
[ISecAuditors Security Advisories] Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+
=============================================
INTERNET SECURITY AUDITORS ALERT 2007-002
- Original release date: 31st January, 2007
- Last revised: 22nd December, 2008
- Discovered by: Daniel Fernandez Bleda
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+

II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet ports and a
single USB port provide wired LAN connectivity, with an integrated
802.11g WiFi WLAN Access Point (AP) for wireless connectivity. The
CT-536 ADSL router provides state-of-the-art security features such as
WPA data encryption, firewall and VPN pass-through.

III. DESCRIPTION
-------------------------
Improper input validation in the micro_httpd server permits multiple
attacks through this stateless server. Access control is also
deficient: the server does not enforce it at all. Credentials are sent
in clear text, so the least privileged "user" account can obtain them
easily.

Some fields and data are not filtered, so XSS attacks and buffer
overflows can DoS the httpd configuration server. In some cases the
result is not limited to HTTP: the router needs a reboot, losing its
configuration and resetting to default values. This means default
passwords, an open wireless network, etc.

IV. PROOF OF CONCEPT
-------------------------
1. User "user" (the least privileged user, with read-only and limited
access to the configuration) can request a resource it is not allowed
to access and the server will return the requested page. This includes
the password change resource:

http://192.168.0.1/password.html

2. The router sends the passwords of the 3 users in clear text inside
the HTML, to make a fast check during the password change.

3. Some of the description fields in the configuration options are
vulnerable to Cross Site Scripting attacks due to improper validation:

http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1

4. Some resources (e.g. the NAT table) are vulnerable to buffer
overflow attacks through the description fields, which seem to kill the
micro_httpd server although the router continues routing. Similar
behaviour is seen when requesting URLs that include %13 and %10
characters, which do not trigger micro_httpd's checks for "..", "../"
and "/../".

5. User "user" obtains "admin" privileges when connecting through the
TELNET service.

6. User "support" does not seem to exist at all.

7. The SSH service cannot replace TELNET or HTTP because it does not
seem to exist on the router at all!
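The validation gaps behind points 1, 3 and 4 can be illustrated with a hardened request handler. The following C block is an added example written for this page, not micro_httpd's own code or Comtrend's firmware; the functions safe_request_path, html_escape and authorized, the role values and the ACL table are hypothetical. It percent-decodes the request path before checking it (so encoded control bytes such as %13/%10 and encoded ".." segments are caught rather than matched literally), escapes description fields such as srvName before they are rendered back into HTML, and serves resources deny-by-default according to the requesting role.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical path check: decode first, then validate the decoded form.
 * Returns 1 and writes the decoded path to out if acceptable, 0 otherwise. */
int safe_request_path(const char *raw, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; raw[i] != '\0'; i++) {
        int c = (unsigned char)raw[i];
        if (c == '%') {
            int hi = hexval((unsigned char)raw[i + 1]);
            if (hi < 0) return 0;                 /* malformed or truncated escape */
            int lo = hexval((unsigned char)raw[i + 2]);
            if (lo < 0) return 0;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c < 0x20 || c == 0x7f) return 0;      /* control bytes never belong in a path */
        if (o + 1 >= outlen) return 0;            /* no room: refuse instead of truncating */
        out[o++] = (char)c;
    }
    out[o] = '\0';

    /* Reject any ".." segment in the decoded path, whatever its encoding was. */
    const char *p = out;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (!end) break;
        p = end + 1;
    }
    return 1;
}

/* Escape the HTML-significant characters of a stored field (e.g. srvName)
 * so it renders as text. Returns bytes written, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;
        }
        size_t n = strlen(rep);
        if (o + n >= outlen) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical per-resource ACL (constructed for this example). */
enum role { ROLE_USER = 1, ROLE_SUPPORT = 2, ROLE_ADMIN = 4 };
static const struct { const char *path; int allowed; } acl[] = {
    { "/password.html", ROLE_ADMIN },
    { "/scvrtsrv.cmd",  ROLE_ADMIN | ROLE_SUPPORT },
    { "/index.html",    ROLE_ADMIN | ROLE_SUPPORT | ROLE_USER },
};

/* Deny by default: a resource not in the table is served to nobody. */
int authorized(const char *path, enum role r)
{
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (strcmp(acl[i].path, path) == 0)
            return (acl[i].allowed & r) != 0;
    return 0;
}

int main(void)
{
    char buf[64];
    printf("/a/%%2e%%2e/b accepted: %d\n", safe_request_path("/a/%2e%2e/b", buf, sizeof buf));
    printf("/password.html for user: %d\n", authorized("/password.html", ROLE_USER));
    html_escape("<script>alert(\"XSS\")</script>", buf, sizeof buf);
    printf("escaped srvName: %s\n", buf);
    return 0;
}
```

The order matters: the check in point 4 fails because it looks for literal ".." in a string that has not yet been decoded, so a decoded form only exists after the check. Refusing oversized output rather than truncating it is what keeps the description fields of point 4 from becoming an overflow in the handler itself.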

V. BUSINESS IMPACT
-------------------------
DoS of the web configuration interface, although the router continues
routing.
DoS of the router, causing a reset of its configuration, which means the
wireless interface (activated by default) starts up without any type of
protection and the router or the network can be accessed.
Reset of the router configuration.
Access with "admin" (privileged) permissions for user "user".

VI. SYSTEMS AFFECTED
-------------------------
Firmware up to version A101-302JAZ-C01_R05 (current)

VII. SOLUTION
-------------------------
Change the router.

VIII. REFERENCES
-------------------------
http://www.comtrend.com
http://www.acme.com/software/micro_httpd/
http://www.jazztel.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
January   30, 2007: Initial release
April     18, 2007: First contact with the vendor. Minor corrections.
November  09, 2007: Some corrections applied.

XI. DISCLOSURE TIMELINE
-------------------------
January   30, 2007: Vulnerability acquired by
                    Internet Security Auditors
April     18, 2007: Initial vendor notification sent. No response.
May       01, 2007: Second vendor notification.
                    Response: will be studied.
May       22, 2007: Third vendor contact. Reported to their vendor for
                    analysis.
August    07, 2007: Fourth vendor contact. The problem seems not to be
                    easy to correct; the R&D department is studying a
                    solution.
November  09, 2007: Fifth vendor contact. No response.
November  19, 2007: Sixth vendor contact. No response.
December  07, 2007: Seventh vendor contact. The chipset vendor is working
                    on it.
November  11, 2008: Last vendor contact. No response.
December  22, 2008: Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.