CVE-2020-29138 — Improper Access Control in the SAGEMCOM router, model F@ST 3486 running NET_4.109.0

This is the explanation of CVE-2020-29138, which I discovered in the routers provided by the CLARO company in Brazil.

The SAGEMCOM router, model F@ST3486 NET, running software version NET_4.109.0, contains an Improper Access Control vulnerability in its configuration backup functionality. This router is widely distributed by the ISP CLARO to its customers in Brazil.

The vulnerability is triggered whenever a valid session is open in the router's web interface.

As long as any valid session is open, an unauthenticated request to http://<router-ip>/backupsettings.conf (one that carries no session cookie at all) is answered with the router configuration download.

Reproducing:

Access the router’s web interface and log in.


Make a request to the /backupsettings.conf path with all cookie data removed.

Request without any session data

Making the request from a different IP address than the one that opened the valid session:

curl request without any session data
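The root cause, as the steps above show, is that the device answers the question "is a session open?" rather than "does this request carry a valid session?". The following is an added illustration, not code from the router's firmware: a minimal Python model of the flawed device-wide check beside a per-request check, with a constructed session store, client addresses and clock values.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Session:                       # constructed in-memory session record
    user: str
    client_ip: str
    expires_at: float                # constructed clock, seconds

@dataclass
class Request:
    path: str
    client_ip: str
    cookies: dict = field(default_factory=dict)

def vulnerable_allows_backup(sessions: dict, req: Request) -> bool:
    """Flawed check: only asks whether *any* session is open on the device,
    never whether this request presented one (the bug pattern above)."""
    return req.path == "/backupsettings.conf" and len(sessions) > 0

def hardened_allows_backup(sessions: dict, req: Request, now: float) -> bool:
    """Per-request check: the request's own cookie must name an unexpired
    session, bound to the client address that created it."""
    sid = req.cookies.get("sid")
    session = sessions.get(sid) if sid else None
    if session is None or session.expires_at <= now:
        return False
    if session.client_ip != req.client_ip:   # the second-IP case on the page
        return False
    return req.path == "/backupsettings.conf"

def login(sessions: dict, user: str, client_ip: str, now: float, ttl: float = 900) -> str:
    """Create a session with an unguessable id and a fixed lifetime."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = Session(user, client_ip, now + ttl)
    return sid

def demo() -> dict:
    sessions: dict = {}
    sid = login(sessions, "admin", "192.168.0.10", now=1000.0)
    with_cookie = Request("/backupsettings.conf", "192.168.0.10", {"sid": sid})
    no_cookie = Request("/backupsettings.conf", "192.168.0.10")
    other_host = Request("/backupsettings.conf", "203.0.113.5")  # constructed address
    return {
        "vuln_no_cookie": vulnerable_allows_backup(sessions, no_cookie),
        "vuln_other_host": vulnerable_allows_backup(sessions, other_host),
        "hard_with_cookie": hardened_allows_backup(sessions, with_cookie, now=1001.0),
        "hard_no_cookie": hardened_allows_backup(sessions, no_cookie, now=1001.0),
        "hard_other_host": hardened_allows_backup(sessions, other_host, now=1001.0),
        "hard_expired": hardened_allows_backup(sessions, with_cookie, now=2000.0),
    }
```

Binding a session to the client address is an extra defence that the cookie check alone does not need; where legitimate clients change addresses mid-session, the cookie check and expiry are the essential parts.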

The backupsettings.conf file contains sensitive information, including the administration username and password.


If “Remote Configuration Management” is enabled on the router, the backup configuration file also becomes reachable from the WAN, that is, from the whole Internet, on TCP port 6080.

In the image below I used a web proxy and accessed the router’s WAN IP address “189.61…” to confirm that it is reachable externally.
