SingTel / Aztech DSL8900GR(AC) Authentication Bypass
Posted on 14 November 2017
Credit: Cort Date: 5 Aug 2017 CVE: Not assigned Vendor: Aztech (https://www.aztech.com) / SingTel (https://www.singtel.com/) Product: Aztech DSL8900GR(AC) router Versions Affected: firmware 340.6.1-007 (latest available as of 9 Nov 2017) CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Fix: Not available. Introduction === The Aztech DSL8900GR(AC) router is distributed by SingTel (largest ISP in Singapore) with their business broadband package. It does not appear to be available for direct sales. The web admin interface for the router is protected by http basic access authentication, but it was found that this only applies to the main menu page. By directly visiting the pages used for the actual configurations (eg. DNS server settings page), no passwords are requested, and configuration changes can be successfully applied without authentication. While only the DSL8900GR(AC) was tested, other models of Aztech routers distributed by SingTel were observed to have an identical web admin interface and are potentially affected in the same way. Technical Description === The attack can be carried out by a local user without admin priviledges by directly visiting the configuration pages for the web admin interface. For example, visiting http://192.168.1.254/rtroutecfg.cmd?action=viewcfg will allow the user to view and change static routes on the router without requiring any authentication. The attack can also be remotely triggered without local access, by getting a local user to visit a malicious webpage or click on a link. The router accepts configurations change command via HTTP GET without authentication. The vulnerability can be exploited to change DNS servers, static routes, wifi passwords, and reboot the router. This can be used to spoof websites, capture traffic, or shutdown networks. All configuration changes accessible through the web admin interface are likely to be affected, but only the previously mentioned changes were tested. Proof of Concept (Local Attack) === 1) Connect to the router's network (eg. via wifi AP). 2) Visit http://192.168.1.254/rtroutecfg.cmd?action=viewcfg using any browser. No username or password is requested. 3) Change route using the web interface. It can be easily verified that the route change has been effected by the router. Proof of Concept (Remote Attack) === 1) Create a webpage containing the following HTML and place it anywhere on the internet. <iframe src="http://192.168.1.254/aztech_lancfg2.cgi?lanDnsSecondary=1.2.3.4"> </iframe> 2) Get a user on the router's network to visit the webpage. The user does not require admin priviledges. 3) The secondary DNS has now been changed to "1.2.3.4". This example is generally harmless, but other more dangerous changes can be made in the same way. Solutions === No known workaround. Patch was expected to complete testing by 30 Sep 2017, but there was subsequently no communications from the vendor on the patch status. Timeline === 2017-08-05 Discovery by Cort. Initial vendor (Aztech) notification (no response). 2017-08-12 Second notification to vendor (no response). 2017-08-17 Third notification to vendor (no response). 2017-08-21 Notified SingCert, who in turn notified Aztech and SingTel. 2017-09-06 Patch testing expected to be completed by 30 Sep 2017 (according to SingCert). 2017-10-05 SingCert checking on status of patch. No response on status. 2017-11-05 Contacted SingCert to check on status of patch (no response). 2017-11-11 Public disclosure of vulnerability due to lack of response from vendor.