Sagem Fast 3304-V2 Credential Disclosure
Posted on 14 November 2016
Exploit title: FAST3304v2 Credentials Disclosure vulnerability Author: Nassim Asrir Author Company: HenceForth Author Email: wassline@gmail.com Discovered on: 13/11/2016 Tested on: Linux x86_64 / Mozilla Firefox 49. Tested Version: Sagem Fast 3304-V2 (other versions may also be affected) Vendor: http://www.sagemcom.com/ Description : - Sagem Fast 3304-v2 router is vulnerable to a Remote Credentials Disclosure Vulnerability . This vulnerability allow to a remote attacker to get the login and password for any services in the router (Ex: USB Share) Proof: - The Sagem fast 3304-v2 router has a service (USB Share) this service allow to share Folder or Pics or in Local Network (LAN) and for see the shared folders you need the login credentials from the Admin . So we can get it just with a javascript code. 1- Navigate The router Login Page (192.168.1.1). 2- Inject the Javascript Code in searchbar: javascript:mimic_button('sidebar: %20lb_sidebar_advanced_memory_sharing..', 0) 3- Now you can see the login credentials: * The host to see shared folders is 192.168.1.1 4- and now we get the login and pass but the pass is unclear so just click in (CTRL + u ) to see the source code and click in (CTRL + f) and put in the search box (password) and you can see the value for password clear.