Full Disclosure mailing list archives

By Date By Thread More than 60 undisclosed vulnerabilities affect 22 SOHO routers From: Jose Antonio Rodriguez Garcia <psycojugon () gmail com>

Date: Thu, 28 May 2015 02:10:05 +0200

Dear Full Disclosure community, we are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid. As a part of the dissertation, we have discovered multiple vulnerability issues on the following SOHO routers: 1. Observa Telecom AW4062 2. Comtrend WAP-5813n 3. Comtrend CT-5365 4. D-Link DSL-2750B 5. Belkin F5D7632-4 6. Sagem LiveBox Pro 2 SP 7. Amper Xavi 7968 and 7968+ 8. Sagem Fast 1201 9. Linksys WRT54GL 10. Observa Telecom RTA01N 11. Observa Telecom Home Station BHS-RTA 12. Observa Telecom VH4032N 13. Huawei HG553 14. Huawei HG556a 15. Astoria ARV7510 16. Amper ASL-26555 17. Comtrend AR-5387un 18. Netgear CG3100D 19. Comtrend VG-8050 20. Zyxel P 660HW-B1A 21. Comtrend 536+ 22. D-Link DIR-600 The aforementioned vulnerabilities are: - Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20. - Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19. - Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20. - Denial of Service (DoS) on #1, #5 and #10. - Privilege Escalation on #1. - Information Disclosure on #4 and #11. - Backdoor on #10. - Bypass Authentication using SMB Symlinks on #12. - USB Device Bypass Authentication on #12, #13, #14 and #15. - Bypass Authentication on #13 and #14. - Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22. CVEs have already been requested to MITRE and other CNAs (since MITRE is taking forever to assign a CVE) and we are waiting for response. OSVDB IDs have been assigned. Vendors and manufacturers have already been reported. All routers have been physically tested. ============================================================================================ Manufacturer: Observa Telecom Model: AW4062 Tested firmwares: 1.3.5.18 and 1.4.2 (latest) Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL customers specially during 2012. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121211 (http://osvdb.org/show/osvdb/121211) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., there’s a vulnerable input field within the subdirectory Domain Blocking. When used legitimately, this input is used to block the traffic between the router and some particular domains. The script will remain stored (persistent XSS) into the field Domain from the Domain Block Table and it will be executed each time the victim access to the Domain Blocking subdirectory. This vulnerability can also be found within the input fields that belong to other subdirectories like Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, between others. The most effective attack is found inside the Advance/SNMP subdirectory. By injecting the script into the System Name field, the malicious code will be executed each time someone connects to the router because the script is reflected into the home page. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121210 (http://osvdb.org/show/osvdb/121210), OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and OSVDB-121214 (http://osvdb.org/show/osvdb/121214) * PoC: I.e., if an attacker wants the victim to ping a certain IP address in order to check whether the victim is already logged into the router, he will send this URL to the victim: http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88 It is also possible for an attacker to change the default router password by sending the victim this URL: http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22 The URL above forces the user with index 0 (it is always going to be the user named 1234) to change his default password from 1234 to 12345. The following URL forces the victim to change his DNS servers to those the attacker wants to. http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3= Any action which is available within the website can be attacked through CSRF. This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless Access point, enabling WPS, etc. -------------------------------------------------------------------------------------------- ---------------------------------- Privilege Escalation ---------------------------------- * Description: Any user without administrator rights is able to carry out a privilege escalation by reading the public router configuration file (config.xml). This file stores each of the router configuration parameters, including the credentials from all users in plain text. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and OSVDB-121285 (http://osvdb.org/show/osvdb/121285) * PoC: An user without administrator rights (i.e., user), connects to the router through FTP. This user is able to get both /etc/passwd and config.xml files. The file config.xml stores each of the router configuration parameters in plain text, including the credentials from all users. Doing so, any user is able to gain administrator privileges. This is critical because not too many people know there is another user apart from the administrator one. That means they only change the administrator password, leaving a default user with default credentials (user:user) being able to escalate privileges. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/goform/admin/formReboot If a victim opens this URL, router commits all the information and reboots in a process that takes 60 seconds long. There are tons of ways for an attacker to do a Denial of Service attack by exploiting Cross Site Request Forgery vulnerabilities: a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even setting up a global Deny order is possible and only allowing traffic from/to certain IPs/MAcs. b) Delete the router configuration that allows itself to connect to the Internet Service Provider. c) Disable the Wireless Interface so no device can be connected through the 802.11 protocol. d) Etc. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033) Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one) Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers from 2011 to 2014 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?adminPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?adminPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: CT-5365 Tested firmwares: A111-306TKF-C02_R16 Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers since 2012 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?sysPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?sysPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (Device Info -> DHCP). