what you don't know can hurt you

Aztech DSL5018EN / DSL705E / DSL705EU DoS / Broken Session Management

Aztech DSL5018EN / DSL705E / DSL705EU DoS / Broken Session Management
Posted Sep 15, 2014
Authored by Federick Joe P Fajardo

Aztech DSL5018EN, DSL705E, and DSL705EU ADSL modems/routers suffer from broken session management, denial of service, file exposure, and parameter tampering vulnerabilities.

tags | exploit, denial of service, vulnerability
advisories | CVE-2014-6435, CVE-2014-6436, CVE-2014-6437
MD5 | e31e579373367ba7f124194a3d19fd17

Aztech DSL5018EN / DSL705E / DSL705EU DoS / Broken Session Management

Change Mirror Download
PRODUCT DESCRIPTION

The Aztech ADSL family of modems/routes are shipped to residential and SOHO users that desires speed from 150-300mbps rate. This modem/router also supports IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers are: DSL5018EN (1T1R) (Shipped with Globe Telecom in the Philippines), DSL705E and DSL705EU.

Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html

1. Denial of Service (DoS)

The CGI script that resets the WAN connectivity of the modem can be called directly from the web server with no authentication. Sending a crafted HTTP GET request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to execute code that could potentially lead to Denial of Service (DoS) attack and may terminate or all established Internet connections in the network.

Proof of Concept for this vulnerability

Send a GET request to the cgi-bin/AZ_Retrain.cgi to reset the WAN connection: http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt

2. Broken Session Management

A successful authentication of a privilege (admin) ID in the web portal allows any attacker in the network to hijack and reuse the existing session in order to trick and allow the web server to execute administrative commands. The command may be freely executed from any terminal in the network as long as the session of the privilege ID is valid.

Proof of Concept for this vulnerability

1. From computer A, open a web browser and login to the modem/router's web portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt

3. File and Data Exposure

The router's configuration file contains the hardware information as well as all of the user's credentials. This includes the customer's name and WAN account, the TR-069 credential of the telecom company and the web portal's admin username and password. A malicious attacker can send a direct GET request to the cgi-bin/userromfile.cgi script and download the ROM file. Although the ROM file is a ciphered text, this can be deciphered using a weak substitution technique (ROT 24) which could potentially lead to data exposure.

Proof of Concept for this vulnerability

a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl: http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using Caesar cipher.

4. Web Parameter Tampering

Some of the router's restricted and disabled settings can be acquired by checking the hidden fields in forms. Most of these settings can be manipulated by intercepting the data and manipulating the values upon submission. The below example shows how we manipulated the Access Control List in order to enable Telnet in the WAN section of the control panel before submitting the data.

Proof of Concept for this vulnerability

a. Open a web browser and redirect traffic to localhost:8080.
b. Open burb proxy and intercept traffic coming from the browser.
c. Login to the router's web portal and go to the page where the protected values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router. Refresh the browser to see the modified protected values.

Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz

The following CVE's precedes the above and were found as fixed:

CVE-2008-6588 _ Aztech ADSL2/2+ 4-port router has a default "isp" account with a default "isp" password, which allows remote attackers to obtain access if this default is not changed.
CVE-2008-6554 _ cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build 070426 allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.
CVE-2007-4733 _ The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077.

Researchers:
Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores / floresl(at)ph.ibm.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close