=============================================
INTERNET SECURITY AUDITORS ALERT 2007-002
- Original release date: 31st January, 2007
- Last revised: 22nd December, 2008
- Discovered by: Daniel Fernandez Bleda
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+

II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet ports and a single USB port provide wired LAN connectivity, with an integrated 802.11g WiFi WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL router provides state-of-the-art security features such as WPA data encryption, firewall and VPN pass-through.

III. DESCRIPTION
-------------------------
Improper validation in the micro_httpd server permits multiple attacks through this stateless server. Access control is also deficient and does not control access at all. Credentials are sent in clear text, so the "user" account could obtain them easily. Some fields and data are not filtered, so XSS attacks and buffer overflows can DoS the httpd configuration server. In some cases the effect is not limited to HTTP: the router needs a reboot, losing its configuration and resetting to default values. This means default passwords, an open wireless network, etc.

IV. PROOF OF CONCEPT
-------------------------
1. User "user" (the least privileged user, with read-only and limited access to configuration reading) can request a resource it is not allowed to access, and the server will return the requested page. This includes the password change resource:
   http://192.168.0.1/password.html

2. The router sends the passwords of the 3 users in clear text inside the HTML, to make a fast check during the password change.

3. Some description fields in the configuration options are vulnerable to Cross Site Scripting attacks due to improper validation:
   http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1

4. Some resources (e.g. the NAT table) are vulnerable to buffer overflow attacks through the description fields, which seem to kill the micro_httpd server although the router continues routing. Similar behaviour is seen when requesting URLs that contain %13 and %10 characters, which do not match the micro_httpd checks for "..", "../" and "/../".

5. User "user" gets "admin" privileges when connecting through the TELNET service.

6. User "support" seems not to exist at all.

7. The SSH service cannot replace TELNET or HTTP, as it seems not to exist at all in the router!

V. BUSINESS IMPACT
-------------------------
DoS of the Web Configuration interface, although the router continues routing.
DoS of the router, causing a reset of the configuration, meaning the Wireless interface (activated by default) starts up without any type of protection, with the possibility of accessing the router or the network.
Reset of the router configuration.
Access with "admin" (privileged) permissions for user "user".

VI. SYSTEMS AFFECTED
-------------------------
Firmware up to version A101-302JAZ-C01_R05 (current)

VII. SOLUTION
-------------------------
Change the router.

VIII. REFERENCES
-------------------------
http://www.comtrend.com
http://www.acme.com/software/micro_httpd/
http://www.jazztel.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
January 30, 2007: Initial release
April 18, 2007: First contact with the vendor. Minor corrections.
November 09, 2007: Some corrections applied.

XI. DISCLOSURE TIMELINE
-------------------------
January 30, 2007: Vulnerability acquired by Internet Security Auditors
April 18, 2007: Initial vendor notification sent. No response.
May 01, 2007: Second vendor notification. Response: will be studied.
May 22, 2007: Third vendor contact. Reported to their vendor for analysis.
August 07, 2007: Fourth vendor contact. The problem does not seem easy to correct. R&D Dept. is studying the solution.
November 09, 2007: Fifth vendor contact. No response.
November 19, 2007: Sixth vendor contact. No response.
December 07, 2007: Seventh vendor contact. Chipset vendor is working on it.
November 11, 2008: Last vendor contact. No response.
December 22, 2008: Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
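Added example, not part of the advisory: a small log scanner that flags the request patterns described in section IV (an unprivileged account fetching password.html, a script tag in a scvrtsrv.cmd parameter, and dot-dot segments hidden behind percent-encoded control characters such as %13 and %10). The log format (user, method, request target) and the sample lines are constructed for this example and are not real router output.

```python
"""Flag requests matching the issues in section IV of alert 2007-002.
Added example, not from the advisory. Log format is constructed:
"<user> <method> <request-target>" per line."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines, not real router output.
SAMPLE_LOG = [
    "user GET /password.html",
    "admin GET /password.html",
    "user GET /scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)"
    "%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1",
    "user GET /scvrtsrv.cmd?action=add&srvName=web&srvAddr=192.168.1.1",
    "user GET /..%13/..%10/somefile",
    "user GET /main.html",
]

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
ADMIN_ONLY = {"/password.html"}  # resources the "user" account must never be served

def canonical_path(raw_path):
    """Percent-decode, then drop control bytes so '..' split by %13/%10 is visible."""
    return CONTROL_RE.sub("", unquote(raw_path))

def classify(line):
    """Return the list of findings for one log line (empty when clean)."""
    user, _method, target = line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    if user != "admin" and parts.path in ADMIN_ONLY:
        findings.append("unprivileged-access")
    if ".." in canonical_path(parts.path).split("/"):
        findings.append("path-traversal")
    if parts.path.endswith("scvrtsrv.cmd"):
        # parse_qs percent-decodes values, so %3Cscript%3E becomes <script>
        params = parse_qs(parts.query, keep_blank_values=True)
        if any(SCRIPT_RE.search(v) for vals in params.values() for v in vals):
            findings.append("xss-in-parameter")
    return findings

def scan(lines):
    """Return (line, findings) pairs for lines with at least one finding."""
    hits = [(ln, classify(ln)) for ln in lines]
    return [(ln, f) for ln, f in hits if f]

if __name__ == "__main__":
    for ln, f in scan(SAMPLE_LOG):
        print(", ".join(f), "<-", ln)
```

Stripping control bytes before the dot-dot check is the canonicalisation step the advisory says micro_httpd lacks; the same check should run on the server side before the path is used.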