-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## Advisory Information Title: 112 ipTIME Routers/WiFi APs/Modems/Firewalls models vulnerable with RCE with root privileges Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc Date published: 2015-04-17 Vendors contacted: KrCERT, ipTIME Release mode: Released CVE: no current CVE ## Product Description EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle entreprise Routers/WiFi APs/Modems/Firewalls in South Korea with millions of devices deployed in the country. EFMNetworks ipTIME is occupying more than 60 percent of personal network devices. There are =~ 10 000 000 of ipTIME devices deployed in South Korea. ## Vulnerability Summary This vulnerability allows to bypass the admin authentication and to get a direct RCE as root from the LAN side with a single HTTP request. This is a direct RCE against the Routers/WiFi APs/Modems/Firewalls which gives a complete root access to the embedded Linux from the LAN side. The exploit doesn't work by default from the WAN (no HTTP or UPNP access from the WAN by default unless activated). If enabled on the WAN, the remote admin interface exposes the devices to this vulnerability. It affects 112 ipTIME products from 2009-era firmwares to the 9.52 firmware (built time 2015-03-23)) with the default configuration: - ipTIME A5004NS - ipTIME A3004NS - ipTIME A3004 - ipTIME A2004NS - ipTIME A2004NSplus - ipTIME A2004 - ipTIME A2004plus - ipTIME A2008 - ipTIME A1004 - ipTIME A1004V - ipTIME A104 - ipTIME A104NS - ipTIME N6004R - ipTIME N8004R - ipTIME N8004V - ipTIME N8004 - ipTIME N804A3 - ipTIME N804T3 - ipTIME N904 - ipTIME N904plus - ipTIME N904V - ipTIME N904Vplus - ipTIME N704V3 - ipTIME N704BCM - ipTIME N704A3 - ipTIME N604S - ipTIME N604A - ipTIME N104S-r1 - ipTIME Smart - ipTIME N904NS - ipTIME N704NS - ipTIME N604T - ipTIME N604Tplus - ipTIME N7004NS - ipTIME N104V - ipTIME N604V - ipTIME N604Vplus - ipTIME N604R - ipTIME N604Rplus - ipTIME N604plus - ipTIME N104R - ipTIME N104Q - ipTIME N104plus - ipTIME N104K - ipTIME N5 - ipTIME N2plus - ipTIME N1plus - ipTIME N1E - ipTIME N804V - ipTIME N804T - ipTIME N804A - ipTIME N804 - ipTIME N2E - ipTIME N2Eplus - ipTIME N104A - ipTIME N104S - ipTIME N104i - ipTIME N1 - ipTIME N104 - ipTIME N104M - ipTIME N504 - ipTIME N604i - ipTIME N604M - ipTIME N608 - ipTIME N704 - ipTIME N704A - ipTIME N704M - ipTIME N704S - ipTIME N704V - ipTIME N3004 - ipTIME N5004 - ipTIME N6004 - ipTIME N6004M - ipTIME N104T - ipTIME N5-r1 - ipTIME N104-r3 - ipTIME WR-E1 - ipTIME Mini - ipTIME MobileAP1 - ipTIME Multi - ipTIME Extender2 - ipTIME G1 - ipTIME G104 - ipTIME G104BE - ipTIME G104M - ipTIME G204 - ipTIME G304 - ipTIME G504 - ipTIME G504 - ipTIME G104i - ipTIME G104A - ipTIME Q604 - ipTIME V304 - ipTIME T3004 - ipTIME T3008 - ipTIME T16000 - ipTIME T24000 - ipTIME Q1 - ipTIME Q104 - ipTIME Q204 - ipTIME Q304 - ipTIME Q504 - ipTIME V104 - ipTIME V108 - ipTIME V308 - ipTIME V116 - ipTIME V124 - ipTIME V1024 - ipTIME V1016 - ipTIME T1004 - ipTIME T1008 - ipTIME X3003 - ipTIME X3007 - ipTIME X5007 - ipTIME X6003 Concerning the high CVSS score (10/10) of the vulnerability, the number of affected devices and the longevity of this vulnerability (6+ year old), we urge users to apply the new 9.58 firmware. ## Details The HTTP server allows the attacker to execute some CGI files. Many of them are vulnerable to a command inclusion which allows to execute commands with the http daemon user rights (root). root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /var/run/hwinfo company_name=EFM Networks product_name=ipTIME N604V url=www.iptime.co.kr max_vlan=5 mirror_port=1 num_lan_port=4 lan_port_swap=1 max_port=5 wan_port=5 firmup_duration=100 reboot_duration=40 max_wds=4 max_macauth=32 wireless_ifname=eth0 wan_ifname=eth2.2 local_ifname=br0 br0_port=eth2.1,eth0 port_diag=1 flash_diag_dev=/dev/mtd bootloader_size=0x10000 max_firmware_size=0x200000 save_flash_offset=0x10000 save_flash_size=0x10000 flash_sector_size=0x10000 max_syslog=400 ip_conntrack_max=8192 udp_conntrack_max=4096 icmp_conntrack_max=1024 auth_server=auth2.efm-net.com wan_ifidx=5 language=kr