Multilaser RE160 Cookie Manipulation Access Bypass

`=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======  
  
Access Control Bypass in Multilaser router's Web Management Interface  
  
Author: Vinicius Moraes < vinicius.moraes.w () gmail com >  
  
=====[Table of  
Contents]========================================================  
  
1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References  
  
=====[1.  
Overview]==============================================================  
  
* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
-  
V5.07.52_pt_MTL01(verified)  
(other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
the router's web interface and perform management actions, such as  
changing the DNS settings, enabling router remote access,  
changing the  
IP routing table, and retrieving the WiFi and management  
application  
passwords. A noteworthy aspect also regards the fact that the  
attack  
can be conducted remotely.  
  
=====[2. Detailed  
description]==================================================  
  
The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.  
  
In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:  
  
[snippet]  
  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123  
  
[/snippet]  
  
By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.  
  
This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).  
  
=====[3. Other contexts &  
solutions]============================================  
  
Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.  
  
Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].  
  
Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].  
  
=====[4.  
Acknowledgements]======================================================  
  
Joaquim Brasil de Oliveira < palulabrasil () gmail com >  
< twitter.com/palulabr >  
Tempest Security Intelligence[2]  
  
=====[5.  
Timeline]==============================================================  
  
28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.  
  
=====[6.  
References]============================================================  
  
[1] https://curl.se  
[2] https://tempest.com.br  
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
[4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
[5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  
`