EFM ipTIME A8004T Authentication Bypass Vulnerability Allowing Password Reset
Vulnerability
A critical authentication bypass vulnerability has been identified in the EFM ipTIME A8004T router, firmware version 14.18.2. The issue lies in the 'httpcon_check_session_url' function of the '/cgi/timepro.cgi' handler, part of the Hidden Hiddenloginsetup Interface. Because the session check is keyed on the request path, a remote attacker can alter the path so that the check is skipped entirely, reaching the administrative handler without a valid session. With that access, the attacker can reset the administrator's password using a CAPTCHA token retrieved from an unauthenticated request.
Impact
Exploitation of this vulnerability allows for unauthorized authentication bypass, enabling attackers to access the router's administrative functions and reset passwords arbitrarily.
Reproduction
To reproduce this vulnerability, send a request to the '/cgi/timepro.cgi' endpoint whose URL does not begin with the '/sess-bin/' prefix; session validation is only enforced for paths under that prefix, so such a request is treated as authenticated. Once the check is bypassed, the Hidden Hiddenloginsetup Interface can be used to reset the administrator's password with a CAPTCHA token obtained from an unauthenticated request.
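The condition described above (a request that reaches timepro.cgi by a path outside '/sess-bin/') is something a defender can look for in the router's or an upstream proxy's access logs. The following detector is an added example written for this page, not code from the vendor or from the original advisory. It assumes combined-log-format lines; the sample lines, IP addresses and timestamps are constructed for the example, and the path normalization (percent-decoding, collapsing '//' and dot segments) is a robustness choice of the detector, not a claim about how the device parses URLs.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

SESSION_PREFIX = "/sess-bin/"   # prefix under which the session check is enforced (from the advisory)
HANDLER_NAME = "timepro.cgi"    # CGI handler named in the advisory

# Combined-log-format pattern (constructed for this example; adjust to your log layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def canonical_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse '//', '.' and '..'
    segments so the prefix check always sees one canonical form."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(path) if path else "/"


def is_bypass_attempt(target: str) -> bool:
    """True when the request addresses timepro.cgi via a path outside /sess-bin/,
    i.e. the path shape the advisory says skips session validation."""
    path = canonical_path(target)
    return posixpath.basename(path) == HANDLER_NAME and not path.startswith(SESSION_PREFIX)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (ip, timestamp, target, status) for every flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_bypass_attempt(rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["target"], rec["status"]))
    return hits


# Constructed sample log lines (not real traffic): one legitimate session-prefixed
# request, one unrelated request, and two requests that hit the handler outside /sess-bin/.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sess-bin/timepro.cgi HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /cgi/timepro.cgi HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /cgi//timepro%2Ecgi HTTP/1.1" 200 2048',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible auth-bypass request:", hit)
```

A 200 status on a flagged request is the strongest signal, since it means the handler answered without a session; a single source address producing several such hits in a short window is worth correlating with any subsequent password change on the device. Until the firmware is updated, blocking requests to the handler that lack the '/sess-bin/' prefix at an upstream proxy, or simply not exposing the management interface to the WAN, removes the reachable condition.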
