-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## Advisory Information Title: 112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable with RCE with root privileges Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc Date published: 2015-04-17 Vendors contacted: KrCERT, ipTIME Release mode: Released CVE: no current CVE ## Product Description EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle entreprise Routers/WiFi APs/Modems/Firewalls in South Korea with millions of devices deployed in the country. EFMNetworks ipTIME is occupying more than 60 percent of personal network devices. There are =~ 10 000 000 of ipTIME devices deployed in South Korea. ## Vulnerability Summary This vulnerability allows to bypass the admin authentication and to get a direct RCE as root from the LAN side with a single HTTP request. This is a direct RCE against the Routers/WiFi APs/Modems/Firewalls which gives a complete root access to the embedded Linux from the LAN side. The exploit doesn't work by default from the WAN (no HTTP or UPNP access from the WAN by default unless activated). If enabled on the WAN, the remote admin interface exposes the devices to this vulnerability. It affects 112 ipTIME products from 2009-era firmwares to the 9.52 firmware (built time 2015-03-23)) with the default configuration: - ipTIME A5004NS - ipTIME A3004NS - ipTIME A3004 - ipTIME A2004NS - ipTIME A2004NSplus - ipTIME A2004 - ipTIME A2004plus - ipTIME A2008 - ipTIME A1004 - ipTIME A1004V - ipTIME A104 - ipTIME A104NS - ipTIME N6004R - ipTIME N8004R - ipTIME N8004V - ipTIME N8004 - ipTIME N804A3 - ipTIME N804T3 - ipTIME N904 - ipTIME N904plus - ipTIME N904V - ipTIME N904Vplus - ipTIME N704V3 - ipTIME N704BCM - ipTIME N704A3 - ipTIME N604S - ipTIME N604A - ipTIME N104S-r1 - ipTIME Smart - ipTIME N904NS - ipTIME N704NS - ipTIME N604T - ipTIME N604Tplus - ipTIME N7004NS - ipTIME N104V - ipTIME N604V - ipTIME N604Vplus - ipTIME N604R - ipTIME N604Rplus - ipTIME N604plus - ipTIME N104R - ipTIME N104Q - ipTIME N104plus - ipTIME N104K - ipTIME N5 - ipTIME N2plus - ipTIME N1plus - ipTIME N1E - ipTIME N804V - ipTIME N804T - ipTIME N804A - ipTIME N804 - ipTIME N2E - ipTIME N2Eplus - ipTIME N104A - ipTIME N104S - ipTIME N104i - ipTIME N1 - ipTIME N104 - ipTIME N104M - ipTIME N504 - ipTIME N604i - ipTIME N604M - ipTIME N608 - ipTIME N704 - ipTIME N704A - ipTIME N704M - ipTIME N704S - ipTIME N704V - ipTIME N3004 - ipTIME N5004 - ipTIME N6004 - ipTIME N6004M - ipTIME N104T - ipTIME N5-r1 - ipTIME N104-r3 - ipTIME WR-E1 - ipTIME Mini - ipTIME MobileAP1 - ipTIME Multi - ipTIME Extender2 - ipTIME G1 - ipTIME G104 - ipTIME G104BE - ipTIME G104M - ipTIME G204 - ipTIME G304 - ipTIME G504 - ipTIME G504 - ipTIME G104i - ipTIME G104A - ipTIME Q604 - ipTIME V304 - ipTIME T3004 - ipTIME T3008 - ipTIME T16000 - ipTIME T24000 - ipTIME Q1 - ipTIME Q104 - ipTIME Q204 - ipTIME Q304 - ipTIME Q504 - ipTIME V104 - ipTIME V108 - ipTIME V308 - ipTIME V116 - ipTIME V124 - ipTIME V1024 - ipTIME V1016 - ipTIME T1004 - ipTIME T1008 - ipTIME X3003 - ipTIME X3007 - ipTIME X5007 - ipTIME X6003 Concerning the high CVSS score (10/10) of the vulnerability, the number of affected devices and the longevity of this vulnerability (6+ year old), we urge users to apply the new 9.58 firmware. ## Details The HTTP server allows the attacker to execute some CGI files. Many of them are vulnerable to a command inclusion which allows to execute commands with the http daemon user rights (root). root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /var/run/hwinfo company_name=EFM Networks product_name=ipTIME N604V url=www.iptime.co.kr max_vlan=5 mirror_port=1 num_lan_port=4 lan_port_swap=1 max_port=5 wan_port=5 firmup_duration=100 reboot_duration=40 max_wds=4 max_macauth=32 wireless_ifname=eth0 wan_ifname=eth2.2 local_ifname=br0 br0_port=eth2.1,eth0 port_diag=1 flash_diag_dev=/dev/mtd bootloader_size=0x10000 max_firmware_size=0x200000 save_flash_offset=0x10000 save_flash_size=0x10000 flash_sector_size=0x10000 max_syslog=400 ip_conntrack_max=8192 udp_conntrack_max=4096 icmp_conntrack_max=1024 auth_server=auth2.efm-net.com wan_ifidx=5 language=kr product_alias=n604v root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /home/http/build_date Mon Mar 23 14:54:50 KST 2015 root@kali:~/iptime# Considering the huge potential impact against the South Korea networks, we are not currently planning to release working exploits. The exploits will be posted on my blog located at https://pierrekim.github.io/blog/ ## Vendor Response The vendor has released a new firmware version (9.58) for 112 devices: http://iptime.com/iptime/?uid=16202&mod=document&page_id=16 ## Report Timeline * Jun 01, 2014: Vulnerability found by Pierre Kim and Alexandre Torres. * Mar 24, 2015: Vulnerability confirmed on all the existing versions from 2009 to 2015 including the last firmware version. * Apr 07, 2015: KRCERT is notified of the vulnerability using the FIRST dedicated email. * Apr 08, 2015: Pierre Kim tries to contact KRCERT using http://eng.krcert.or.kr/contactus/contact.jsp : this form doesn't work (nor