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DSL-2750B Tested firmwares: EU_1.01 Comments: -------------------------------------------------------------------------------------------- ------------------ Information Disclosure (Insecure Object References) ------------------- * Description: An attacker is able to obtain critical information without being logged in. * Report status: Reported to MITRE on 2015-03-25. Waiting for assignation. OSVDB-121219 (http://osvdb.org/show/osvdb/121219) * PoC: By accessing the URL http://192.168.1.1/hidden_info.html, browser shows huge amount of parameters such as SSID, Wi-Fi password, PIN code, etc. without requiring any login process. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Belkin Model: F5D7632-4 Tested firmwares: 6.01.04 Comments: -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out malicious actions. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121220 (http://osvdb.org/show/osvdb/121220) * PoC: Every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so: http://192.168.2.1/cgi-bin/setup_dns.exe?page= "setup_dns"&logout=""&dns1_1=37&dns1_2=252 &dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89 -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout="" This URL causes the router to reboot, interrupting any active connection and denying the service for about 20 seconds. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122389 (http://osvdb.org/show/osvdb/122389) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: LiveBox 2 Pro Tested firmwares: FAST3yyy_671288 Comments: Common router that ISP Orange used to give away to their ADSL customers. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code, even if the victim is not logged into the router web-config page. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121223 (http://osvdb.org/show/osvdb/121223) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. 1. The SSID field within the “Configuración-> Equipos -> Personalizar” (Configuration->Devices->Personalize) subdirectory allows script code injection. The script execution can be clearly seen within the “Configuración-> Equipos -> Mostrar” (Configuration->Devices->Show) subdirectory. 2. The SSID field within the “Configuración-> LiveBox-> Configuracion Wifi -> SSID-name” (Configuration->LiveBox->Wi-Fi Configuration->SSID-Name) subdirectory allows script code injection. The script execution can be clearly seen within the main log-in webpage, even if the user is not logged in. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122387 (http://osvdb.org/show/osvdb/122387) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Amper Model: Xavi 7968 and Xavi 7968+ Tested firmwares: 3.01APT94 (latest one) Comments: Common router that ISP Telefónica used to give away to their ADSL customers from 2010 to 2013. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (/webconfig/status/dhcp_table.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: Fast 1201 Tested firmwares: 3.01APT94 (latest one) Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121222 (http://osvdb.org/show/osvdb/121222) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the DHCP Leases list (dhcpinfo.html). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Linksys Model: WRT54GL Tested firmwares: 4.30.16 build 6 Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121221 (http://osvdb.org/show/osvdb/121221) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (DHCPTable.asp). It can be accessed either directly through the URL or through the Status-> Local Network -> DHCP Clients Table subdirectories. Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: RTA01N Tested firmwares: RTK_V2.2.13 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and OSVDB-121788 (http://osvdb.org/show/osvdb/121788) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., Nombre del host (Hostname) input field within the subdirectory Servicio -> DDNS (Service -> DDNS or /ddns.htm) is vulnerable. There is another vulnerable input field within the Mantenimiento -> Contraseña (Maintenance -> Password or /userconfig.htm) subdirectory. After creating a user whose username contains the malicious script, it is stored into the User Accounts table and executes once the victim accesses this subdirectory. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121786 (http://osvdb.org/show/osvdb/121786) * PoC: I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios" It is also possible for an attacker to change the default router administrator password by sending the victim this URL: http://192.168.1.1/form2userconfig.cgi? username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send" The URL above forces the administrator user (it is always going to be the user named 1234) to change his default password from 1234 to newpass. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot= "Reiniciar"&submit.htm?reboot.htm="Send" If a victim opens this URL, router replies with HTTP 200 OK status code and reboots. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121789 (http://osvdb.org/show/osvdb/121789) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Active Clients table (/dhcptbl.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- ----------------------------------------- Backdoor --------------------------------------- * Description: There is a second default administrator user who is hidden to the legitimate router owner. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121785 (http://osvdb.org/show/osvdb/121785) * PoC: In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules, carry out a persistent denial of service and obtain the WLAN passwords, between other things, by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. It is also possible for an attacker to change the WPS configuration settings, reset the AP to the default ones and obtain critical information, such as WLAN passwords. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: Home Station BHS-RTA Tested firmwares: v1.1.3 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- --------------------------------- Information Disclosure --------------------------------- * Description: Observa Telecom Home Station BHS-RTA web interface allows an external attacker to obtain critical information without login process. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121781 (http://osvdb.org/show/osvdb/121781), OSVDB-121782 (http://osvdb.org/show/osvdb/121782), OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and OSVDB-121784 (http://osvdb.org/show/osvdb/121784) * PoC: Without requiring any login process, an external attacker is able to obtain critical information such as the WLAN password and settings, the Internet configuration, a list of connected clients, etc. By accessing the following URL, browser shows WLAN configuration, including the passwords: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101 By accessing the following URL, browser shows a list of connected clients, including their IP and MAC addresses: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101 By accessing the following URL, browser shows the Internet configuration parameters: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134 By accessing the following URL, browser shows whether the administrator password has been changed or is the default one. http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: VH4032N Tested firmwares: VH4032N_V0.2.35 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121793 (http://osvdb.org/show/osvdb/121793) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e, the SSID input field is vulnerable if the following code is written in: ‘; </script><script>alert(1)</script><script>// The malicious code will be executed throughout the whole web interface. