COMTREND CT-536/HG-536+ XSS / Denial Of Service

30 Dec 2008 | Reported by Daniel Fernandez Bleda | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in the COMTREND CT-536/HG-536+ router: cross-site scripting, denial of service and missing access control in the micro_httpd configuration server, caused by improper input validation. A crash of the router can reset it to its default configuration (default passwords, open wireless network).


Code
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2007-002  
- Original release date: 31st January, 2007  
- Last revised: 22nd December, 2008  
- Discovered by: Daniel Fernandez Bleda  
- Severity: 5/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+  
  
II. BACKGROUND  
-------------------------  
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area  
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet and single USB  
ports provide wired LAN connectivity with an integrated 802.11g WiFi  
WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL  
router provides state of the art security features such as WPA data  
encryption; Firewall, VPN pass through.  
  
III. DESCRIPTION  
-------------------------  
Improper input validation in the micro_httpd server permits multiple  
attacks through this stateless server. Access control is also  
deficient: the server does not enforce it at all. Credentials are sent  
in clear text, so the low-privilege "user" account can obtain them easily.  
  
Some fields and data are not filtered, so XSS attacks and buffer  
overflows can DoS the httpd configuration server. In some cases the  
effect is not limited to HTTP: the router needs a reboot, loses its  
configuration and resets to default values. This means default  
passwords, an open wireless network, etc.  
  
IV. PROOF OF CONCEPT  
-------------------------  
1. User "user" (the least privileged account, with read-only and  
limited access to the configuration) can request a resource it is not  
allowed to see and the server returns the page anyway. This includes  
the password change resource:  
  
http://192.168.0.1/password.html  
  
2. The router sends the three users' passwords in clear text inside  
the HTML, to allow a quick client-side check during the password change.  
  
3. Some fields in the configuration description options are  
vulnerable to Cross Site Scripting attacks due to improper validation:  
  
http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1  
  
4. Some resources (e.g. the NAT table) are vulnerable to buffer  
overflow attacks through their description fields, which seems to kill  
the micro_httpd server although the router continues routing. Similar  
behaviour is seen when requesting URLs that contain %13 and %10  
characters, which do not match micro_httpd's checks for "..", "../"  
and "/../".  
  
5. User "user" gets "admin" privileges when connecting through the  
TELNET service.  
  
6. User "support" does not seem to exist at all.  
  
7. The SSH service cannot replace TELNET or HTTP, because it does not  
seem to exist on the router at all!  
  
V. BUSINESS IMPACT  
-------------------------  
DoS of the web configuration interface, although the router continues  
routing.  
DoS of the router, causing a reset of its configuration, which brings  
up the wireless interface (enabled by default) without any protection  
and makes it possible to access the router or the network.  
Reset of the router configuration.  
Access with "admin" (privileged) permissions for user "user".  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Firmware up to and including version A101-302JAZ-C01_R05 (current)  
  
VII. SOLUTION  
-------------------------  
Change the router.  
  
VIII. REFERENCES  
-------------------------  
http://www.comtrend.com  
http://www.acme.com/software/micro_httpd/  
http://www.jazztel.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by  
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
January 30, 2007: Initial release  
April 18, 2007: First contact with the vendor. Minor corrections.  
November 09, 2007: Some corrections applied.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
January 30, 2007: Vulnerability acquired by  
Internet Security Auditors  
April 18, 2007: Initial vendor notification sent. No response.  
May 01, 2007: Second vendor notification.  
Response: will be studied.  
May 22, 2007: Third vendor contact. Reported to their vendor for  
analysis.  
August 07, 2007: Fourth vendor contact. The problem seems not easy to  
correct; the R&D department is studying a  
solution.  
November 09, 2007: Fifth Vendor contact. No response.  
November 19, 2007: Sixth Vendor contact. No response.  
December 07, 2007: Seventh Vendor contact. Chipset vendor is working.  
November 11, 2008: Last vendor contact. No response.  
December 22, 2008: Published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
`
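Added illustration for PoC item 3 (this is editor-written example code, not part of the advisory and not COMTREND's or micro_httpd's code): a Python model of how the `srvName` parameter in the PoC URL reaches the configuration page. `render_vulnerable` reflects the field unencoded, which is the behaviour the advisory reports; `render_hardened` shows the usual fix of validating the field against an allow-list and encoding it on output. The function names, the allow-list pattern and the table markup are assumptions chosen for the illustration.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the exact PoC URL from item 3 of the advisory.
POC_URL = (
    "http://192.168.0.1/scvrtsrv.cmd?action=add"
    "&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E"
    "&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1"
)

# Assumed policy for a virtual-server name: printable, no HTML metacharacters.
SRV_NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,32}")


def parse_params(url):
    """Percent-decode the query string into a flat dict (first value wins)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Reflects the fields into the page with no encoding (the flaw the advisory describes)."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (params["srvName"], params["srvAddr"])


def escape_field(value):
    """Output encoding suitable for HTML body text and quoted attribute values."""
    return html.escape(value, quote=True)


def render_hardened(params):
    """Validate each attacker-controlled field first, then encode it on output."""
    name = params.get("srvName", "")
    if not SRV_NAME_RE.fullmatch(name):
        raise ValueError("srvName rejected by allow-list")
    # ipaddress.ip_address raises ValueError on anything that is not a literal IP.
    addr = str(ipaddress.ip_address(params.get("srvAddr", "")))
    # Encode even allow-listed values: the allow-list may be loosened later.
    return "<tr><td>%s</td><td>%s</td></tr>" % (escape_field(name), escape_field(addr))


if __name__ == "__main__":
    params = parse_params(POC_URL)
    print("vulnerable:", render_vulnerable(params))
    try:
        render_hardened(params)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened:", render_hardened({"srvName": "web server", "srvAddr": "192.168.1.1"}))
```

The allow-list rejects the PoC outright; the `escape_field` call is kept regardless, so that a later relaxation of the pattern cannot silently reintroduce the injection.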
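Added illustration for PoC item 4 (editor-written example code, not part of the advisory and not micro_httpd's own code): a Python comparison of a traversal check run on the raw, still percent-encoded request path against a resolver that decodes first, rejects control characters such as the %10 and %13 bytes the advisory mentions, and only then verifies that the joined path stays under the document root. It generalises beyond the advisory's specific bytes to the decode-before-check ordering in general, using `%2e` as the encoded form of `.`. The function names and the `/www` document root are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the embedded web server (illustration only).
DOCROOT = "/www"


def naive_is_safe(raw_path):
    """Pattern check applied to the request path BEFORE percent-decoding.
    Models the kind of check that encoded or padded requests can slip past."""
    return not (
        raw_path == ".."
        or raw_path.startswith("../")
        or "/../" in raw_path
        or raw_path.endswith("/..")
    )


def resolve_hardened(raw_path):
    """Decode first, reject bytes the server has no business serving,
    then prove the joined path is still inside DOCROOT."""
    path = unquote(raw_path)
    if "%" in path:
        # A '%' surviving one decode means double-encoding; refuse rather than guess.
        raise ValueError("double-encoded path")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        # %10 (DLE) and %13 (DC3) from the advisory both land here.
        raise ValueError("control character in path")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    # Join BEFORE normalising, so leading '..' components cannot be dropped early.
    full = posixpath.normpath(DOCROOT + path)
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        raise ValueError("path escapes document root")
    return full


if __name__ == "__main__":
    samples = (
        "/password.html",
        "/../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/page%10.html",
        "/page%13.html",
    )
    for raw in samples:
        try:
            print("%-28s naive=%-5s hardened=%s" % (raw, naive_is_safe(raw), resolve_hardened(raw)))
        except ValueError as exc:
            print("%-28s naive=%-5s hardened=REJECT (%s)" % (raw, naive_is_safe(raw), exc))
```

Note the order in `resolve_hardened`: normalising the decoded path on its own and then prefixing `DOCROOT` would silently discard leading `..` segments and accept `/../../etc/passwd`; joining first makes `normpath` expose the escape.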
