PACKETSTORM:142801 (packetstorm, Eric Sesterhenn), Jun 05, 2017 - 12:00 a.m.

Peplink 7.0.0-build1904 XSS / CSRF / SQL Injection / File Deletion

2017-06-05 00:00:00  
Eric Sesterhenn  
packetstormsecurity.com  

EPSS: 0.015 (Low), percentile 85.2%

X41 D-Sec GmbH Security Advisory: X41-2017-005  
  
Multiple Vulnerabilities in peplink balance routers  
===================================================  
  
Overview  
--------  
Confirmed Affected Versions: 7.0.0-build1904  
Confirmed Patched Versions:  
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin  
Vulnerable Firmware:  
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin  
Models: Balance Routers 305, 380, 580, 710, 1350, 2500  
Vendor: Peplink  
Vendor URL: https://www.peplink.com/  
Vector: Network  
Credit: X41 D-Sec GmbH, Eric Sesterhenn  
Additional Credits: Claus Overbeck (Abovo IT)  
Status: Public  
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/  
  
  
Summary and Impact  
------------------  
Several issues have been identified that allow attackers to access the  
administrative web interface with admin credentials, delete files, and  
perform CSRF and XSS attacks.  
  
  
Product Description  
-------------------  
From the vendor webpage:  
Use Load Balancing and SpeedFusion bandwidth bonding to deliver  
superfast VoIP, video streaming, and data using an SD-WAN enabled  
network. Even with a basic Balance 20 dual-WAN router, you can mix  
different transport technologies and providers to keep your network up  
when individual links go down. Switching between links is automatic and  
seamless.  
  
  
  
SQL Injection via bauth Cookie  
==============================  
Severity Rating: Critical  
Vector: Network  
CVE: CVE-2017-8835  
CWE: 89  
CVSS Score: 9.8  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
  
Summary and Impact  
------------------  
Peplink devices are vulnerable to an SQL injection attack via the bauth  
cookie, which is set, for example, when accessing  
https://ip/cgi-bin/MANGA/admin.cgi.  
  
The injection can be checked with the following command:  
  
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"  
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"  
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ  
--flush-session -t trace.log --prefix "'" --suffix "--" -a  
  
The vulnerability allows access to the SQLite session database, which  
contains user and session variables. By using the following cookie value  
in a web request, it is possible to select a running administrator  
session and use it for the attacker's login.  
  
bauth=-12' or id IN (select s.id from sessions as s left join  
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')  
or '1'='2  
  
By crafting specialised SQL queries, it is possible to retrieve usernames  
from the database. This works as an oracle: a valid session is returned  
if a username matching the condition exists, and no session otherwise. In  
the first case the server does not set a new session cookie in the  
response to the request.  
  
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id  
from sessions as s left join sessionsvariables as v on v.id=s.id where  
v.name='username' and substr(v.value,1,3)='adm')  
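The following is an added illustration, not part of the advisory and not Peplink's code. It models the session store with the table and column names quoted above (sessions, sessionid, sessionsvariables, name, value, rwa, username), uses the cookie value quoted above verbatim, and contrasts a lookup that splices the cookie into the query text with the same lookup using a bound parameter. Row contents, the lookup functions and the session-token format check are assumptions made for the example.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the device's session database. Table and
# column names are the ones quoted in the advisory; the rows are invented.
SCHEMA = """
CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT NOT NULL);
CREATE TABLE sessionsvariables (id INTEGER NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL);
"""
SAMPLE_SESSIONS = [(1, "SESSIONADMINEXAMPLE0001"), (2, "SESSIONGUESTEXAMPLE0002")]
SAMPLE_VARIABLES = [
    (1, "username", "admin"), (1, "rwa", "1"),   # read-write admin session
    (2, "username", "guest"), (2, "rwa", "0"),   # read-only session
]

# The cookie value from the advisory, reproduced verbatim.
ADMIN_SESSION_PAYLOAD = (
    "-12' or id IN (select s.id from sessions as s left join "
    "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') "
    "or '1'='2"
)

# Assumed token alphabet, modelled on the sample bauth cookie in the advisory
# (53 alphanumeric characters). Useful as an input allow-list and as a
# log-review filter: any bauth value that fails it is not a session token.
SESSION_TOKEN_RE = re.compile(r"[A-Za-z0-9]{20,128}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO sessionsvariables VALUES (?, ?, ?)", SAMPLE_VARIABLES)
    return conn


def lookup_session_vulnerable(conn, bauth):
    """Cookie spliced into the query text, the pattern the reconstructed SELECT
    in the advisory shows. The closing quote the template appends is what turns
    the payload's trailing "or '1'='2" into a well-formed predicate."""
    sql = "SELECT id FROM sessions WHERE sessionid = '" + bauth + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_session_safe(conn, bauth):
    """Same lookup with a bound parameter: the entire cookie value is compared
    as one string, so the injected SQL never reaches the parser."""
    rows = conn.execute("SELECT id FROM sessions WHERE sessionid = ?", (bauth,))
    return [row[0] for row in rows]


def session_is_admin(conn, session_id):
    row = conn.execute(
        "SELECT value FROM sessionsvariables WHERE id = ? AND name = 'rwa'",
        (session_id,),
    ).fetchone()
    return row is not None and row[0] == "1"


def bauth_is_wellformed(bauth):
    return SESSION_TOKEN_RE.fullmatch(bauth) is not None


if __name__ == "__main__":
    db = make_db()
    hijacked = lookup_session_vulnerable(db, ADMIN_SESSION_PAYLOAD)
    print("string-built query returned session ids:", hijacked,
          "admin:", [session_is_admin(db, i) for i in hijacked])
    print("parameterised query returned:", lookup_session_safe(db, ADMIN_SESSION_PAYLOAD))
    print("payload passes token format check:", bauth_is_wellformed(ADMIN_SESSION_PAYLOAD))
```

The string-built query hands back the admin session (id 1) for a cookie that never existed, while the parameterised query returns nothing; the format check shows that a strict token allow-list would have rejected the value before it reached the database, and the same pattern applied to access logs flags the attempt.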
  
  
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
No CSRF Protection  
==================  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8836  
CWE: 352  
CVSS Score: 5.4  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N  
  
Summary and Impact  
------------------  
The CGI scripts in the administrative interface are not protected  
against cross-site request forgery (CSRF) attacks. This allows an  
attacker to execute commands if a logged-in user visits a malicious  
website; it can, for example, be used to change the credentials of the  
administrative web interface.  
  
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
  
Passwords stored in Cleartext  
=============================  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8837  
CWE: 256  
CVSS Score: 4.0  
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  
  
Summary and Impact  
------------------  
The Peplink devices store passwords in cleartext in the files  
/etc/waipass and /etc/roapass. If one of these devices is compromised,  
the attacker can obtain the cleartext passwords and reuse them to  
compromise further systems.  
  
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
  
XSS via syncid Parameter  
========================  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8838  
CWE: 80  
CVSS Score: 5.4  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N  
  
Summary and Impact  
------------------  
If the web interface is accessible, it is possible to abuse the syncid  
parameter to trigger a cross-site scripting issue by calling  
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E  
  
This executes the JavaScript in the victim's browser, which can be abused  
to steal session cookies.  
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
  
XSS via preview.cgi  
===================  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8839  
CWE: 80  
CVSS Score: 5.4  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N  
  
Summary and Impact  
------------------  
If the web interface is accessible, it is possible to abuse the  
orig_url parameter to trigger a cross-site scripting issue in  
/guest/preview.cgi. The injection lands directly inside existing JavaScript.  
  
This executes the JavaScript in the victim's browser, which can be abused  
to steal session cookies.  
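The two XSS findings above differ in output context: hasync.cgi reflects syncid into the HTML body, while preview.cgi places orig_url inside existing JavaScript. The following added example, which is not part of the advisory and not Peplink's code, shows a raw reflection next to the context-appropriate encoding for each case. The syncid value is the URL-decoded one from the proof-of-concept URL above; the orig_url value, both render functions and the digits-only syncid rule are constructed assumptions for the example.

```python
import html
import json

# Constructed sample values. SYNCID_PAYLOAD is the URL-decoded syncid from the
# advisory's URL; ORIG_URL_PAYLOAD is an assumed value of the shape that matters
# in a JavaScript-string context (the advisory does not give one).
SYNCID_PAYLOAD = "123<script>alert(1)</script>"
ORIG_URL_PAYLOAD = "</script><script>alert(1)</script>"


# --- HTML text context (hasync.cgi debug output) ---------------------------

def render_syncid_vulnerable(syncid):
    # Raw reflection into the page body.
    return "Submitted syncid = [ " + syncid + " ]"


def render_syncid_safe(syncid):
    # Entity-encode for HTML text: the browser displays the characters rather
    # than parsing them as markup.
    return "Submitted syncid = [ " + html.escape(syncid, quote=True) + " ]"


def syncid_is_valid(syncid):
    # Stricter still: treat the field as an identifier and reject anything that
    # is not a short decimal number before it reaches any template (assumed
    # format, based on the sample value 123 in the advisory).
    return syncid.isdigit() and len(syncid) <= 20


# --- JavaScript string context (preview.cgi orig_url) ----------------------

def render_orig_url_vulnerable(orig_url):
    # Value spliced into script source: a quote or a </script> sequence in the
    # value rewrites the program, the failure mode the advisory describes.
    return "<script>var origUrl = '" + orig_url + "';</script>"


def render_orig_url_safe(orig_url):
    # JSON-encode so the value is always one string literal (json.dumps escapes
    # quotes, backslashes and, with ensure_ascii, U+2028/U+2029), then escape
    # the characters the HTML parser would still act on inside <script>.
    # html.escape would be wrong here: entities are not decoded in script text.
    literal = json.dumps(orig_url)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "<script>var origUrl = " + literal + ";</script>"


def script_element_intact(page):
    # One opening and one closing tag means the embedded value could not end
    # the script element early.
    return page.count("<script>") == 1 and page.count("</script>") == 1


if __name__ == "__main__":
    print(render_syncid_vulnerable(SYNCID_PAYLOAD))
    print(render_syncid_safe(SYNCID_PAYLOAD))
    print(render_orig_url_vulnerable(ORIG_URL_PAYLOAD),
          "intact:", script_element_intact(render_orig_url_vulnerable(ORIG_URL_PAYLOAD)))
    print(render_orig_url_safe(ORIG_URL_PAYLOAD),
          "intact:", script_element_intact(render_orig_url_safe(ORIG_URL_PAYLOAD)))
```

The point of the two safe renderers is that the encoding must match the sink: HTML entity encoding neutralises the syncid reflection, but the same treatment inside a script block does nothing, so the JavaScript context needs a string-literal encoding with `<`, `>` and `&` escaped as well.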
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
File Deletion  
=============  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8841  
CWE: 73  
CVSS Score: 6.5  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H  
  
Summary and Impact  
------------------  
A logged-in user can delete arbitrary files on the Peplink devices by  
abusing /cgi-bin/MANGA/firmware_process.cgi. When an absolute path is  
supplied in the upfile.path parameter, the file at that path is deleted  
during processing. This can be abused to cause a denial of service  
(DoS). In combination with the missing CSRF protection, it can also be  
triggered remotely through a logged-in user.  
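As an added example, not part of the advisory and not Peplink's code, the following models the clean-up step described above: a firmware upload handler that removes the staged file after processing. It contrasts path construction that honours an absolute client-supplied value with one that only accepts a plain file name confined to the staging directory. The staging directory, the helper functions and the demo files are constructed assumptions; only the parameter name upfile.path comes from the advisory.

```python
import os
import tempfile
from pathlib import Path

# Assumed staging directory for firmware uploads (illustration only).
UPLOAD_DIR = "/tmp/fw-upload-staging"


def resolve_upload_vulnerable(upload_dir, upfile_path):
    # os.path.join discards every preceding component when the last one is
    # absolute, so a client-supplied "/etc/passwd" replaces the staging
    # directory entirely. Reproduced here only to contrast with the check below.
    return os.path.join(upload_dir, upfile_path)


def resolve_upload_safe(upload_dir, upfile_path):
    """Return the staged file's path, or None unless the client value is a
    plain file name that lives directly inside the staging directory."""
    if not upfile_path or os.path.isabs(upfile_path):
        return None                       # absolute path: the trigger the advisory names
    if os.path.basename(upfile_path) != upfile_path or upfile_path in (".", ".."):
        return None                       # separators or traversal components
    base = Path(upload_dir).resolve()
    candidate = base / upfile_path
    # resolve() follows symlinks, so a link planted in the staging directory
    # cannot redirect the delete elsewhere without failing this check.
    if candidate.resolve().parent != base:
        return None
    return str(candidate)


def cleanup_upload(upload_dir, upfile_path):
    """Delete the staged upload only when the path passes the checks above."""
    target = resolve_upload_safe(upload_dir, upfile_path)
    if target is None:
        return False
    try:
        os.remove(target)
    except FileNotFoundError:
        return False
    return True


def demo():
    """Run the checks against constructed files in a throw-away directory and
    return each outcome, so the result can be inspected without side effects."""
    with tempfile.TemporaryDirectory() as root:
        staging = Path(root) / "staging"
        staging.mkdir()
        staged = staging / "fw-upload.bin"
        staged.write_bytes(b"constructed firmware image")
        victim = Path(root) / "important.conf"          # a file outside staging
        victim.write_text("constructed config file")
        return {
            "absolute_rejected": cleanup_upload(str(staging), str(victim)) is False and victim.exists(),
            "traversal_rejected": cleanup_upload(str(staging), "../important.conf") is False and victim.exists(),
            "staged_removed": cleanup_upload(str(staging), "fw-upload.bin") is True and not staged.exists(),
            "vulnerable_targets_victim": resolve_upload_vulnerable(str(staging), str(victim)) == str(victim),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The handler never needs a client-controlled directory component: the server chose where the upload was staged, so the only thing worth accepting from the request is a bare file name, and even that is re-checked after symlink resolution before anything is removed.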
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
  
Information Disclosure  
======================  
Severity Rating: Medium  
Vector: Network  
CVE: CVE-2017-8840  
CWE: 200  
CVSS Score: 5.3  
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  
  
Summary and Impact  
------------------  
If the web interface is accessible, it is possible to retrieve sensitive  
information without a valid login by opening  
cgi-bin/HASync/hasync.cgi?debug=1  
  
This displays the following:  
  
-----8<------------------------------------------------  
Master LAN Address = [ <internal ip> / <netmask> ]  
Serial Number = [ <serial number> ]  
HA Group ID = [ <group id> ]  
Virtual IP = [ <internal ip> / <netmask> ]  
Submitted syncid = [ <syncid> ]  
-----8<------------------------------------------------  
  
This information can be valuable for an attacker to exploit other issues.  
  
Workarounds  
-----------  
Install vendor supplied update.  
  
  
  
  
About X41 D-Sec GmbH  
--------------------  
X41 D-Sec is a provider of application security services. We focus on  
application code reviews, design review and security testing. X41 D-Sec  
GmbH was founded in 2015 by Markus Vervier. We support customers in  
various industries such as finance, software development and public  
institutions.  
  
Timeline  
--------  
2017-04-07 Issue found  
2017-04-10 Vendor asked for security contact  
2017-04-11 Vendor replied, sent GPG key  
2017-04-11 Information supplied to vendor  
2017-04-11 Vendor acknowledges that the information is received  
2017-04-17 Vendor acknowledges SQL injection  
2017-05-08 CVE IDs for all issues requested  
2017-05-08 CVE IDs assigned  
2017-05-11 Vendor informed about CVE IDs  
2017-05-29 Version provided to X41 for testing  
2017-05-31 First test results sent back to the vendor  
2017-06-01 Remaining test results sent back to the vendor  
2017-06-05 Coordinated Firmware and Advisory release  
  
--   
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen  
T: +49 241 9809418-0, Fax: -9  
Registered office: Aachen, Aachen District Court: HRB19989  
Managing Director: Markus Vervier  
  