[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bypassable authentication in SingTel / Aztech DSL8900GR(AC) router
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Bypassable authentication in SingTel / Aztech DSL8900GR(AC) router
- From: cort@xxxxxxxxxxxxxxxxxxxxxx
- Date: Sat, 11 Nov 2017 06:14:30 GMT
Credit: Cort
Date: 5 Aug 2017
CVE: Not assigned
Vendor: Aztech (https://www.aztech.com) / SingTel (https://www.singtel.com/)
Product: Aztech DSL8900GR(AC) router
Versions Affected: firmware 340.6.1-007 (latest available as of 9 Nov 2017)
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Fix: Not available.
Introduction
===
The Aztech DSL8900GR(AC) router is distributed by SingTel (largest ISP in
Singapore) with their business broadband package. It does not appear to be
available for direct sales.
The web admin interface for the router is protected by http basic access
authentication, but it was found that this only applies to the main menu page.
By directly visiting the pages used for the actual configurations (eg. DNS
server settings page), no passwords are requested, and configuration changes
can be successfully applied without authentication.
While only the DSL8900GR(AC) was tested, other models of Aztech routers
distributed by SingTel were observed to have an identical web admin interface
and are potentially affected in the same way.
Technical Description
===
The attack can be carried out by a local user without admin priviledges by
directly visiting the configuration pages for the web admin interface. For
example, visiting http://192.168.1.254/rtroutecfg.cmd?action=viewcfg will allow
the user to view and change static routes on the router without requiring any
authentication.
The attack can also be remotely triggered without local access, by getting a
local user to visit a malicious webpage or click on a link. The router accepts
configurations change command via HTTP GET without authentication.
The vulnerability can be exploited to change DNS servers, static routes, wifi
passwords, and reboot the router. This can be used to spoof websites, capture
traffic, or shutdown networks.
All configuration changes accessible through the web admin interface are likely
to be affected, but only the previously mentioned changes were tested.
Proof of Concept (Local Attack)
===
1) Connect to the router's network (eg. via wifi AP).
2) Visit http://192.168.1.254/rtroutecfg.cmd?action=viewcfg using any browser.
No username or password is requested.
3) Change route using the web interface. It can be easily verified that the
route change has been effected by the router.
Proof of Concept (Remote Attack)
===
1) Create a webpage containing the following HTML and place it anywhere on the
internet.
<iframe src="http://192.168.1.254/aztech_lancfg2.cgi?lanDnsSecondary=1.2.3.4";>
</iframe>
2) Get a user on the router's network to visit the webpage. The user does not
require admin priviledges.
3) The secondary DNS has now been changed to "1.2.3.4". This example is
generally harmless, but other more dangerous changes can be made in the same
way.
Solutions
===
No known workaround.
Patch was expected to complete testing by 30 Sep 2017, but there was
subsequently no communications from the vendor on the patch status.
Timeline
===
2017-08-05 Discovery by Cort. Initial vendor (Aztech) notification (no
response).
2017-08-12 Second notification to vendor (no response).
2017-08-17 Third notification to vendor (no response).
2017-08-21 Notified SingCert, who in turn notified Aztech and SingTel.
2017-09-06 Patch testing expected to be completed by 30 Sep 2017 (according to
SingCert).
2017-10-05 SingCert checking on status of patch. No response on status.
2017-11-05 Contacted SingCert to check on status of patch (no response).
2017-11-11 Public disclosure of vulnerability due to lack of response from
vendor.