BugTraq
112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable with RCE with root privileges Apr 17 2015 02:14AM
Pierre Kim (pierre kim sec gmail com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: 112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable
with RCE with root privileges
Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc
Date published: 2015-04-17
Vendors contacted: KrCERT, ipTIME
Release mode: Released
CVE: no current CVE

## Product Description

EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle
entreprise Routers/WiFi APs/Modems/Firewalls in South Korea
with millions of devices deployed in the country. EFMNetworks ipTIME
is occupying more than 60 percent of personal network devices.
There are =~ 10 000 000 of ipTIME devices deployed in South Korea.

## Vulnerability Summary

This vulnerability allows to bypass the admin authentication and to
get a direct RCE as root from the LAN side with a single HTTP request.

This is a direct RCE against the Routers/WiFi APs/Modems/Firewalls
which gives a complete root access to the embedded Linux from the LAN
side.
The exploit doesn't work by default from the WAN (no HTTP or UPNP
access from the WAN by default unless activated).
If enabled on the WAN, the remote admin interface exposes the devices
to this vulnerability.

It affects 112 ipTIME products from 2009-era firmwares to the 9.52
firmware (built time 2015-03-23)) with the default configuration:

- ipTIME A5004NS
- ipTIME A3004NS
- ipTIME A3004
- ipTIME A2004NS
- ipTIME A2004NSplus
- ipTIME A2004
- ipTIME A2004plus
- ipTIME A2008
- ipTIME A1004
- ipTIME A1004V
- ipTIME A104
- ipTIME A104NS
- ipTIME N6004R
- ipTIME N8004R
- ipTIME N8004V
- ipTIME N8004
- ipTIME N804A3
- ipTIME N804T3
- ipTIME N904
- ipTIME N904plus
- ipTIME N904V
- ipTIME N904Vplus
- ipTIME N704V3
- ipTIME N704BCM
- ipTIME N704A3
- ipTIME N604S
- ipTIME N604A
- ipTIME N104S-r1
- ipTIME Smart
- ipTIME N904NS
- ipTIME N704NS
- ipTIME N604T
- ipTIME N604Tplus
- ipTIME N7004NS
- ipTIME N104V
- ipTIME N604V
- ipTIME N604Vplus
- ipTIME N604R
- ipTIME N604Rplus
- ipTIME N604plus
- ipTIME N104R
- ipTIME N104Q
- ipTIME N104plus
- ipTIME N104K
- ipTIME N5
- ipTIME N2plus
- ipTIME N1plus
- ipTIME N1E
- ipTIME N804V
- ipTIME N804T
- ipTIME N804A
- ipTIME N804
- ipTIME N2E
- ipTIME N2Eplus
- ipTIME N104A
- ipTIME N104S
- ipTIME N104i
- ipTIME N1
- ipTIME N104
- ipTIME N104M
- ipTIME N504
- ipTIME N604i
- ipTIME N604M
- ipTIME N608
- ipTIME N704
- ipTIME N704A
- ipTIME N704M
- ipTIME N704S
- ipTIME N704V
- ipTIME N3004
- ipTIME N5004
- ipTIME N6004
- ipTIME N6004M
- ipTIME N104T
- ipTIME N5-r1
- ipTIME N104-r3
- ipTIME WR-E1
- ipTIME Mini
- ipTIME MobileAP1
- ipTIME Multi
- ipTIME Extender2
- ipTIME G1
- ipTIME G104
- ipTIME G104BE
- ipTIME G104M
- ipTIME G204
- ipTIME G304
- ipTIME G504
- ipTIME G504
- ipTIME G104i
- ipTIME G104A
- ipTIME Q604
- ipTIME V304
- ipTIME T3004
- ipTIME T3008
- ipTIME T16000
- ipTIME T24000
- ipTIME Q1
- ipTIME Q104
- ipTIME Q204
- ipTIME Q304
- ipTIME Q504
- ipTIME V104
- ipTIME V108
- ipTIME V308
- ipTIME V116
- ipTIME V124
- ipTIME V1024
- ipTIME V1016
- ipTIME T1004
- ipTIME T1008
- ipTIME X3003
- ipTIME X3007
- ipTIME X5007
- ipTIME X6003

Concerning the high CVSS score (10/10) of the vulnerability, the
number of affected devices and the longevity of this vulnerability (6+
year old), we urge users to apply the new 9.58 firmware.

## Details

The HTTP server allows the attacker to execute some CGI files.

Many of them are vulnerable to a command inclusion which allows to
execute commands with the http daemon user rights (root).

root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /var/run/hwinfo
company_name=EFM Networks
product_name=ipTIME N604V
url=www.iptime.co.kr
max_vlan=5
mirror_port=1
num_lan_port=4
lan_port_swap=1
max_port=5
wan_port=5
firmup_duration=100
reboot_duration=40
max_wds=4
max_macauth=32
wireless_ifname=eth0
wan_ifname=eth2.2
local_ifname=br0
br0_port=eth2.1,eth0
port_diag=1
flash_diag_dev=/dev/mtd
bootloader_size=0x10000
max_firmware_size=0x200000
save_flash_offset=0x10000
save_flash_size=0x10000
flash_sector_size=0x10000
max_syslog=400
ip_conntrack_max=8192
udp_conntrack_max=4096
icmp_conntrack_max=1024
auth_server=auth2.efm-net.com
wan_ifidx=5
language=kr
product_alias=n604v
root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /home/http/build_date
Mon Mar 23 14:54:50 KST 2015
root@kali:~/iptime#

Considering the huge potential impact against the South Korea
networks, we are not currently planning to release working exploits.

