FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass

By kannthu

High
Vidoc Module
#fatpipe #default-login #backdoor #auth-bypass
Description

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass

What is the "FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass" module?

The "FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass" module is designed to detect an authorization bypass vulnerability in the FatPipe WARP/IPVPN/MPVPN 10.2.2 software. This vulnerability allows an attacker to bypass proper authorization and gain unauthorized access to the device. The severity of this vulnerability is classified as high.

This module was authored by gy741.

Impact

If successfully exploited, this authorization bypass vulnerability allows an attacker to gain access to the FatPipe WARP/IPVPN/MPVPN 10.2.2 device without proper authentication. The hidden administrative account "cmuser" can be accessed without a password, granting the attacker write access permissions to the device. This account is not visible in the Users menu list, making it difficult to detect unauthorized access.

How does the module work?

The "FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Authorization Bypass" module works by sending a specific HTTP request to the target device. The request is sent to the "/fpui/loginServlet" endpoint with the necessary login parameters. The module then checks the response for specific matching conditions to determine if the authorization bypass vulnerability is present.

An example of the HTTP request sent by the module:

POST /fpui/loginServlet HTTP/1.1
Host: <Hostname>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22%3A%22%22%2C%22authType%22%3A0%7D

The module uses the following matching conditions to identify the authorization bypass vulnerability:

- Status code: The response should have a status code of 200.
- Header: The response should contain the word "application/json" in the header.
- Response body: The response body should contain the words "\"loginRes\":\"success\"" and "\"activeUserName\":\"cmuser\"".

If all the matching conditions are met, the module reports the vulnerability.
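The same conditions can be applied offline to proxy or WAF captures to find logins to the hidden account and tell rejected attempts from successful ones. This is an added example, not part of the Vidoc module: the function names, the tuple layout of a captured exchange, and the sample response bodies are constructed assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode

LOGIN_PATH = "/fpui/loginServlet"   # endpoint named on the page
HIDDEN_ACCOUNT = "cmuser"           # hidden account named on the page

def decode_login_params(form_body):
    """Return the JSON object carried URL-encoded in the loginParams field."""
    values = parse_qs(form_body, keep_blank_values=True).get("loginParams", [])
    try:
        params = json.loads(values[0]) if values else {}
    except json.JSONDecodeError:
        return {}
    return params if isinstance(params, dict) else {}

def is_hidden_account_login(form_body):
    """True for a login as the hidden account with an empty password."""
    params = decode_login_params(form_body)
    return params.get("username") == HIDDEN_ACCOUNT and params.get("password") == ""

def response_matches(status, content_type, body):
    """The module's three matching conditions (literal substring matches)."""
    return (status == 200
            and "application/json" in content_type
            and '"loginRes":"success"' in body
            and '"activeUserName":"cmuser"' in body)

def classify(path, request_body, status, content_type, body):
    """Label one captured request/response pair (argument layout is an assumption)."""
    if path != LOGIN_PATH or not is_hidden_account_login(request_body):
        return "ignore"
    if response_matches(status, content_type, body):
        return "bypass-succeeded"
    return "attempt-rejected"

# Constructed sample captures; response bodies are illustrative, not real device output.
PAGE_BODY = ("loginParams=%7B%22username%22%3A%22cmuser%22%2C%22password%22"
             "%3A%22%22%2C%22authType%22%3A0%7D")
OTHER_BODY = urlencode({"loginParams": json.dumps({"username": "admin", "password": "x", "authType": 0})})
SAMPLES = [
    (LOGIN_PATH, PAGE_BODY, 200, "application/json", '{"loginRes":"success","activeUserName":"cmuser"}'),
    (LOGIN_PATH, PAGE_BODY, 200, "application/json", '{"loginRes":"fail"}'),
    (LOGIN_PATH, OTHER_BODY, 200, "application/json", '{"loginRes":"success","activeUserName":"admin"}'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(*sample))
```

A "bypass-succeeded" result on real traffic means the device accepted the empty-password login and should be treated as exposed; "attempt-rejected" still indicates someone tried the hidden account.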

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
status: 200 and
word: application/json and
word: "loginRes":"success", "activeUserName":"...
Passive global matcher
No matching conditions.
On match action
Report vulnerability