CVE-2023-46685
A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-259 - Use of Hard-coded Password
The WBR-6013 is a SOHO wireless router produced by LevelOne.
The WBR-6013 has a telnetd service that listens for connections. The WBR-6013's documentation mentions neither telnetd nor the credentials for logging in to it.
The file /etc/passwd_orig is used as the /etc/passwd file. This file also contains the hashes of the users' passwords:
root:<redacted>:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
admin:<redacted>:1000:1000:Linux User,,,:/home/admin:/bin/sh
The credentials for obtaining root on the WBR-6013 through telnet are weak and hard-coded. An attacker could use these hard-coded credentials to obtain complete control over the device.
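For anyone reviewing an unpacked firmware image for this class of issue, the following added example (not code from Talos or LevelOne) audits a passwd-format file such as /etc/passwd_orig for password hashes baked into the image. The function name, the finding strings and the extra checks for empty passwords and non-root UID 0 accounts are assumptions of this example and go beyond what the advisory discusses.

```python
# Added example: audit a passwd-format file taken from an unpacked firmware image.
from dataclasses import dataclass

# Sample input: the three entries shown in the advisory. "<redacted>" stands in
# for the real hashes, which the advisory does not publish.
SAMPLE_PASSWD_ORIG = """\
root:<redacted>:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
admin:<redacted>:1000:1000:Linux User,,,:/home/admin:/bin/sh
"""

# Password-field values that mean "no hash stored here" (shadowed or locked).
NO_HASH = {"x", "*", "!", "!!"}
# Shell values that do not give an interactive session.
NON_LOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Finding:
    user: str
    issue: str


def audit_passwd(text):
    """Return a list of Finding objects for risky entries in passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        can_login = shell not in NON_LOGIN_SHELLS
        if pw == "" and can_login:
            findings.append(Finding(user, "empty password with login shell"))
        elif pw not in NO_HASH and pw != "" and can_login:
            # Same hash on every unit flashed with this image.
            findings.append(Finding(user, "password hash shipped in image"))
        if uid == "0" and user != "root":
            findings.append(Finding(user, "non-root account with UID 0"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD_ORIG):
        print(f"{f.user}: {f.issue}")
```
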
It is possible to connect to the telnetd service and obtain root by providing the hard-coded root password.
# telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
rlx-linux login: root
Password:
RLX Linux version 2.0
_ _ _
| | | ||_|
_ _ | | _ _ | | _ ____ _ _ _ _
| |/ || |\ \/ / | || | _ \| | | |\ \/ /
| |_/ | |/ \ | || | | | | |_| |/ \
|_| |_|\_/\_/ |_||_|_| |_|\____|\_/\_/
For further information check:
http://processor.realtek.com/
# ls /
bin etc init mnt root sys usr web
dev home lib proc sbin tmp var
LevelOne has declined to patch the issues in their software.
2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-07-08 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.