The exploits will be posted on my blog located at
https://pierrekim.github.io/blog/

## Vendor Response

The vendor has released a new firmware version (9.58) for 112 devices:

http://iptime.com/iptime/?uid=16202&mod=document&page_id=16

## Report Timeline

* Jun 01, 2014: Vulnerability found by Pierre Kim and Alexandre Torres.
* Mar 24, 2015: Vulnerability confirmed on all the existing versions
from 2009 to 2015 including the last firmware version.
* Apr 07, 2015: KRCERT is notified of the vulnerability using the
FIRST dedicated email.
* Apr 08, 2015: Pierre Kim tries to contact KRCERT using
http://eng.krcert.or.kr/contactus/contact.jsp : this form doesn't work
(nor <form>, nor JS for form-submission).
* Apr 08, 2015: Vendor is contacted (security (at) iptime (dot) com [email concealed]) to provide
a valid GPG key.
* Apr 08, 2015: Email sent to security (at) iptime (dot) com [email concealed] is bounced.
* Apr 08, 2015: Vendor is contacted (support (at) iptime (dot) com [email concealed]) for a GPG key.
* Apr 09, 2015: KRCERT is contacted (cert (at) krcert.or (dot) kr [email concealed] - support
email) for a GPG key.
* Apr 09, 2015: vuln (at) krcert.or (dot) kr [email concealed] is contacted.
* Apr 09, 2015: KISA is contacted for a GPG key at
http://www.kisa.or.kr/eng/contactUs/contactUs.jsp: 400 Bad Request or
alert box saying the message was malformed.
* Apr 09, 2015: KISA is contacted using Twitter
(https://twitter.com/PierreKimSec/status/585986016294674433).
* Apr 09, 2015: FIRST KRCERT answered asking for information about
the vulnerabilites and agreed to contact ipTIME to develop a security
patch as soon as possible.
* Apr 09, 2015: 2 POCs are sent to FIRST KRCERT by email.
* Apr 13, 2015: FIRST KRCERT confirms the POCs work and said they
can't assign CVE. They ask a 90 days disclosure policy to allow ipTIME
to work on this issue and asks if we can disclose the vulnerabilities
details after a patch is released.
* Apr 13, 2015: MITRE is contacted asking for a CVE number.
* Apr 13, 2015: FIRST KRCERT is contacted : we agree on the 90 days
vulnerability disclosure policy. We ask which models are vulnerable.
* Apr 14, 2015: vuln (at) krcert.or (dot) kr [email concealed] replies with one vulnerable model.
The vulnerability information is sent to ipTIME and we have to use
vuln (at) krcert.or (dot) kr [email concealed] as a contact address now.
* Apr 15, 2015: vuln (at) krcert.or (dot) kr [email concealed] is contacted for a GPG key
concerning other vulnerabilities found in ipTIME products.
* Apr 16, 2015: Vendor releases 112 new firmwares.
* Apr 16, 2015: vuln (at) krcert.or (dot) kr [email concealed] is contacted to know if this new
firmware fixes the vulnerabilities we reported. The vendor advisory
specifies only "User Interface-related security" in Korean (thank you
Google Translate).
* Apr 16, 2015: From our tests, the vulnerabilities have been fixed.
* Apr 17, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Alexandre Torres and Pierre Kim (@PierreKimSec).

## Greetings

Big thanks to my friend working at YongSan, specialized in server
hardware and alcohol, which gave me for free an ipTIME X3003 which
resulted this complete pownage.

## References

http://iptime.com/iptime/?uid=16202&mod=document&page_id=16
https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc

## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVMHSPAAoJEMQ+Dtp9ky28/5gP/3xaajDhO5Y/u8PkegkGJ4bZ
63tbiOAh2CiioWzwQXhgPUVqCua8Fh+SFqrrwf1j3klZtiNPR8ThUiQC1efE9q2+
Q8oc4KMpb0Ysf+HuFBAU7mdqNZazZukAOTttDMSProap72D5QkqzRrWEiYk5Lk/9
R5/rj94iEZ3ZM3gZkFp1HHSKvkfTXdZdwxv4r2bq3URxqmUnj3aZ/ITmqxLEYEgT
ufjoaGXodffnNJZNyhFpnIMgK6DZvs8/WdH2+zCKsCltru7ou2biBD1m0LIbYli4
tCUOzgUQ+FlR7KDmUmBWhtVQodKsWdOSnDJKnyjvLueS1YCGBLMuMiNnbtdmYU8Z
qdFmAEnSysrxWupk+sPZkcxrzI/8eIbON937JrrCzTaE7jNNgTyhW1AwmDqMDpqe
pWfPogBRZ1LpUSiOC++zFkkayVMVyhOmqDttrRMhCzW7bCuM9dmPBfBTjqiq6luZ
HRofLYmG7PBtqCwEJi+AMzWydCJgnOEq2d26AK2BoDK2PuBfGG5Rg47HC82lNOsR
0mejdpCYJXBw30YjMG5O3cH1PjlG5JfVYXsHmaFTfvN9Omz8xJZBY2528e4gNCOS
SkyGa4CFJ/QF6N+3kgc5AWpjuvAdtfqINBK2OShNdASGHC+Z4Eyj9J+eaXvu8g7J
k6tQ5BWKb21foIfsrYyT
=XTn6
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus