Prolink PRN2001 - Multiple Vulnerabilities
Exploit Title: Prolink PRN2001 Multiple Vulnerabilities

1. -Advisory Information-

Title: Prolink PRN2001 Multiple Vulnerabilities
Firmware: Ver 1.2
Firmware URL: http://www.prolink2u.com/download/fw/fw_PRN2001_V1.2_20130323.zip
Vendor Homepage: http://www.prolink2u.com/
Author: Herman Groeneveld aka sh4d0wman
Tested On: Windows 7 / Kali
Date published: Dec 01 2014
Release mode: Coordinated release

2. -Vulnerability Information-

PROLiNK® PRN2001 Wireless-N Broadband AP / Router is the ideal wireless solution most suited for home and small businesses. Designed to support wireless speeds of up to 150Mbps, the PRN2001 offers stellar performance on the 2.4GHz frequency band. This top-notch home networking device functions as an Access Point, Router or a Universal Repeater.

Multiple vulnerabilities have been discovered in this router. The majority require a valid account on the device to exploit. Default credentials are: admin/password

In the default configuration all vulnerabilities are restricted to exploitation over the LAN/WLAN interfaces. A successful compromise would give an attacker full control over the device, which would allow the attacker to enable remote device management over the WAN interface.

3. -Technical Description / Proof of Concept Code-

Introduction: the following types of vulnerabilities have been discovered in the device:
- 3.1: CWE-286: Incorrect User Management
- 3.2: CWE-668: Exposure of Resource to Wrong Sphere
- 3.3: CWE-200: Information Exposure
- 3.4: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 3.5: CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service
- 3.6: CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration

Technical Description:
--------------------------------------------------------------
3.1 -Class: CWE-286: Incorrect User Management-

Description: insufficient separation of privileges.
Any account with user-level privileges has the following privileges in the web-management interface:
- Create new users with administrative privileges
- Upgrade the device firmware
- Download and upload configuration files

PoC: users could escalate their privileges by creating a new account.
--------------------------------------------------------------
3.2 -CWE-668: Exposure of Resource to Wrong Sphere-

Description: a user-level account is not restricted from exporting or importing a device configuration file. The configuration file "config.img" is stored as plain-text XML. This is the root cause of the following vulnerabilities:
---------------------------------------------------------------
Name: privilege escalation through device configuration file

Description: the plaintext XML configuration file leaks the administrative username and password of the device, giving an attacker full control over the device.

PoC: administrative accounts have FLAG value 0x0:

<chain N="USERNAME_PASSWORD">
  <V N="FLAG" V="0x0"/>
  <V N="USERNAME" V="admin"/>
  <V N="PASSWORD" V="password"/>
  <V N="PRIORITY" V="0x2"/>
</chain>
---------------------------------------------------------------
Name: telnet privilege escalation through device configuration file

Description: in the plaintext XML configuration file any administrative user account is set to <V N="PRIORITY" V="0x2"/>. When this value is changed to <V N="PRIORITY" V="0x1"/> the account gains the following additional command options in a telnet shell:
- chksum: Check sum checking.
  Syntax: chksum address length
- dhcp: Enable DHCP client
- disable: Turn off privileged commands
- enable: Turn on privileged commands
- loaddll: Unknown functionality / DoS: issuing loaddll crashes the device
- script: Run specified script
- system: Show general system information
- webdll: Unknown functionality
- xfile: File copy functionality
- xip: Resolve DNS
--------------------------------------------------------------
3.3 -CWE-200: Information Exposure-

Description: the device leaks various kinds of sensitive information which can aid an attacker in vulnerability discovery and/or privilege escalation.

Vulnerable Functions:
--------------------------------------------------------------
Name: configuration-file sensitive information disclosure

Description: the XML configuration file "config.img" can be exported by user-level accounts and is stored as plain text. The following sensitive information is leaked:

Confidentiality Related:
- Plaintext administrative credentials
- Plaintext user-level credentials
- Plaintext PPPoE WAN credentials
- Plaintext WEP key | WPA PSK | WSC PIN

Device Integrity Related:
- Create, Modify or Delete accounts:
  PoC: change anything inside the chain or delete the complete chain:

  <chain N="USERNAME_PASSWORD">
    <V N="FLAG" V="0x0"/>
    <V N="USERNAME" V="admin"/>
    <V N="PASSWORD" V="password"/>
    <V N="PRIORITY" V="0x2"/>
  </chain>

- Enabling Device Management over WAN:
  PoC: modify NATRULE_INSRC_STATIC to allow web and/or telnet device management over the WAN port.
- DNS traffic redirection:
  PoC: modify the DHCP Assigned DNS settings to point clients to a rogue DNS server.
--------------------------------------------------------------
Name: log-file sensitive information disclosure

Description: logging is disabled by default. When it is enabled, any valid user-level or administrative account can view the log through the web-management interface. Invalid logon attempts show the username and the invalid password in plaintext.
If a user misspells his password, an attacker has a high chance of guessing the correct password.

Data Exposed:
- Usernames
- Passwords (partial)
--------------------------------------------------------------
Name: telnet sensitive information disclosure

Description: the telnet command "show web" lists the complete web structure, which can aid an attacker in vulnerability discovery.

PoC: the following URLs are leaked and are not available through the default web-management interface:
- dhcpvendortbl_withoutcheck.htm
- debug.htm
--------------------------------------------------------------
3.4 -CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)-

Description: the web-based device management interface is vulnerable to persistent XSS attacks caused by insufficient input validation. A valid account on the router is needed to exploit the vulnerabilities.

Vulnerable Functions:
--------------------------------------------------------------
URL: ddns.htm
Field(s): hostname, username
PoC: insert into both fields: <script>alert(String.fromCharCode(88,83,83));</script>
XSS Execution:
- When the dyndns settings page is requested in the web-interface
- If logging is enabled: loading the system log in the web-interface
--------------------------------------------------------------
URL: login.htm
Field(s): username
PoC: insert as username: <script>alert(String.fromCharCode(88,83,83));</script>
XSS Execution:
- If logging is enabled: loading the system log in the web-interface
--------------------------------------------------------------
URL: config.img
Field(s): any of the above values, but modified through the configuration file (XML).
Description: the configuration file is stored in plain text. The above injection can be carried out by inserting the XSS test string into XML elements. Execution takes place inside the web-management interface when the vulnerable URLs are browsed to.
XSS Execution:
- Same locations as the previously disclosed injections, but in XML; username injection example:

  <V N="USERNAME" V="[XSS Inject Here]"/>
  <V N="PASSWORD" V="test"/>
--------------------------------------------------------------
3.5 -CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service-

Description: unauthenticated and authenticated users can perform various actions which result in the router crashing and rebooting. In this process all LAN, WAN and Wireless connections are dropped.

Vulnerable Functions:
--------------------------------------------------------------
Name: Unauthenticated device DoS

Description: sending a request to [device ip]/autoboot.htm in the web-management interface will initiate a factory-default reboot. In this process all LAN, WAN and Wireless connections are dropped. Device settings however remain unchanged.

PoC: GET request to [deviceip]/autoboot.htm
--------------------------------------------------------------
Name: Authenticated device DoS through invalid firmware update

Description: authenticated users could crash the device by uploading a large file as a firmware upgrade. The device has no checks in place before the upload is accepted. After a certain amount of data is uploaded the device will initiate a reboot, most likely due to resource exhaustion of either memory or local disk space.

PoC: upload any big file as firmware image
--------------------------------------------------------------
Name: Authenticated Telnet custom command device DoS

Description: various custom telnet commands can be unlocked through the configuration file. Executing the "loaddll" command without any parameters will crash and reboot the device.

PoC: gain special privileges and issue loaddll inside the telnet shell
--------------------------------------------------------------
Name: Authenticated NTP Date HTTP Request device DoS

Description: the web-management interface allows time configuration by authenticated users.
If certain parts are modified the device will crash and reboot.

PoC: POST form2systime.cgi?year=1975&month=Jan&day=1&hour=0&min=19&sec=24&daylightsaving=6&submit.htm%3Ftime.htm=send
Insert junk (for example: A*400) in Year, Month or Day and the device will crash.
--------------------------------------------------------------
3.6 -CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration-

Description: various configuration settings do not conform to generally recommended security best practices, weakening the device's security posture.

Vulnerable Functions:
--------------------------------------------------------------
Name: configuration error

Description: when new user accounts are created through the web-management interface the default permissions are root-level and these can't be changed to user-level. However, intercepting the HTTP request and modifying the permissions parameter to user-level results in the creation of a user account with user-level privileges. Parts of the web-management interface will be restricted.

PoC: enter a valid name and password, change the privilege level to 1 (root priv) or 2 (user priv):
username=[name]&privilege=[2]&newpass=[pass]&confpass=[pass]&adduser=Add&hiddenpass=$submit.htm%Fuserconfig.htm=Send
--------------------------------------------------------------
Name: unencrypted device management protocols

Description: the router can be managed either through the web-management interface, which sends HTTP traffic, or by Telnet. Both protocols use plaintext communications, which could allow an attacker to intercept and/or modify this traffic.
--------------------------------------------------------------
Name: password complexity and lockout policy

Description: no password complexity is enforced; the minimum length is 1 character. No lockout mechanism exists for the web-management interface. This enables an attacker to guess a correct username / password combination through password guessing or brute-forcing.
Weak passwords give an attacker a higher chance of success. The telnet service features a lockout policy; it disconnects any client after three wrong login attempts.

PoC: hydra [ip] -l admin -P /root/Desktop/pass.txt -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'
--------------------------------------------------------------
4. -Vendor Information, Solutions and Workarounds-

Date 10-10-2014 - Vulnerabilities discovered
Date 20-10-2014 - Contacted vendor by e-mail for responsible disclosure, informed them of release date December 1st 2014 - No Reply
Date 01-11-2014 - Contacted vendor by e-mail - No Reply
Date 15-11-2014 - Contacted vendor by e-mail - No Reply
Date 01-12-2014 - Public Disclosure

# 0day.today [2024-12-24] #
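The configuration-file issues in sections 3.2 to 3.4 (administrative accounts carry FLAG 0x0, a PRIORITY of 0x1 unlocks the privileged telnet commands, the factory admin/password credentials, and markup injected into account fields) can all be checked offline from an exported config.img, which is how an administrator would verify a device before or after an incident. The Python script below is an added example written for this page; it is not part of the advisory or of the vendor firmware. The <config> wrapper element, the three sample accounts and the 8-character short-password threshold are assumptions, since the advisory only quotes the <chain N="USERNAME_PASSWORD"> elements themselves and states that the device enforces a minimum length of 1.

```python
import html
import re
import sys

# Constructed sample in the layout the advisory quotes for config.img: one
# <chain N="USERNAME_PASSWORD"> per account. The <config> wrapper is an
# assumption; the advisory only shows the chain elements. The third account
# carries markup in its username, the stored-XSS case from section 3.4.
SAMPLE_CONFIG = """<config>
<chain N="USERNAME_PASSWORD">
  <V N="FLAG" V="0x0"/>
  <V N="USERNAME" V="admin"/>
  <V N="PASSWORD" V="password"/>
  <V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
  <V N="FLAG" V="0x1"/>
  <V N="USERNAME" V="helpdesk"/>
  <V N="PASSWORD" V="s3cret-long-enough"/>
  <V N="PRIORITY" V="0x1"/>
</chain>
<chain N="USERNAME_PASSWORD">
  <V N="FLAG" V="0x1"/>
  <V N="USERNAME" V="<script>alert(1)</script>"/>
  <V N="PASSWORD" V="x"/>
  <V N="PRIORITY" V="0x2"/>
</chain>
</config>
"""

CHAIN_RE = re.compile(r'<chain N="USERNAME_PASSWORD">(.*?)</chain>', re.DOTALL)
VALUE_RE = re.compile(r'<V N="([A-Z_]+)" V="([^"]*)"\s*/>')
MARKUP_RE = re.compile(r'[<>]')

DEFAULT_CREDENTIALS = {("admin", "password")}   # stated in the advisory
MIN_PASSWORD_LENGTH = 8                          # assumed policy, not the device's


def parse_accounts(config_text):
    """Return one {field: value} dict per USERNAME_PASSWORD chain.

    Regular expressions are used instead of an XML parser on purpose: after
    an injection like the one in section 3.4 the file can contain a raw '<'
    inside an attribute value, which a strict parser rejects outright.
    Entity-escaped values (&lt;) are unescaped so both forms are caught.
    """
    return [
        {name: html.unescape(value) for name, value in VALUE_RE.findall(chain.group(1))}
        for chain in CHAIN_RE.finditer(config_text)
    ]


def audit_accounts(accounts):
    """Return (username, issue) pairs for every account that needs attention."""
    findings = []
    for acct in accounts:
        user = acct.get("USERNAME", "")
        password = acct.get("PASSWORD", "")
        if acct.get("FLAG") == "0x0":                 # administrative account (3.2)
            findings.append((user, "administrative-account"))
        if (user, password) in DEFAULT_CREDENTIALS:   # factory credentials unchanged
            findings.append((user, "default-credentials"))
        if acct.get("PRIORITY") == "0x1":             # privileged telnet commands unlocked (3.2)
            findings.append((user, "telnet-privileged-priority"))
        if len(password) < MIN_PASSWORD_LENGTH:       # device itself enforces only 1 char (3.6)
            findings.append((user, "short-password"))
        for name, value in acct.items():              # markup stored via the file (3.4)
            if MARKUP_RE.search(value):
                findings.append((user, f"markup-in-{name}"))
    return findings


def audit_file(path):
    """Audit an exported config.img from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_accounts(parse_accounts(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_accounts(parse_accounts(SAMPLE_CONFIG))
    for user, issue in results:
        print(f"{issue:28} {user!r}")
```

Run it with the path of an exported config.img as the only argument; without an argument it audits the embedded sample and reports the administrative default account, the account whose PRIORITY was lowered to 0x1, and the account with markup in its USERNAME field. Because the file is plain text, the same export can be diffed against a known-good copy to spot changes to NATRULE_INSRC_STATIC or the DHCP-assigned DNS settings mentioned in section 3.3.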