product_alias=n604v root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /home/http/build_date Mon Mar 23 14:54:50 KST 2015 root@kali:~/iptime# Considering the huge potential impact against the South Korea networks, we are not currently planning to release working exploits. The exploits will be posted on my blog located at https://pierrekim.github.io/blog/ ## Vendor Response The vendor has released a new firmware version (9.58) for 112 devices: http://iptime.com/iptime/?uid=16202&mod=document&page_id=16 ## Report Timeline * Jun 01, 2014: Vulnerability found by Pierre Kim and Alexandre Torres. * Mar 24, 2015: Vulnerability confirmed on all the existing versions from 2009 to 2015 including the last firmware version. * Apr 07, 2015: KRCERT is notified of the vulnerability using the FIRST dedicated email. * Apr 08, 2015: Pierre Kim tries to contact KRCERT using http://eng.krcert.or.kr/contactus/contact.jsp : this form doesn't work (nor
, nor JS for form-submission). * Apr 08, 2015: Vendor is contacted (security@iptime.com) to provide a valid GPG key. * Apr 08, 2015: Email sent to security@iptime.com is bounced. * Apr 08, 2015: Vendor is contacted (support@iptime.com) for a GPG key. * Apr 09, 2015: KRCERT is contacted (cert@krcert.or.kr - support email) for a GPG key. * Apr 09, 2015: vuln@krcert.or.kr is contacted. * Apr 09, 2015: KISA is contacted for a GPG key at http://www.kisa.or.kr/eng/contactUs/contactUs.jsp: 400 Bad Request or alert box saying the message was malformed. * Apr 09, 2015: KISA is contacted using Twitter (https://twitter.com/PierreKimSec/status/585986016294674433). * Apr 09, 2015: FIRST KRCERT answered asking for information about the vulnerabilites and agreed to contact ipTIME to develop a security patch as soon as possible. * Apr 09, 2015: 2 POCs are sent to FIRST KRCERT by email. * Apr 13, 2015: FIRST KRCERT confirms the POCs work and said they can't assign CVE. They ask a 90 days disclosure policy to allow ipTIME to work on this issue and asks if we can disclose the vulnerabilities details after a patch is released. * Apr 13, 2015: MITRE is contacted asking for a CVE number. * Apr 13, 2015: FIRST KRCERT is contacted : we agree on the 90 days vulnerability disclosure policy. We ask which models are vulnerable. * Apr 14, 2015: vuln@krcert.or.kr replies with one vulnerable model. The vulnerability information is sent to ipTIME and we have to use vuln@krcert.or.kr as a contact address now. * Apr 15, 2015: vuln@krcert.or.kr is contacted for a GPG key concerning other vulnerabilities found in ipTIME products. * Apr 16, 2015: Vendor releases 112 new firmwares. * Apr 16, 2015: vuln@krcert.or.kr is contacted to know if this new firmware fixes the vulnerabilities we reported. The vendor advisory specifies only "User Interface-related security" in Korean (thank you Google Translate). * Apr 16, 2015: From our tests, the vulnerabilities have been fixed. * Apr 17, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Alexandre Torres and Pierre Kim (@PierreKimSec). ## Greetings Big thanks to my friend working at YongSan, specialized in server hardware and alcohol, which gave me for free an ipTIME X3003 which resulted this complete pownage. ## References http://iptime.com/iptime/?uid=16202&mod=document&page_id=16 https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc ## Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVMHSPAAoJEMQ+Dtp9ky28/5gP/3xaajDhO5Y/u8PkegkGJ4bZ 63tbiOAh2CiioWzwQXhgPUVqCua8Fh+SFqrrwf1j3klZtiNPR8ThUiQC1efE9q2+ Q8oc4KMpb0Ysf+HuFBAU7mdqNZazZukAOTttDMSProap72D5QkqzRrWEiYk5Lk/9 R5/rj94iEZ3ZM3gZkFp1HHSKvkfTXdZdwxv4r2bq3URxqmUnj3aZ/ITmqxLEYEgT ufjoaGXodffnNJZNyhFpnIMgK6DZvs8/WdH2+zCKsCltru7ou2biBD1m0LIbYli4 tCUOzgUQ+FlR7KDmUmBWhtVQodKsWdOSnDJKnyjvLueS1YCGBLMuMiNnbtdmYU8Z qdFmAEnSysrxWupk+sPZkcxrzI/8eIbON937JrrCzTaE7jNNgTyhW1AwmDqMDpqe pWfPogBRZ1LpUSiOC++zFkkayVMVyhOmqDttrRMhCzW7bCuM9dmPBfBTjqiq6luZ HRofLYmG7PBtqCwEJi+AMzWydCJgnOEq2d26AK2BoDK2PuBfGG5Rg47HC82lNOsR 0mejdpCYJXBw30YjMG5O3cH1PjlG5JfVYXsHmaFTfvN9Omz8xJZBY2528e4gNCOS SkyGa4CFJ/QF6N+3kgc5AWpjuvAdtfqINBK2OShNdASGHC+Z4Eyj9J+eaXvu8g7J k6tQ5BWKb21foIfsrYyT =XTn6 -----END PGP SIGNATURE-----