lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAnZqX_4GxHbXAhst7iBg6X=VmKo0MNajSTMZ6-yum_-qb12cA@mail.gmail.com>
Date: Wed, 3 Jan 2018 08:38:41 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities

SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities

Full report: https://blogs.securiteam.com/index.php/archives/3585
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes four (4) vulnerabilities found in Livebox
Fibra router version AR_LBFIBRA\_sp-00.03.04.112S. It is possible to chain
the vulnerabilities into remote code execution.

The “Livebox Fibra” router is “manufactured by Arcadyan for Orange and
Jazztel in Spain”

The vulnerabilities found in Arcadyan routers are:

Unauthenticated configuration information leak
Hard-coded credentials
Memory leak
Stack buffer Overflow

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Arcadyan and Orange were informed of the vulnerabilities and patched them.

Vulnerabilities details
Unauthenticated configuration information leak and weak usage of default
users

The “Livebox Fibra” router web server does not properly filter GET request,
an unauthenticated user can send the following GET request and get the
configuration file from the router:

===

`http://IP/cgi/cgi_network_connected.js`

===

The router uses an insecure way to get the configuration variables, it
loads JavaScript files dinamically that set JS variables with the router
configuration information.

Hard-coded credentials
Default users that can be used to log in in the router’s website is:
ApiUsr, with the password ApiUsrPass and orangecare with password orange.

Memory leak
The router’s web server allows to configure multiple configuration
variables.

In order to configure one of those variables, it makes a POST request like
the following:

===

```

POST /apply.cgi HTTP/1.1

Host: 192.168.1.1

Accept-Encoding: gzip, deflate

Connection: keep-alive

Proxy-Connection: keep-alive

Accept: */*

User-Agent: A

Accept-Language: es-ES;q=1

Content-Length: 400


pi=[CSRF_TOKEN]&SET0=[CFG_VAR_ID]%3D[CFG_VAR_VALUE]

```
===

CSRF_TOKEN – CSRF Token that changes for every POST request (We can
generate a new token and use it in a new request on:
http://IP/cgi/renewPi.js)

CFG_VAR_ID – identifies the configuration variable that you want to modify
(It changes at the same time that the CSRF_TOKEN changes). We can get the
CFG_VAR_ID values from http://IP/cgi/cgi_sys_smtp.js

CFG_VAR_VALUE is the new value for the configuration variable

In order to trigger the vulnerability, we sent a POST request to change the
configuration (with correct “pi” and CFG_VAR_ID”) and a greater
“Content-Length” for the request.

The server uses the “Content-Length” calculate the length of the new value
and then it uses the calculated size in “strncpy”.

We can play with information in the POST request in order to achieve that
“malloc” allocates our configuration value in an interesting zone in memory.

The server correctly allocates memory for our new value, but in order to
read and save the new configuration value, it reads out of bounds due to a
bad calculation of the length (based on the “Content-length” header).

Stack buffer Overflow

The router’s has an API that provides the configuration variables values in
JSON – It is used by the smartphone app, called ‘Mi Livebox’.

“/API/Services/Notifications/EmailNotification” returns a JSON object with
the email address configured to receive notifications when a new device
connects to the network or when a new phone call arrives.

The function is vulnerable to buffer-overflow in the URL request parser

If we make a request like the following we will triage the vulnerability:

===

`http://IP/API/Services/Notifications/[A repeated 243 times]`

===

We overwrite the following registers (MIPS Big Endian): s0, s1, s2, s3 and
ra. Since we control **ra** we can control the flow of the program and jump
to our shellcode.

In order to exploit this vulnerability we have two problems:

ASLR
We cannot use special bytes on our exploit (spaces, null bytes..)

This vulnerability is not exploitable by itself, but we can use the memory
leak explained before in order to leak some memory address and calculate
the Libc base.

Then, we can use ROP gadgets from the libc or another lib, and finally get
remote code execution.






--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Download attachment "SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities.pdf" of type "application/pdf" (172049 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