[ISecAuditors Security Advisories] Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-002
- Original release date: 31st January, 2007
- Last revised: 22nd December, 2008
- Discovered by: Daniel Fernandez Bleda
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+
II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet and single USB
ports provide wired LAN connectivity with an integrated 802.11g WiFi
WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL
router provides state of the art security features such as WPA data
encryption; Firewall, VPN pass through.
III. DESCRIPTION
-------------------------
Improper input validation in the micro_httpd server permits multiple
attacks against this stateless server. Access control is also deficient
and, in practice, does not restrict access at all. Credentials are sent
in clear text, so the "user" account can obtain them easily.
Some fields and data are not filtered, so XSS attacks and buffer overflows
can DoS the httpd configuration server. In some cases the result is not
limited to HTTP: the router needs a reboot, losing its configuration and
resetting to default values. This means default passwords, an open
wireless network, etc.
IV. PROOF OF CONCEPT
-------------------------
1. User "user" (the least privileged user, with read-only and limited
access to the configuration) can request a resource it is not allowed to
see and the server will return the requested page, including the password
change resource:
http://192.168.0.1/password.html
2. The router sends the passwords of the 3 users in clear text inside the
HTML to make a fast check during the password change.
3. Some description fields in the configuration options are vulnerable
to Cross-Site Scripting attacks due to improper validation:
http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1
4. Some resources (e.g. the NAT table) are vulnerable to buffer overflow
attacks through their description fields; this appears to kill the
micro_httpd server, although the router continues routing. Similar
behaviour is seen when requesting URLs that include %13 and %10
characters, which do not match the micro_httpd checks for "..", "../"
and "/../".
5. User "user" obtains "admin" privileges when connecting through the
TELNET service.
6. User "support" does not seem to exist at all.
7. The SSH service cannot replace TELNET or HTTP because it does not seem
to exist at all on the router!
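Hardened handling of the inputs exercised in items 3 and 4 above, as an added Python example that is not part of this advisory and is not the router's or micro_httpd's own code: it validates the srvName description field against a character allow-list and a length cap before storage, escapes it on output, and checks request paths only after percent-decoding so that encoded traversal sequences and control characters such as %13 and %10 are rejected rather than slipping past a check on the raw string. The 32-character limit, the allowed character set and the audit_request helper are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed limit for a virtual-server description; the real field size is
# not documented in the advisory (hypothetical value).
MAX_SRVNAME_LEN = 32

# Allow-list for a description field: letters, digits, space, dot,
# underscore and hyphen. Anything else (including < > " & %) is rejected.
SRVNAME_RE = re.compile(r"[A-Za-z0-9 ._-]+")


def validate_srvname(value):
    """Return the description if it is safe to store, otherwise None.

    `value` is the already URL-decoded form field. Length is checked
    before the pattern so an oversized field never reaches a fixed-size
    buffer of the kind the advisory describes.
    """
    if not 0 < len(value) <= MAX_SRVNAME_LEN:
        return None
    if not SRVNAME_RE.fullmatch(value):
        return None
    return value


def render_srvname(value):
    """Escape a stored description before embedding it in an HTML page.

    Defence in depth: even if a bad value slipped past validation,
    escaping on output keeps it from executing as script in the browser.
    """
    return html.escape(value, quote=True)


def is_safe_request_path(raw_path):
    """Reject request paths that could bypass naive traversal checks.

    The check runs AFTER percent-decoding (so "%2e%2e" is seen as "..")
    and additionally rejects control characters such as %13 and %10 and
    any path that does not start at the document root.
    """
    decoded = unquote(raw_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    if not decoded.startswith("/"):
        return False
    for segment in decoded.split("/"):
        if segment == "..":
            return False
    return True


def audit_request(url):
    """Evaluate one request URL the way a hardened handler would.

    Returns the path verdict and, for the virtual-server 'add' action,
    whether the srvName field would be accepted (hypothetical helper).
    """
    parts = urlsplit(url)
    result = {"path_ok": is_safe_request_path(parts.path),
              "srvname": None, "srvname_ok": None}
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/scvrtsrv.cmd" and query.get("action") == ["add"]:
        srvname = query.get("srvName", [""])[0]   # parse_qs already decodes
        result["srvname"] = srvname
        result["srvname_ok"] = validate_srvname(srvname) is not None
    return result


if __name__ == "__main__":
    # Constructed sample requests; the first is the XSS PoC URL from item 3.
    samples = [
        "http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1",
        "http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=office-printer&srvAddr=192.168.1.1",
        "http://192.168.0.1/images/%2e%2e/%2e%2e/password.html",
        "http://192.168.0.1/password.html%0a",
    ]
    for sample in samples:
        print(audit_request(sample))
```

The order of operations is the point: decode first, then validate against a positive allow-list, then escape on output. A check that looks for ".." in the raw, still-encoded path is the pattern the advisory reports as bypassable.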
V. BUSINESS IMPACT
-------------------------
DoS of the web configuration interface, although the router continues
routing.
DoS of the router, causing a reset of its configuration, meaning the
wireless interface (enabled by default) starts without any type of
protection, giving the possibility of accessing the router or the network.
Reset of the router configuration.
Access with "admin" (privileged) permissions for user "user".
VI. SYSTEMS AFFECTED
-------------------------
Firmware until version A101-302JAZ-C01_R05 (current)
VII. SOLUTION
-------------------------
Change the router.
VIII. REFERENCES
-------------------------
http://www.comtrend.com
http://www.acme.com/software/micro_httpd/
http://www.jazztel.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
January 30, 2007: Initial release
April 18, 2007: First contact with the vendor. Minor corrections.
November 09, 2007: Some corrections applied.
XI. DISCLOSURE TIMELINE
-------------------------
January 30, 2007: Vulnerability acquired by
Internet Security Auditors
April 18, 2007: Initial vendor notification sent. No response.
May 01, 2007: Second vendor notification.
Response: will be studied.
May 22, 2007: Third vendor contact. Reported to their vendor for
analysis.
August 07, 2007: Fourth Vendor contact. The problem does not seem
easy to correct; the R&D department is studying a
solution.
November 09, 2007: Fifth Vendor contact. No response.
November 19, 2007: Sixth Vendor contact. No response.
December 07, 2007: Seventh Vendor contact. Chipset vendor is working.
November 11, 2008: Last Vendor contact. No response.
December 22, 2008: Published.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.