Talos Vulnerability Report

TALOS-2024-1996

LevelOne WBR-6012 Web Application authentication bypass vulnerability

October 30, 2024
CVE Number

CVE-2024-23309

SUMMARY

The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Attackers could spoof an IP address to gain unauthorized access without needing a session token.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-291 - Reliance on IP Address for Authentication

DETAILS

The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.

Once authenticated to the web application, no session token is needed as the web application is using the client IP address to determine if a request is authenticated or not.

To determine whether a user is authenticated, the device checks whether the current client IP address matches the client IP address of the most recent successful login. This can be observed in the function at 0x800e9614, which processes the web application functionality that requires authentication, most of which resides in /cgi-bin/.

The IP address of the most recently authenticated user is stored as a global variable (LOGGED_IP) located at 0x801af040. This global is written to in several locations, almost exclusively by the http_main, login, and logout functions.

The current client IP address is stored in a global variable (CLIENT_IP) located at 0x801bec8c.

The simplest way to confirm, in the firmware, that the device relies solely on the IP address for authentication is to look at the logout function (0x800e6898). This is a simple function with some logic to determine whether the user logging out has “admin” or “user” privileges, after which it prints a message to the system log:

800e6914 printf("S%s from %I logged out\n",user_name,CLIENT_IP);

However, the only functionality related to revoking a user’s authentication (0x800e68cc) is shown in the pseudocode below:

int logout(void){
  /* Only the address that performed the most recent login may revoke it;
     there is no session token to invalidate, the IP is the whole credential. */
  if (LOGGED_IP == CLIENT_IP) {
    LOGIN_SECONDS_TIME = 0xffffffff;
    LOGGED_IP = 0;          /* forget the logged-in client IP */
    user_level = 0;
  }

  LOGIN_LEVEL = 0;
  *HTTP_PARAMS_VALUES[0] = '@';
  return 0;
}

In addition, elsewhere in the application the check made when determining whether a user is authenticated is simply LOGGED_IP == CLIENT_IP (for example at 0x800c021c).
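The following is an added illustration, not code from the advisory or from the vendor firmware: a minimal model of the IP-bound check the advisory describes (LOGGED_IP compared against CLIENT_IP) beside a session-token check, replaying the two-hosts-one-address scenario from a defender's point of view. The class names, the Request type and the ADMIN_PASSWORD constant are constructed for the model; only the LOGGED_IP/CLIENT_IP comparison and the shape of logout() come from the advisory.

```python
"""Model of the WBR-6012 IP-bound authentication check beside a session-token
check.  Added example; names below are constructed, not firmware symbols."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed credential for the model only.
ADMIN_PASSWORD = "example-password"


@dataclass
class Request:
    client_ip: str                 # what the firmware keeps in CLIENT_IP
    cookie: Optional[str] = None   # session token, if the client holds one


class IpBoundAuth:
    """Mirrors the advisory's logic: the only login state kept is the IP
    address of the most recent successful login (LOGGED_IP)."""

    def __init__(self) -> None:
        self.logged_ip: Optional[str] = None   # LOGGED_IP
        self.user_level = 0

    def login(self, req: Request, password: str) -> bool:
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return False
        self.logged_ip = req.client_ip   # remembers only the source address
        self.user_level = 1
        return True

    def is_authenticated(self, req: Request) -> bool:
        # The check the advisory points at: LOGGED_IP == CLIENT_IP.
        return self.logged_ip is not None and self.logged_ip == req.client_ip

    def logout(self, req: Request) -> None:
        # Same shape as the logout() pseudocode: any host presenting the
        # logged-in address may also revoke the login.
        if self.logged_ip == req.client_ip:
            self.logged_ip = None
            self.user_level = 0


class TokenAuth:
    """Hardened form: an unguessable per-session token issued at login and
    required on every request; the source IP is not treated as a credential."""

    def __init__(self) -> None:
        self.session_token: Optional[str] = None

    def login(self, req: Request, password: str) -> Optional[str]:
        if not hmac.compare_digest(password, ADMIN_PASSWORD):
            return None
        self.session_token = secrets.token_hex(32)   # 256-bit random token
        return self.session_token

    def is_authenticated(self, req: Request) -> bool:
        if self.session_token is None or req.cookie is None:
            return False
        return hmac.compare_digest(req.cookie, self.session_token)

    def logout(self, req: Request) -> None:
        if self.is_authenticated(req):
            self.session_token = None


def demo() -> dict:
    """PC1 logs in; PC2 later appears with the same address (constructed
    192.168.1.100, as in the advisory's test) but none of PC1's state."""
    pc1 = Request(client_ip="192.168.1.100")
    pc2 = Request(client_ip="192.168.1.100")   # different host, same address

    ip_auth = IpBoundAuth()
    ip_auth.login(pc1, ADMIN_PASSWORD)

    tok_auth = TokenAuth()
    token = tok_auth.login(pc1, ADMIN_PASSWORD)
    pc1_with_token = Request(client_ip="192.168.1.100", cookie=token)

    return {
        "ip_model_pc2_authenticated": ip_auth.is_authenticated(pc2),
        "token_model_pc2_authenticated": tok_auth.is_authenticated(pc2),
        "token_model_pc1_authenticated": tok_auth.is_authenticated(pc1_with_token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the IP-bound model PC2 is accepted without ever having logged in, which is exactly CWE-291; in the token model the same request is refused because the address carries no authority on its own. Binding a token to the client IP can still be layered on as a defence in depth, but the token, not the address, must be the credential.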

Exploit Proof of Concept

Validated several ways, but the most foolproof is:

  1. take 2 different physical systems (PC1 and PC2) not connected to any network and assign them the same IP address (used 192.168.1.100 in testing)
  2. physically connect PC1 to the router and log in to the web application
  3. physically disconnect PC1 from the router
  4. physically connect PC2 to the router and load any web page of the router’s web application
     1. the router will treat PC2 as authenticated and allow access to all pages and functionality

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.