[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multiple Vulnerabilities with Aztech Modem Routers
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple Vulnerabilities with Aztech Modem Routers
- From: Federick Joe P Fajardo <fjpfajardo@xxxxxxxxxx>
- Date: Mon, 15 Sep 2014 04:42:13 +0800
PRODUCT DESCRIPTION
The Aztech ADSL family of modems/routes are shipped to residential and SOHO
users that desires speed from 150-300mbps rate. This modem/router also supports
IEEE802.11b/g/n as a Wireless LAN Access point. The vulnerable model numbers
are: DSL5018EN (1T1R) (Shipped with Globe Telecom in the Philippines), DSL705E
and DSL705EU.
Vendor reference: http://www.aztech.com/prod_adsl_dsl5018en_1t1r.html
1. Denial of Service (DoS)
The CGI script that resets the WAN connectivity of the modem can be called
directly from the web server with no authentication. Sending a crafted HTTP GET
request to the router via /cgi-bin/AZ_Retrain.cgi will allow an attacker to
execute code that could potentially lead to Denial of Service (DoS) attack and
may terminate or all established Internet connections in the network.
Proof of Concept for this vulnerability
Send a GET request to the cgi-bin/AZ_Retrain.cgi to reset the WAN connection:
http://x.arpa.ph/fjpf/aztech-exploits/azreset.txt
2. Broken Session Management
A successful authentication of a privilege (admin) ID in the web portal allows
any attacker in the network to hijack and reuse the existing session in order
to trick and allow the web server to execute administrative commands. The
command may be freely executed from any terminal in the network as long as the
session of the privilege ID is valid.
Proof of Concept for this vulnerability
1. From computer A, open a web browser and login to the modem/router's web
portal using the administrator ID.
2. From computer B, open a terminal session and make a POST request to the
router: http://x.arpa.ph/fjpf/aztech-exploits/azpass.txt
3. File and Data Exposure
The router's configuration file contains the hardware information as well as
all of the user's credentials. This includes the customer's name and WAN
account, the TR-069 credential of the telecom company and the web portal's
admin username and password. A malicious attacker can send a direct GET request
to the cgi-bin/userromfile.cgi script and download the ROM file. Although the
ROM file is a ciphered text, this can be deciphered using a weak substitution
technique (ROT 24) which could potentially lead to data exposure.
Proof of Concept for this vulnerability
a. Send a GET request to the router using cgi-bin/userromfile.cgi via curl:
http://x.arpa.ph/fjpf/aztech-exploits/azgetconf.txt
b. Decipher the downloaded rommfile.cfg using Caesar cipher.
4. Web Parameter Tampering
Some of the router's restricted and disabled settings can be acquired by
checking the hidden fields in forms. Most of these settings can be manipulated
by intercepting the data and manipulating the values upon submission. The below
example shows how we manipulated the Access Control List in order to enable
Telnet in the WAN section of the control panel before submitting the data.
Proof of Concept for this vulnerability
a. Open a web browser and redirect traffic to localhost:8080.
b. Open burb proxy and intercept traffic coming from the browser.
c. Login to the router's web portal and go to the page where the protected
values are located.
d. Find the reference to the hidden values in the form and modify it.
e. Submit the request to the router. Refresh the browser to see the modified
protected values.
Screenshots: http://x.arpa.ph/fjpf/aztech-exploits/aztech.img.tgz
The following CVE's precedes the above and were found as fixed:
CVE-2008-6588 _ Aztech ADSL2/2+ 4-port router has a default "isp" account with
a default "isp" password, which allows remote attackers to obtain access if
this default is not changed.
CVE-2008-6554 _ cgi-bin/script in Aztech ADSL2/2+ 4-port router 3.7.0 build
070426 allows remote attackers to execute arbitrary commands via shell
metacharacters in the query string.
CVE-2007-4733 _ The Aztech DSL600EU router, when WAN access to the web
interface is disabled, does not properly block inbound traffic on TCP port 80,
which allows remote attackers to connect to the web interface by guessing a TCP
sequence number, possibly involving spoofing of an ARP packet, a related issue
to CVE-1999-0077.
Researchers:
Federick Joe Fajardo / fjpfajardo(at)ph.ibm.com, Lorenzo Miguel Flores /
floresl(at)ph.ibm.com