page is insecurely developed that any
attacker could bypass the admin's authentication just by tweaking the
password.cgi file.

Affected Version:
=============
Firmware Version : 1.2.6 build 110401 Rel.47776n
Hardware Version : iB-WRA150N v1 00000001

Exploitation-Technique:
===================
Remote

Severity Rating:
===================
9

Details:
=======
Any attacker can escalate his privilege to admin using this vulnerability.

Proof Of Concept:
================
1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
i.e 172.20.174.1

2) Now just append password.cgi to the URL i.e
http://172.20.174.1/password.cgi

3) Right-click and View Source code which disclsus the username, password
and user role of the admin in the comment section

4) Successfully logged in using the disclosed credentials.

Reference:
=========
1. https://www.youtube.com/watch?v=8GZg1IuSfCs
2. https://www.techipick.com/exploiting-router-authentication-through-web-interface

Disclosure Timeline:
======================================
Vendor Notification: March 5, 2017

-----
Indrajith.A.N

References

CWEs

CWE-798

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.