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and OSVDB-121792 (http://osvdb.org/show/osvdb/121792) * PoC: Although the existence of a token related to session ID, configuration settings can be modified without the need of it. Thus, every input field is vulnerable to CSRF attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass If an attacker wants to change the FTP server configuration settings, such as the password and the allowance of remote FTP WAN connections, he may use the following link: http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2 -------------------------------------------------------------------------------------------- ------------------------ Bypass Authentication using SMB Symlinks ------------------------ * Description: An external attacker, without requiring any login process, is able to download the whole router kernel filesystem, including all the configuration information and the user account information files, by creating symbolic links through the router Samba server. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121790 (http://osvdb.org/show/osvdb/121790) * PoC: An unauthenticated attacker is able to download the whole router filesystem by connecting to the Samba server. There is a shared service (called storage) in which it is possible to create symbolic links to the router filesystem and download the content. I.e., a symlink to / is possible and allows the attacker to freely view and download the entire filesystem. -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121794 (http://osvdb.org/show/osvdb/121794) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG553 Tested firmwares: V100R001C03B043SP01 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router replies with HTTP 400 status code, but either the reboot or the configuration reset is being correctly executed. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG556a Tested firmwares: V100R001C10B077 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router asks for username-password and returns HTTP 401 status code (unauthorized), but after multiple requests are sent, it replies with HTTP 400 status code and executes the action. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as diagnostic.htm and config_wifi.htm. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121777 (http://osvdb.org/show/osvdb/121777) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Dispositivos Conectados (Connected Devices) table. Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Astoria Model: ARV7510 Tested firmwares: 00.03.41 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121773 (http://osvdb.org/show/osvdb/121773) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and OSVDB-121888 (http://osvdb.org/show/osvdb/121888) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1 ============================================================================================ ============================================================================================ Manufacturer: Amper Model: ASL-26555 Tested firmwares: v2.0.0.37B_ES Comments: Common router that Spanish ISP Telefónica used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and OSVDB-121771 (http://osvdb.org/show/osvdb/121771) * PoC: Besides the main web configuration interface (port 80), there is a much more advanced one on port 8000 in which every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.21:8000/ADVANCED/ad_dns.xgi? &set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS It is also possible for an attacker to change the default router administrator password by sending the victim this URL: (URL is omitted due to size reasons) -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121772 (http://osvdb.org/show/osvdb/121772) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The vulnerable input field is found into the basic web interface on port 80. The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory, into the advanced web interface on port 8000. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Connected Clients table (Setup->Local Network). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: AR-5387un Tested firmwares: A731-410JAZ-C04_R02 Comments: Common router that ISP Jazztel used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Netgear Model: CG3100D Tested firmwares: v1.05.05 Comments: Common router that ISP ONO used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121795 (http://osvdb.org/show/osvdb/121795) * PoC: Every input field is vulnerable to CSRF. An attacker may code a malicious website which triggers a POST request to the victim’s router. When a website with that code is accessed, the POST request is sent and the attack is done. It is also possible for an attacker to reset the victim’s router to default settings by using custom source code. (Source codes have been omitted due to size reasons). -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121780 (http://osvdb.org/show/osvdb/121780) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del router (Advanced->Router status). ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: VG-8050 Tested firmwares: SB01-S412TLF-C07_R03 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Zyxel Model: P 660HW-B1A Tested firmwares: 3.10L.02 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121796 (http://osvdb.org/show/osvdb/121796) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the Hostname field within the Dynamic DNS subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121797 (http://osvdb.org/show/osvdb/121797) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/password.cgi?sysPassword=newpassword ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: 536+ Tested firmwares: A101-220TLF-C35 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DIR-600 Tested firmwares: PV6K3A8024009 Comments: -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master). Greetings, Jose Antonio Rodriguez Garcia Alvaro Folgado Rueda Ivan Sanz de Castro. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: More than 60 undisclosed vulnerabilities affect 22 SOHO routers Jose Antonio Rodriguez Garcia (May 31)