Itel DAB Gateway Authentication Bypass Vulnerability

A vulnerability allowing authentication bypass has been identified in the Itel DAB Gateway (IDGat build c041640a). This issue arises from improper validation of JSON Web Tokens (JWT) across devices. Attackers can exploit this vulnerability by reusing a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, regardless of differing passwords and networks. This flaw enables a full compromise of the affected devices.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access on affected devices, leading to a complete compromise of the device's functionality and settings.

Reproduction

To reproduce this vulnerability, log into an affected device (Device 1) using valid credentials to obtain a JWT token. This token can then be injected into the local storage of another device (Device 2) running the same firmware. After refreshing the page, Device 2 will authenticate as an admin without requiring a password. This process can be automated with a Python script that logs into Device 1, retrieves the JWT, and uses it to access Device 2.

Remediation

It is recommended to bind JWT tokens to specific devices or sessions, implement short expiration times for tokens, and store them securely using HTTP-only cookies instead of local storage. Until a patch is available, administrators can disable JWT-based authentication and monitor logs for suspicious activity.