lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 11:14:35 +0900
From: Pierre Kim <>
Subject: 112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable with
 RCE with root privileges

Hash: SHA512

## Advisory Information

Title: 112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable
with RCE with root privileges
Advisory URL:
Date published: 2015-04-17
Vendors contacted: KrCERT, ipTIME
Release mode: Released
CVE: no current CVE

## Product Description

EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle
entreprise Routers/WiFi APs/Modems/Firewalls in South Korea
with millions of devices deployed in the country. EFMNetworks ipTIME
is occupying more than 60 percent of personal network devices.
There are =~ 10 000 000 of ipTIME devices deployed in South Korea.

## Vulnerability Summary

This vulnerability allows to bypass the admin authentication and to
get a direct RCE as root from the LAN side with a single HTTP request.

This is a direct RCE against the Routers/WiFi APs/Modems/Firewalls
which gives a complete root access to the embedded Linux from the LAN
The exploit doesn't work by default from the WAN (no HTTP or UPNP
access from the WAN by default unless activated).
If enabled on the WAN, the remote admin interface exposes the devices
to this vulnerability.

It affects 112 ipTIME products from 2009-era firmwares to the 9.52
firmware (built time 2015-03-23)) with the default configuration:

  - ipTIME A5004NS
  - ipTIME A3004NS
  - ipTIME A3004
  - ipTIME A2004NS
  - ipTIME A2004NSplus
  - ipTIME A2004
  - ipTIME A2004plus
  - ipTIME A2008
  - ipTIME A1004
  - ipTIME A1004V
  - ipTIME A104
  - ipTIME A104NS
  - ipTIME N6004R
  - ipTIME N8004R
  - ipTIME N8004V
  - ipTIME N8004
  - ipTIME N804A3
  - ipTIME N804T3
  - ipTIME N904
  - ipTIME N904plus
  - ipTIME N904V
  - ipTIME N904Vplus
  - ipTIME N704V3
  - ipTIME N704BCM
  - ipTIME N704A3
  - ipTIME N604S
  - ipTIME N604A
  - ipTIME N104S-r1
  - ipTIME Smart
  - ipTIME N904NS
  - ipTIME N704NS
  - ipTIME N604T
  - ipTIME N604Tplus
  - ipTIME N7004NS
  - ipTIME N104V
  - ipTIME N604V
  - ipTIME N604Vplus
  - ipTIME N604R
  - ipTIME N604Rplus
  - ipTIME N604plus
  - ipTIME N104R
  - ipTIME N104Q
  - ipTIME N104plus
  - ipTIME N104K
  - ipTIME N5
  - ipTIME N2plus
  - ipTIME N1plus
  - ipTIME N1E
  - ipTIME N804V
  - ipTIME N804T
  - ipTIME N804A
  - ipTIME N804
  - ipTIME N2E
  - ipTIME N2Eplus
  - ipTIME N104A
  - ipTIME N104S
  - ipTIME N104i
  - ipTIME N1
  - ipTIME N104
  - ipTIME N104M
  - ipTIME N504
  - ipTIME N604i
  - ipTIME N604M
  - ipTIME N608
  - ipTIME N704
  - ipTIME N704A
  - ipTIME N704M
  - ipTIME N704S
  - ipTIME N704V
  - ipTIME N3004
  - ipTIME N5004
  - ipTIME N6004
  - ipTIME N6004M
  - ipTIME N104T
  - ipTIME N5-r1
  - ipTIME N104-r3
  - ipTIME WR-E1
  - ipTIME Mini
  - ipTIME MobileAP1
  - ipTIME Multi
  - ipTIME Extender2
  - ipTIME G1
  - ipTIME G104
  - ipTIME G104BE
  - ipTIME G104M
  - ipTIME G204
  - ipTIME G304
  - ipTIME G504
  - ipTIME G504
  - ipTIME G104i
  - ipTIME G104A
  - ipTIME Q604
  - ipTIME V304
  - ipTIME T3004
  - ipTIME T3008
  - ipTIME T16000
  - ipTIME T24000
  - ipTIME Q1
  - ipTIME Q104
  - ipTIME Q204
  - ipTIME Q304
  - ipTIME Q504
  - ipTIME V104
  - ipTIME V108
  - ipTIME V308
  - ipTIME V116
  - ipTIME V124
  - ipTIME V1024
  - ipTIME V1016
  - ipTIME T1004
  - ipTIME T1008
  - ipTIME X3003
  - ipTIME X3007
  - ipTIME X5007
  - ipTIME X6003

