Vulnerabilities > CVE-2017-8841 - Path Traversal vulnerability in Peplink products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
COMPLETE
network
low complexity
peplink
CWE-22
exploit available

Summary

Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Exploit-Db

descriptionPeplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure. CVE-2017-8835,CVE-2017-8836,CVE-2017-8837,CVE-2017-8...
fileexploits/cgi/webapps/42130.txt
idEDB-ID:42130
last seen2017-06-06
modified2017-06-06
platformcgi
port443
published2017-06-06
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42130/
titlePeplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/142801/X41-2017-005.txt
idPACKETSTORM:142801
last seen2017-06-05
published2017-06-05
reporterEric Sesterhenn
sourcehttps://packetstormsecurity.com/files/142801/Peplink-7.0.0-build1904-XSS-CSRF-SQL-Injection-File-Deletion.html
titlePeplink 7.0.0-build1904 XSS / CSRF / SQL Injection / File Deletion

Seebug

bulletinFamilyexploit
descriptionMultiple Vulnerabilities in peplink balance routers =================================================== Overview -------- Confirmed Affected Versions: 7.0.0-build1904 Confirmed Patched Versions: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin Vulnerable Firmware: fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin Models: Balance Routers 305, 380, 580, 710, 1350, 2500 Vendor: Peplink Vendor URL: https://www.peplink.com/ Vector: Network Credit: X41 D-Sec GmbH, Eric Sesterhenn Additional Credits: Claus Overbeck (Abovo IT) Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/ Summary and Impact ------------------ Several issues have been identified, which allow attackers to access the administrative web interface with admin credentials, delete files, perform CSRF and XSS attacks. Product Description ------------------- From the vendor webpage: Use Load Balancing and SpeedFusion bandwidth bonding to deliver superfast VoIP, video streaming, and data using an SD-WAN enabled network. Even with a basic Balance 20 dual-WAN router, you can mix different transport technologies and providers to keep your network up when individual links go down. Switching between links is automatic and seamless. SQL Injection via bauth Cookie ============================== Severity Rating: Critical Vector: Network CVE: CVE-2017-8835 CWE: 89 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Summary and Impact ------------------ Peplink devices are vulnerable to an SQL injection attack via the bauth cookie parameter which is set e.g. when accessing https://ip/cgi-bin/MANGA/admin.cgi. The injection can be checked with the following command: ./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" -p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ --flush-session -t trace.log --prefix "'" --suffix "--" -a The vulnerability in the Peplink device allows to access the SQLite session database containing user and session variables. By using the the following cookie in a web request, it is possible to select a running administrator session to be used for the attackers login. bauth=-12' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') or '1'='2 By forming specialised SQL queries, it is possible to retrieve usernames from the database. This worked by returning a valid session in case the username existed and no session if it did not exist. In the first case the server did not set a new session cookie in the response to the request. SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id from sessions as s left join sessionsvariables as v on v.id=s.id where v.name='username' and substr(v.value,1,3)='adm') Workarounds ----------- Install vendor supplied update. No CSRF Protection ================== Severity Rating: Medium Vector: Network CVE: CVE-2017-8836 CWE: 352 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Summary and Impact ------------------ The CGI scripts in the administrative interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands, if a logged in user visits a malicious website. This can for example be used to change the credentials of the administrative webinterface. Workarounds ----------- Install vendor supplied update. Passwords stored in Cleartext ============================= Severity Rating: Medium Vector: Network CVE: CVE-2017-8837 CWE: 256 CVSS Score: 4.0 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Summary and Impact ------------------ The Peplink devices store passwords in cleartext in the files /etc/waipass and /etc/roapass. In case one of these devices is compromised the attacker can gain access to the cleartext passwords and abuse them to compromise further systems. Workarounds ----------- Install vendor supplied update. XSS via syncid Parameter ======================== Severity Rating: Medium Vector: Network CVE: CVE-2017-8838 CWE: 80 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Summary and Impact ------------------ If the webinterface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site-scripting issue by calling https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert %281%29%3C/script%3E This executes the JavaScript in the victims browser, which can be abused to steal session cookies. Workarounds ----------- Install vendor supplied update. XSS via preview.cgi =================== Severity Rating: Medium Vector: Network CVE: CVE-2017-8839 CWE: 80 CVSS Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Summary and Impact ------------------ If the webinterface is accessible, it is possible to abuse the the orig_url parameter to trigger a cross-site-scripting issue in /guest/preview.cgi. The injection is directly into existing JavaScript. This executes the JavaScript in the victims browser, which can be abused to steal session cookies. Workarounds ----------- Install vendor supplied update. File Deletion ============= Severity Rating: Medium Vector: Network CVE: CVE-2017-8841 CWE: 73 CVSS Score: 6.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H Summary and Impact ------------------ A logged in user can delete arbitrary files on the Peplink devices, by abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path is provided to the upfile.path parameter the file provided in the path is deleted during the process. This can be abused to cause a denial of service (DoS). In combination with the missing CSRF protection, this can be abused remotely via a logged in user. Workarounds ----------- Install vendor supplied update. Information Disclosure ====================== Severity Rating: Medium Vector: Network CVE: CVE-2017-8840 CWE: 200 CVSS Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Summary and Impact ------------------ If the webinterface is accessible, it is possible to retrieve sensitive information without a valid login by opening cgi-bin/HASync/hasync.cgi?debug=1 This displays the following: -----8<------------------------------------------------ Master LAN Address = [ <internal ip> / <netmask> ] Serial Number = [ <serial number> ] HA Group ID = [ <group id> ] Virtual IP = [ <internal ip> / <netmask> ] Submitted syncid = [ <syncid> ] -----8<------------------------------------------------ This information can be valuable for an attacker to exploit other issues. Workarounds ----------- Install vendor supplied update. About X41 D-Sec GmbH -------------------- X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions. Timeline -------- 2017-04-07 Issue found 2017-04-10 Vendor asked for security contact 2017-04-11 Vendor replied, send GPG key 2017-04-11 Information supplied to vendor 2017-04-11 Vendor acknowledges that the information is received 2017-04-17 Vendor acknowledges SQL injection 2017-05-08 CVE IDs for all issues requested 2017-05-08 CVE IDs assigned 2017-05-11 Vendor informed about CVE IDs 2017-05-29 Version provided to X41 for testing 2017-05-31 First test results send back to the vendor 2017-06-01 Remaining test results send back to the vendor 2017-06-05 Coordinated Firmware and Advisory release
idSSV:93186
last seen2017-11-19
modified2017-06-06
published2017-06-06
reporterRoot
titleMultiple Vulnerabilities in peplink balance routers