Amplia Security 5  
5
 
 
Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability

Security Advisory Title: Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability
Advisory ID: AMPLIA-ARA050913
Date published: 12-26-2013
Vendors contacted: Nisuta (www.nisuta.com)
Release mode: Coordinated release
Last Updated: 04-21-2014

Index

1. Vulnerablity information
2. Vulnerablity description
3. Vulnerable systems
4. Vendor Information, solutions and workarounds
5. Credits
6. Technical description
7. Disclaimer

1. Vulnerability information

Impact: Remote attackers can bypass authentication and access the router's management web interface obtaining complete control of the device
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
CVE: CVE-2013-7282

2. Vulnerability description

The Nisuta (www.nisuta.com) NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).

This remote management web interface requires a password.

A remote attacker can bypass authentication and gain access to the remote management web interface, taking control of the device, without knowing the password.

3. Vulnerable Systems

Nisuta NS-WIR150NE wireless router, firmware v5.07.41
Nisuta NS-WIR300N wireless router, firmware v5.07.36_NIS01 (hardware version v3.0)

and probably other Nisuta wireless routers with similar firmware.

4. Vendor Information, Solutions and Workarounds

The vendor made available the following firmware updates:

Nisuta NS-WIR150NE
http://www.nisuta.com/producto.asp?id=NSWIR150NE
http://www.nisuta.com/drivers/NSWIR150NE.rar

Nisuta NS-WIR150NF
http://www.nisuta.com/producto.asp?id=NSWIR150NF
http://www.nisuta.com/drivers/NSWIR150NF.rar

Nisuta NS-WIR300N
https://www.nisuta.com/firmware/NSWIR300N.rar

Nisuta NS-WIR300ND
https://www.nisuta.com/firmware/NSWIR300ND.rar

The fix implemented by the vendor is not optimal, although better than any workaround.

As a workaround, disable remote management on the WAN interface (not enabled by default). However, it is not possible to disable remote management on the LAN interface, and applying the fix is recommended.

It is possible to restrict remote management on the WAN interface based on source IP address, but given the critical nature of this vulnerability we do not recommend it as a workaround.

It is also worth mentioning that the remote management web interface works over http without encryption, even with the flaw described in this advisory fixed, the interface is still insecure for other reasons.

5. Credits

This vulnerability was discovered by Amplia Security Research.

We thank Nisuta for their efforts to try to fix this vulnerability and improve the security of their products.

6. Technical description

The Nisuta NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).

This remote management web interface requires a password and uses form-based authentication (performed over http without encryption, which is another issue).

After entering the correct password, the router's remote management web interface always sets the same cookie, shown next:

Set-Cookie: admin:language=en; path=/

This cookie is hard-coded and obviously insecure.

Using this cookie in a HTTP request is enough to "bypass authentication" and login to the remote management web interface as an administrator without knowing the password.

The 'admin' value is not even required. For example,

Cookie: :language=en; path=/

is enough to gain access to the router.


PoC Exploit:

An unauthenticated remote attacker on the WAN and LAN interfaces can perform any action available on the router's remote management web interface, as an example, the following command will bypass authentication and download the router's configuration which includes the current remote management web interface password among other confidential information:

$ wget --header="Cookie: :language=en" http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg -t 1

The password is in the 'http_passwd' variable:

$ grep http_passwd config.cfg
http_passwd=mysecretpassword
$

The attacker can now conveniently login into the remote management web interface with full control and perform changes, obtain information, etc.

Again, the password is not needed, the attacker can just set the cookie 'admin:language=en' in his browser to gain access to the management interface or perform other actions directly, this is just an example.

Custom implementation of the PoC exploit:

7. Disclaimer

The contents of this advisory are copyright (c) 2013 Amplia Security (www.ampliasecurity.com), and may be distributed freely provided that no fee is charged for distribution and proper credit is given.


  news

Amplia Security consultant contributing author of the recently released "Hacking Exposed 7: Network Security Secrets and Solutions". The best-selling security book in the world translated in some 30 languages.

go to blog

 
 
 
             
SERVICES
Web Application Penetration Testing
Network Penetration Testing
Client-Side Penetration Testing
Wireless Penetration Testing
Software Penetration Testing
Appliance Penetration Testing
Web Service Penetration Testing
Software Security Assessments
Source Code Reviews
MOST DOWNLOADED
WCE v1.4beta (Universal)
WCE v1.4beta 64bit
WCE v1.4beta 32bit
Post-Exploitation with WCE
ASP.NET Padding oracle Attack POC exploit MS10-070)
ASP.NET Auto-Decryptor File Download PoC exploit (MS10-070)
MOST READ
WCE F.A.Q.
Java 7 Update 10 0-Day Vulnerability (CVE-2013-0422)
A Padding Oracle Attack Implemented in Javascript
MOST WATCHED
Exploiting MySQL Authentication Bypass Vulnerability (CVE-2012-2122)
Exploiting Apache Struts ExceptionDelegator Vulnerability (CVE-2012-0391)
ASP.NET Padding Oracle attack PoC exploit video
Using GTT fastupload to upload files to an isolated Citrix environment
Using GTT to download files from an isolated Citrix environment
 
l
 
(c) 2014, Amplia Security Home - Services - Research - About Us - Contact - Blog - News /// info@ampliasecurity.com