Concerning the high CVSS score (10/10) of the vulnerability, the
number of affected devices and the longevity of this vulnerability (6+
year old), we urge users to apply the new 9.58 firmware.

## Details

The HTTP server allows the attacker to execute some CGI files.

Many of them are vulnerable to a command inclusion which allows to
execute commands with the http daemon user rights (root).

root@...i:~/iptime# ./iptime.carnage cat /var/run/hwinfo
company_name=EFM Networks
product_name=ipTIME N604V
root@...i:~/iptime# ./iptime.carnage cat /home/http/build_date
Mon Mar 23 14:54:50 KST 2015

Considering the huge potential impact against the South Korea
networks, we are not currently planning to release working exploits.

The exploits will be posted on my blog located at

## Vendor Response

The vendor has released a new firmware version (9.58) for 112 devices:

## Report Timeline

 * Jun 01, 2014: Vulnerability found by Pierre Kim and Alexandre Torres.
 * Mar 24, 2015: Vulnerability confirmed on all the existing versions
from 2009 to 2015 including the last firmware version.
 * Apr 07, 2015: KRCERT is notified of the vulnerability using the
FIRST dedicated email.
 * Apr 08, 2015: Pierre Kim tries to contact KRCERT using : this form doesn't work
(nor <form>, nor JS for form-submission).
 * Apr 08, 2015: Vendor is contacted ( to provide
a valid GPG key.
 * Apr 08, 2015: Email sent to is bounced.
 * Apr 08, 2015: Vendor is contacted ( for a GPG key.
 * Apr 09, 2015: KRCERT is contacted ( - support
email) for a GPG key.
 * Apr 09, 2015: is contacted.
 * Apr 09, 2015: KISA is contacted for a GPG key at  400 Bad Request or
alert box saying the message was malformed.
 * Apr 09, 2015: KISA is contacted using Twitter
 * Apr 09, 2015: FIRST KRCERT answered asking for information about
the vulnerabilites and agreed to contact ipTIME to develop a security
patch as soon as possible.
 * Apr 09, 2015: 2 POCs are sent to FIRST KRCERT by email.
 * Apr 13, 2015: FIRST KRCERT confirms the POCs work and said they
can't assign CVE. They ask a 90 days disclosure policy to allow ipTIME
to work on this issue and asks if we can disclose the vulnerabilities
details after a patch is released.
 * Apr 13, 2015: MITRE is contacted asking for a CVE number.
 * Apr 13, 2015: FIRST KRCERT is contacted : we agree on the 90 days
vulnerability disclosure policy. We ask which models are vulnerable.
 * Apr 14, 2015: replies with one vulnerable model.
The vulnerability information is sent to ipTIME and we have to use as a contact address now.
 * Apr 15, 2015: is contacted for a GPG key
concerning other vulnerabilities found in ipTIME products.
 * Apr 16, 2015: Vendor releases 112 new firmwares.
 * Apr 16, 2015: is contacted to know if this new
firmware fixes the vulnerabilities we reported. The vendor advisory
specifies only "User Interface-related security" in Korean (thank you
Google Translate).
 * Apr 16, 2015: From our tests, the vulnerabilities have been fixed.
 * Apr 17, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Alexandre Torres and Pierre Kim (@PierreKimSec).

## Greetings

Big thanks to my friend working at YongSan, specialized in server
hardware and alcohol, which gave me for free an ipTIME X3003 which
resulted this complete pownage.

## References

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License:

Version: GnuPG v1


Powered by blists - more mailing lists