*Title:* Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell.

*Vulnerability Information:*
- CVE: CVE-2014-1982
- Type of Vulnerability:
  - CWE-78: OS Command Injection
  - CWE-306: Missing Authentication for Critical Function

*Affected products:*
- Allied Telesis AT-RG634A ADSL Broadband router (version 3.3+ and probably others)

Other products have the same vulnerability:
- Allied Telesis iMG624A (firmware version 3.5)
- Allied Telesis iMG616LH (firmware version 2.4+)
- Allied Telesis iMG646BD (firmware version 3.5)

For these the vendor reports that firmware version 3.8.05 has already addressed this issue, but we were unable to test or confirm this information.

*Vendor:*
- Allied Telesis: http://www.alliedtelesis.com//

*Security Patches / Workaround:*
- Allied Telesis has noted that the AT-RG634A product is no longer supported, but gives a workaround to mitigate the issue. Configure the device so that only trusted devices can access the target device, using the following command:
  WEBSERVER SET MANAGEMENTIP <ip-address>

*Short Description:*
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL page in its administrative HTTP interface capable of executing commands as admin without requiring any kind of authentication.

*Description:*
"The AT-RG634 is a full-featured, broadband media gateway and router designed for cost-effective delivery of advanced IP Triple Play voice, video and data services over an ADSL infrastructure. The RG634 supports Layer 3 functions, including NAT, DMZ, and Stateful inspection firewall for delivery of revenue-generating services such as home networking and security services." (from www.alliedtelesis.com/p-2345.html)

The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL (/cli.html) page to execute CLI commands with admin privileges, available by default and without any kind of authentication. The impact is a total compromise of the target device.
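As an added example, not part of the advisory, a small Python log check from the defender's side: it flags every request to the hidden /cli.html page in web-server access logs and rates hits from outside the trusted management network, the set the vendor's WEBSERVER SET MANAGEMENTIP workaround is meant to restrict, as high severity. The Common Log Format, the sample lines and the trusted network are constructed assumptions; the router's own log format is not documented here.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample CLF access-log lines; not from the advisory or a real device.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Mar/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.77 - - [12/Mar/2014:10:00:05 +0000] "GET /cli.html HTTP/1.1" 200 512
10.0.0.77 - - [12/Mar/2014:10:00:09 +0000] "POST /cli.html?x=1 HTTP/1.1" 200 640
192.168.1.10 - - [12/Mar/2014:10:01:00 +0000] "GET /cli.html HTTP/1.1" 200 512
"""

# Hosts allowed to reach management, mirroring the vendor's
# "WEBSERVER SET MANAGEMENTIP" workaround (hypothetical network).
TRUSTED_MANAGEMENT = [ip_network("192.168.1.0/24")]
HIDDEN_PATH = "/cli.html"  # unauthenticated CLI page named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def is_trusted(ip, trusted):
    try:
        return any(ip_address(ip) in net for net in trusted)
    except ValueError:  # malformed address: never trusted
        return False

def find_cli_access(log_text, trusted=TRUSTED_MANAGEMENT):
    """Alert on every request to /cli.html: "high" from a non-management host,
    "medium" from a trusted one (the page should never be used, so review both)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != HIDDEN_PATH:
            continue
        alerts.append({
            "ip": rec["ip"], "method": rec["method"], "time": rec["ts"],
            "status": int(rec["status"]),
            "severity": "medium" if is_trusted(rec["ip"], trusted) else "high",
        })
    return alerts
```

Feed the output to whatever alerting you already have; a status 200 on /cli.html from a non-management address is the case worth treating as an incident.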
*Steps to reproduce:*
- Connect via HTTP to the hidden page http://<device IP>/cli.html. An input box is shown; every command typed there will be executed as admin.
- Entering the following lines in the hidden page (/cli.html) adds a new telnet admin user called "eviluser" to the system:
  >> system add login eviluser
  >> system set user eviluser access superuser

*Credits:*
This security issue was discovered and researched by Sebastian Muniz (topo), Security Researcher of Groundworks Technologies (http://www.groundworkstech.com)

*License:*
The contents of this advisory are copyright (c) 2014 Groundworks Technologies, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/