Macally WIFISD2-2A82

Writeup for CVE-2020-29669 by Maximilian Barz (Silky) and Daniel Schwendner (code-byter)


This is a writeup of exploiting the Macally WIFISD2-2A82 Travel Router (firmware version 2.000.010). The guest user is able to reset its own password, and this process contains a vulnerability that can be used to take over the administrator account, which in turn results in shell access. Because the admin user may read the /etc/shadow file, the password hashes of every user (including root) can be dumped. The root hash can be cracked easily, which results in a complete system compromise. All of this starts from the guest account, which is intended to be handed out to guests.

images/router.jpg

CVSS 3.1 Base Score: 8.7

Affected file: /protocol.csp

images/base.png

Walkthrough / PoC:

Step 1:

Log in with the guest account on the web interface. The default password for both guest and admin is blank.

images/web_login.png


When authenticated successfully, a screen similar to the following should appear.

images/dashboard.png




Step 2:

Navigate to the User manager in the settings menu, where you can change the password of the current user.

images/password_change.png

The guest user is able to reset its own password: fill in the blank fields and capture the request in Burp Suite.

images/burp_1.png

Change the value of name to admin and forward the request.

images/burp_2.png

In the web interface, a pop-up box will appear saying "Password changed successfully".

images/password_changed.png
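To show the access-control mistake behind Step 2 and the check that closes it, here is an added illustration that is not the router's firmware code (which is not part of this writeup): a hypothetical password-change handler in the flawed form, which trusts the request's name field, beside a hardened form that binds the target account to the login session and verifies the current password (the old_password field name and the in-memory store are assumptions).

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Identity established at web login; the only trustworthy source of 'who am I'."""
    user: str


@dataclass
class PasswordStore:
    # Constructed sample state: both default passwords are blank, as the writeup notes.
    passwords: dict = field(default_factory=lambda: {"admin": "", "guest": ""})

    def change_password_vulnerable(self, session: Session, form: dict) -> bool:
        """Flawed pattern: the target account is taken from the client-supplied
        'name' field, so a logged-in guest can set the admin password."""
        target = form.get("name")
        if target not in self.passwords:
            return False
        self.passwords[target] = form["password"]
        return True

    def change_password_fixed(self, session: Session, form: dict) -> bool:
        """Hardened pattern: the target is the session's own user. A 'name'
        that disagrees with the session is rejected, the caller must prove
        knowledge of the current password (assumed 'old_password' field),
        and a blank replacement password is refused."""
        target = session.user
        if form.get("name", target) != target:
            return False  # request names a different account than the session
        if form.get("old_password", "") != self.passwords[target]:
            return False  # current password does not verify
        new = form.get("password", "")
        if not new:
            return False  # do not allow a blank password to be (re)set
        self.passwords[target] = new
        return True
```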



Step 3:

Log in as admin via Telnet with the password set in the previous step.

images/telnet_login.png

Admin is able to read the /etc/shadow file, exposing the root hash.

images/etc_password.png

Exploit

The whole exploitation process is automated with a Python script. To spawn a root shell (or crack the root hash), run macally_exploit.py:

python3 macally_exploit.py 10.10.10.254

images/exploit.png

CVE MITRE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29669

Exploit-DB entry: https://www.exploit-db.com/exploits/49256


Maximilian Barz (OSCP), Email: mbzra@protonmail.com, Twitter: S1lky_1337

Daniel Schwendner, Email: officialcodebyter@gmail.com, Instagram: code_byter
