Dear PacketStorm community,

We are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid. As part of the dissertation, we have discovered multiple vulnerabilities in the following SOHO routers:

1. Observa Telecom AW4062
2. Comtrend WAP-5813n
3. Comtrend CT-5365
4. D-Link DSL-2750B
5. Belkin F5D7632-4
6. Sagem LiveBox Pro 2 SP
7. Amper Xavi 7968 and 7968+
8. Sagem Fast 1201
9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600

The aforementioned vulnerabilities are:

- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
- Denial of Service (DoS) on #1, #5 and #10.
- Privilege Escalation on #1.
- Information Disclosure on #4 and #11.
- Backdoor on #10.
- Bypass Authentication using SMB Symlinks on #12.
- USB Device Bypass Authentication on #12, #13, #14 and #15.
- Bypass Authentication on #13 and #14.
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.

CVEs have already been requested from MITRE and other CNAs (since MITRE is taking forever to assign a CVE) and we are waiting for a response. OSVDB IDs have been assigned. Vendors and manufacturers have already been notified. All routers have been physically tested.
============================================================================================
Manufacturer: Observa Telecom
Model: AW4062
Tested firmwares: 1.3.5.18 and 1.4.2 (latest)
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL customers, especially during 2012.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple Cross-site Scripting (XSS) vulnerabilities were found in the configuration menu of the router web interface. These XSS vulnerabilities give an attacker the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121211 (http://osvdb.org/show/osvdb/121211)
* PoC: The flaw lies in input fields that accept special characters and display the submitted information back in the web interface. For example, there is a vulnerable input field in the Domain Blocking subdirectory. When used legitimately, this input is used to block traffic between the router and particular domains. The script remains stored (persistent XSS) in the Domain field of the Domain Block Table and is executed each time the victim accesses the Domain Blocking subdirectory. This vulnerability can also be found in the input fields of other subdirectories such as Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, among others. The most effective attack is found in the Advance/SNMP subdirectory: by injecting the script into the System Name field, the malicious code is executed each time someone connects to the router, because that value is reflected on the home page.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121210 (http://osvdb.org/show/osvdb/121210), OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and OSVDB-121214 (http://osvdb.org/show/osvdb/121214)
* PoC: For example, if an attacker wants the victim to ping a certain IP address in order to check whether the victim is already logged into the router, he will send this URL to the victim:
http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88
It is also possible for an attacker to change the default router password by sending the victim this URL:
http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22
The URL above forces the user with index 0 (this is always the user named 1234) to change his default password from 1234 to 12345.
The following URL forces the victim to change his DNS servers to the ones the attacker chooses:
http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=
Any action available within the website can be triggered through CSRF. This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless Access Point, enabling WPS, etc.
--------------------------------------------------------------------------------------------
---------------------------------- Privilege Escalation ----------------------------------
* Description: Any user without administrator rights is able to escalate privileges by reading the public router configuration file (config.xml). This file stores every router configuration parameter, including the credentials of all users, in plain text.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and OSVDB-121285 (http://osvdb.org/show/osvdb/121285)
* PoC: A user without administrator rights (e.g., user) connects to the router through FTP. This user is able to retrieve both the /etc/passwd and config.xml files. The file config.xml stores every router configuration parameter in plain text, including the credentials of all users. In this way, any user is able to gain administrator privileges. This is critical because few people know there is another user apart from the administrator. That means they only change the administrator password, leaving a default user with default credentials (user:user) that is able to escalate privileges.
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
* PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/goform/admin/formReboot
If a victim opens this URL, the router commits all its configuration and reboots, a process that takes 60 seconds.
There are many ways for an attacker to perform a Denial of Service attack by exploiting Cross Site Request Forgery vulnerabilities:
a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even setting up a global Deny rule is possible, allowing traffic only from/to certain IPs/MACs.
b) Delete the router configuration that allows it to connect to the Internet Service Provider.
c) Disable the Wireless Interface so no device can connect through the 802.11 protocol.
d) Etc.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033)
Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one)
Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers from 2011 to 2014
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most of the input fields do not accept special characters, there are still some in which an XSS can be performed. For example, the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC: Every input field is vulnerable to CSRF.
Whenever the administrator user changes his password, he is actually opening the URL /password.cgi?adminPassword=newpassword. An attacker may send the following URL to the victim, so that the administrator password is changed to 1234567890:
http://192.168.1.1/password.cgi?adminPassword=1234567890
If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: CT-5365
Tested firmwares: A111-306TKF-C02_R16
Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers since 2012
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC: Although most of the input fields do not accept special characters, there are still some in which an XSS can be performed. For example, the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL /password.cgi?sysPassword=newpassword.
An attacker may send the following URL to the victim, so that the administrator password is changed to 1234567890:
http://192.168.1.1/password.cgi?sysPassword=1234567890
If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC: An external attacker is able to inject malicious code into the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the hostname field of the Connected Clients list (Device Info -> DHCP). Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: D-Link
Model: DSL-2750B
Tested firmwares: EU_1.01
Comments:
--------------------------------------------------------------------------------------------
------------------ Information Disclosure (Insecure Object References) -------------------
* Description: An attacker is able to obtain critical information without being logged in.
* Report status: Reported to MITRE on 2015-03-25. Waiting for assignment. OSVDB-121219 (http://osvdb.org/show/osvdb/121219)
* PoC: By accessing the URL http://192.168.1.1/hidden_info.html, the browser shows a large number of parameters such as the SSID, Wi-Fi password, PIN code, etc. without requiring any login process.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122384 (http://osvdb.org/show/osvdb/122384)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Belkin
Model: F5D7632-4
Tested firmwares: 6.01.04
Comments:
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out malicious actions.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121220 (http://osvdb.org/show/osvdb/121220)
* PoC: Every input field is vulnerable to CSRF. For example, if an attacker wants to change the DNS servers, he may use the following URL to do so:
http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252&dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment.
* PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout=""
This URL causes the router to reboot, interrupting any active connection and denying service for about 20 seconds.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122389 (http://osvdb.org/show/osvdb/122389)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: LiveBox 2 Pro
Tested firmwares: FAST3yyy_671288
Comments: Common router that ISP Orange used to give away to their ADSL customers.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code, even if the victim is not logged into the router web configuration page.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121223 (http://osvdb.org/show/osvdb/121223)
* PoC: Although most of the input fields do not accept special characters, there are still some in which an XSS can be performed.
1. The SSID field within the "Configuración -> Equipos -> Personalizar" (Configuration -> Devices -> Personalize) subdirectory allows script code injection. The script execution can be clearly seen within the "Configuración -> Equipos -> Mostrar" (Configuration -> Devices -> Show) subdirectory.
2. The SSID field within the "Configuración -> LiveBox -> Configuracion Wifi -> SSID-name" (Configuration -> LiveBox -> Wi-Fi Configuration -> SSID-Name) subdirectory allows script code injection. The script execution can be clearly seen on the main log-in page, even if the user is not logged in.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122387 (http://osvdb.org/show/osvdb/122387)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device.
This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Amper
Model: Xavi 7968 and Xavi 7968+
Tested firmwares: 3.01APT94 (latest one)
Comments: Common router that ISP Telefónica used to give away to their ADSL customers from 2010 to 2013.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121224 (http://osvdb.org/show/osvdb/121224)
* PoC: An external attacker is able to inject malicious code into the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the hostname field of the Connected Clients list (/webconfig/status/dhcp_table.html). Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122388 (http://osvdb.org/show/osvdb/122388)
* PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: Fast 1201
Tested firmwares: 3.01APT94 (latest one)
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121222 (http://osvdb.org/show/osvdb/121222)
* PoC: An external attacker is able to inject malicious code into the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the hostname field of the DHCP Leases list (dhcpinfo.html). Once the victim views this list, the script is executed.
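The DHCP hostname injection reported for the CT-5365, Xavi 7968 and Fast 1201 (and for other routers further down) comes down to the DHCP client table rendering option 12 verbatim. The following Python is an added example, not code from the advisory or from any vendor firmware: it extracts option 12 from a DHCPREQUEST constructed here for the purpose, validates the name against RFC 1123 syntax, and shows the unescaped table row beside the escaped one, plus a detection hook a DHCP relay or IDS could apply. The packet bytes, MAC address, hostnames and table markup are all constructed assumptions; the same output encoding applies to the SSID and System Name fields in the persistent XSS sections.

```python
import html
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE, OPT_HOSTNAME, OPT_END, OPT_PAD = 53, 12, 255, 0
DHCPREQUEST = 3


def build_dhcp_request(hostname: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPREQUEST for the example (not a capture): fixed BOOTP header + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                                    # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        b"\x00\x0c\x29\xaa\xbb\xcc".ljust(16, b"\0"), # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128,                      # sname, file
    )
    options = MAGIC_COOKIE
    options += bytes([OPT_MESSAGE_TYPE, 1, DHCPREQUEST])
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    options += bytes([OPT_END])
    return header + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the TLV option area after the magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# RFC 1123 host-name label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
# Note this also rejects underscores, which some real clients send; tune if that is too strict.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hostname_from(opts: dict) -> str:
    return opts.get(OPT_HOSTNAME, b"").decode("ascii", errors="replace")


def render_row_affected(opts: dict) -> str:
    """What the affected client tables effectively do: client-supplied bytes straight into HTML."""
    return "<tr><td>" + opts.get(OPT_HOSTNAME, b"").decode("latin-1") + "</td></tr>"


def render_row_hardened(opts: dict) -> str:
    """Validate on input, encode on output; an invalid name is shown as a fixed placeholder."""
    name = hostname_from(opts)
    if not valid_hostname(name):
        name = "(invalid hostname)"
    return "<tr><td>" + html.escape(name, quote=True) + "</td></tr>"


def suspicious_dhcp_hostname(packet: bytes) -> bool:
    """Detection hook for a DHCP relay or IDS: True when a DHCPREQUEST carries a non-RFC-1123 hostname."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPREQUEST]) or OPT_HOSTNAME not in opts:
        return False
    return not valid_hostname(hostname_from(opts))


if __name__ == "__main__":
    for name in (b"laptop-01", b"<script>alert(1)</script>"):
        pkt = build_dhcp_request(name)
        opts = parse_dhcp_options(pkt)
        print(suspicious_dhcp_hostname(pkt), render_row_affected(opts), render_row_hardened(opts))
```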
============================================================================================
============================================================================================
Manufacturer: Linksys
Model: WRT54GL
Tested firmwares: 4.30.16 build 6
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment. OSVDB-121221 (http://osvdb.org/show/osvdb/121221)
* PoC: An external attacker is able to inject malicious code into the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the hostname field of the Connected Clients list (DHCPTable.asp). It can be accessed either directly through the URL or through the Status -> Local Network -> DHCP Clients Table subdirectories. Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: RTA01N
Tested firmwares: RTK_V2.2.13
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple Cross-site Scripting (XSS) vulnerabilities were found in the configuration menu of the router web interface.
These XSS vulnerabilities give an attacker the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and OSVDB-121788 (http://osvdb.org/show/osvdb/121788)
* PoC: The flaw lies in input fields that accept special characters and display the submitted information back in the web interface. For example, the Nombre del host (Hostname) input field within the Servicio -> DDNS subdirectory (Service -> DDNS, or /ddns.htm) is vulnerable. There is another vulnerable input field within the Mantenimiento -> Contraseña subdirectory (Maintenance -> Password, or /userconfig.htm). After creating a user whose username contains the malicious script, it is stored in the User Accounts table and executes once the victim accesses this subdirectory.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121786 (http://osvdb.org/show/osvdb/121786)
* PoC: For example, if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios"
It is also possible for an attacker to change the default router administrator password by sending the victim this URL:
http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send"
The URL above forces the administrator user (this is always the user named 1234) to change his default password from 1234 to newpass.
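Every CSRF link in this advisory works because the router accepts a state-changing request on a bare GET and checks nothing beyond the session cookie. The following Python is an added example, not code from the advisory or from any vendor: a hypothetical model of a "change DNS" handler in the affected pattern beside a hardened version that requires POST, a same-origin Origin/Referer header and a session-bound synchronizer token. The request dicts, ROUTER_ORIGIN, session id and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumptions for the example: the router's origin and a per-boot secret for token derivation.
ROUTER_ORIGIN = "http://192.168.1.1"
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; the form page embeds it in a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def handle_dns_affected(req: dict, config: dict) -> int:
    """Hypothetical model of the affected pattern (not vendor code): any request carrying
    the session cookie updates the configuration, whether it arrived by GET or POST."""
    if "session" not in req["cookies"]:
        return 403
    params = parse_qs(urlsplit(req["url"]).query)
    params.update(parse_qs(req["body"]))
    config["dns1"] = params.get("dns1", [""])[0]
    return 200


def handle_dns_hardened(req: dict, config: dict) -> int:
    """Same handler with the three checks that stop a cross-site request."""
    if "session" not in req["cookies"]:
        return 403
    if req["method"] != "POST":                        # a link or <img> can only issue GET
        return 405
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not source or _origin_of(source) != ROUTER_ORIGIN:
        return 403                                     # browsers send Origin on cross-site POSTs
    form = parse_qs(req["body"])
    sent = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(sent, csrf_token(req["cookies"]["session"])):
        return 403                                     # token missing or not this session's
    config["dns1"] = form.get("dns1", [""])[0]
    return 200


# Constructed requests: the victim's browser following an attacker's link, an auto-submitted
# cross-site form, and a genuine submission from the router's own page.
VICTIM_COOKIES = {"session": "s3ss10n"}
CROSS_SITE_GET = {
    "method": "GET",
    "url": "http://192.168.1.1/form2Dns.cgi?dnsMode=1&dns1=203.0.113.5",
    "headers": {"Referer": "http://attacker.example/"},
    "cookies": VICTIM_COOKIES, "body": "",
}
CROSS_SITE_POST = {
    "method": "POST",
    "url": "http://192.168.1.1/form2Dns.cgi",
    "headers": {"Origin": "http://attacker.example"},
    "cookies": VICTIM_COOKIES, "body": "dnsMode=1&dns1=203.0.113.5",
}
LEGITIMATE_POST = {
    "method": "POST",
    "url": "http://192.168.1.1/form2Dns.cgi",
    "headers": {"Origin": "http://192.168.1.1"},
    "cookies": VICTIM_COOKIES,
    "body": "dnsMode=1&dns1=192.0.2.53&csrf_token=" + csrf_token("s3ss10n"),
}
REQUESTS = (("cross_site_get", CROSS_SITE_GET), ("cross_site_post", CROSS_SITE_POST),
            ("legitimate_post", LEGITIMATE_POST))


def demo() -> dict:
    """Run both handlers on all requests; returns {handler: {request: (status, dns1 after)}}."""
    out = {}
    for name, handler in (("affected", handle_dns_affected), ("hardened", handle_dns_hardened)):
        out[name] = {}
        for label, req in REQUESTS:
            cfg = {"dns1": "unchanged"}
            out[name][label] = (handler(req, cfg), cfg["dns1"])
    return out


if __name__ == "__main__":
    for handler_name, results in demo().items():
        print(handler_name, results)
```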
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
* PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send"
If a victim opens this URL, the router replies with an HTTP 200 OK status code and reboots.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment. OSVDB-121789 (http://osvdb.org/show/osvdb/121789)
* PoC: An external attacker is able to inject malicious code into the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script in the hostname parameter. The malicious code is stored in the DHCP Active Clients table (/dhcptbl.html). Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
----------------------------------------- Backdoor ---------------------------------------
* Description: There is a second default administrator user which is hidden from the legitimate router owner.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121785 (http://osvdb.org/show/osvdb/121785)
* PoC: In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it only appears in the backup configuration XML file) and is able to modify any configuration setting either through the web interface or through telnet.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules, carry out a persistent denial of service and obtain the WLAN passwords, among other things, by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment. OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has many weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN. It is also possible for an attacker to change the WPS configuration settings, reset the AP to the default ones and obtain critical information, such as WLAN passwords.
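A LAN owner can at least detect what unauthenticated AddPortMapping calls of the kind described in the UPnP sections above have left behind. The following Python is an added example, not part of the advisory or of any vendor's software: it parses WANIPConnection GetGenericPortMappingEntry responses (the IGD action that enumerates existing mappings) and flags entries that forward to the router's own management ports or to hosts outside the LAN. The three SOAP responses, the LAN prefix, ROUTER_IP and the ADMIN_PORTS set are constructed assumptions for the example; the only real fix for the findings above is to disable the UPnP IGD service, since the protocol itself carries no authentication.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumptions for the example: the LAN prefix and the router's own address.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
# Management services that should never be reachable through a UPnP mapping.
ADMIN_PORTS = {21, 22, 23, 80, 443, 8080}


def _response(remote, ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntry SOAP response (WANIPConnection:1 layout)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample responses, not captured from any of the routers above.
SAMPLE_RESPONSES = [
    _response("", 5000, "TCP", 5000, "192.168.1.20", "game client"),  # ordinary LAN host
    _response("", 2323, "TCP", 23, "192.168.1.1", "remote admin"),    # router telnet exposed
    _response("", 3389, "TCP", 3389, "203.0.113.9", "rdp"),           # client outside the LAN
]


def parse_mapping(soap_xml: str) -> dict:
    """Pull the New* argument elements out of one GetGenericPortMappingEntry response."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        if elem.tag.startswith("New"):               # the argument elements are unqualified
            fields[elem.tag[3:]] = (elem.text or "").strip()
    return {
        "remote_host": fields.get("RemoteHost", ""),
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"],
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled", "0") == "1",
        "description": fields.get("PortMappingDescription", ""),
        "lease_seconds": int(fields.get("LeaseDuration", "0")),
    }


def audit_mapping(mapping: dict, lan=LAN, router_ip=ROUTER_IP) -> list:
    """Return human-readable findings; an empty list means the mapping looks intentional."""
    findings = []
    if not mapping["enabled"]:
        return findings
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
    except ValueError:
        return [f"internal client {mapping['internal_client']!r} is not an IP address"]
    if client not in lan:
        findings.append(f"internal client {client} is outside the LAN {lan}")
    if client == router_ip or mapping["internal_port"] in ADMIN_PORTS:
        findings.append(f"forwards external port {mapping['external_port']} to management port "
                        f"{mapping['internal_port']} on {client}")
    if mapping["remote_host"] == "" and mapping["lease_seconds"] == 0 and findings:
        findings.append("reachable from any Internet source and never expires")
    return findings


def audit_all(responses) -> dict:
    """Map response index -> findings, keeping only the mappings with something to report."""
    result = {}
    for i, xml_text in enumerate(responses):
        found = audit_mapping(parse_mapping(xml_text))
        if found:
            result[i] = found
    return result


if __name__ == "__main__":
    for idx, findings in audit_all(SAMPLE_RESPONSES).items():
        print(f"mapping #{idx}:")
        for finding in findings:
            print("  -", finding)
```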
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: Home Station BHS-RTA
Tested firmwares: v1.1.3
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL
customers

--------------------------------------------------------------------------------------------
--------------------------------- Information Disclosure ---------------------------------

* Description: The Observa Telecom Home Station BHS-RTA web interface allows an attacker to
  obtain critical information without any login process.

* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
  OSVDB-121781 (http://osvdb.org/show/osvdb/121781), OSVDB-121782 (http://osvdb.org/show/osvdb/121782),
  OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and OSVDB-121784 (http://osvdb.org/show/osvdb/121784)

* PoC: Without requiring any login process, an attacker who can reach the web interface is
  able to obtain critical information such as the WLAN password and settings, the Internet
  configuration, a list of connected clients, etc. The trailing "_" parameter in the URLs
  below is only a cache-busting timestamp added by the web UI and can take any value.

  By accessing the following URL, the browser shows the WLAN configuration, including the
  passwords:
  http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101

  By accessing the following URL, the browser shows a list of connected clients, including
  their IP and MAC addresses:
  http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101

  By accessing the following URL, the browser shows the Internet configuration parameters:
  http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134

  By accessing the following URL, the browser shows whether the administrator password has
  been changed or is still the default one:
  http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134

--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------

* Description: An unauthenticated attacker is able to modify firewall rules and carry out a
  persistent denial of service by using the Universal Plug and Play protocol supported by
  the device.

* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
  OSVDB-122386 (http://osvdb.org/show/osvdb/122386)

* PoC: The device supports the Universal Plug and Play (UPnP) protocol. UPnP actions carry
  no authentication, so anyone who can reach the control endpoint can invoke them. The
  device supports multiple UPnP actions, such as changing the firewall rules
  (AddPortMapping) or terminating any WAN connection (ForceTermination). These actions allow
  an attacker to carry out a persistent denial of service (the router needs to be factory
  reset to work properly again) or to open critical ports, even for remote hosts that are
  not on the LAN.

============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: VH4032N
Tested firmwares: VH4032N_V0.2.35
Comments: Common router that ISP Vodafone used to give away to their customers

--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------

* Description: Some input fields within the router website are vulnerable to Cross-site
  Scripting (XSS) attacks, allowing an attacker to execute malicious code.

* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
  OSVDB-121793 (http://osvdb.org/show/osvdb/121793)

* PoC: The threat is found in some input fields that allow special characters to be entered
  and then display the submitted information in the web page itself. For example, the SSID
  input field is vulnerable if the following code is entered: ‘;