Lucene search

Talos IntelligenceTALOS-2023-1871

HistoryJul 08, 2024 - 12:00 a.m.

LevelOne WBR-6013 telnetd hard-coded password vulnerability

2024-07-0800:00:00

Talos Intelligence

www.talosintelligence.com

levelone

wbr-6013

telnetd

hard-coded password

vulnerability

arbitrary command execution

soho wireless router

weak credentials

arbitrary command execution

vendor disclosure

public release

cisco talos

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

39.3%

JSON

Talos Vulnerability Report

TALOS-2023-1871

LevelOne WBR-6013 telnetd hard-coded password vulnerability

July 8, 2024

CVE Number

CVE-2023-46685

SUMMARY

A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623

PRODUCT URLS

WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103>

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-259 - Use of Hard-coded Password

DETAILS

The WBR-6013 is a SOHO wireless router produced by LevelOne.

The WBR-6013 has a telnetd service that listens for connections. In the WBR-6013’s documentation, telnetd is not mentioned and the credentials for login are not mentioned either.

The file /etc/passwd_orig is going to be used as /etc/passwd file. This file also contains the hash of the users’ passwords:

root:&lt;redacted&gt;:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
admin:&lt;redacted&gt;:1000:1000:Linux User,,,:/home/admin:/bin/sh

The credentials for obtaining root in the WBR-6013 device, through telnet, are weak and hardcoded. An attacker could use these hard-coded credentials for obtaining complete control over the device.

Exploit Proof of Concept

It is possible to connect to the telnetd service and obtain root by providing the hard-coded root’s password.

# telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

rlx-linux login: root
Password: 
RLX Linux version 2.0
        _           _  _
        | |         | ||_|                 
_  _ | | _  _    | | _ ____  _   _  _  _ 
| |/ || |\ \/ /   | || |  _ \| | | |\ \/ /
| |_/ | |/    \   | || | | | | |_| |/    \
|_|   |_|\_/\_/   |_||_|_| |_|\____|\_/\_/

For further information check:
http://processor.realtek.com/
# ls /
bin   etc   init  mnt   root  sys   usr   web
dev   home  lib   proc  sbin  tmp   var

VENDOR RESPONSE

LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

Vulnerability Reports Next Report

TALOS-2023-1874

Previous Report

TALOS-2023-1784

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

39.3%

JSON

Related for TALOS-2023-1871