My First CVE- Linksys WRT 1300 ACS- CVE-2019-7311
So having completed my OSCP this summer and studying for OSCE I wanted to begin the process of trying to find security bugs in the real world. Obtaining a CVE and listing in the exploitdb seemed like a good start. I decided to begin with those things in proximity to me….like my router. Several months ago i had recently listened to a podcast (i’ll try to find the link) to a security flaw within a netgear router of similar vintage (2014?) to my own linksys. The podcast described a crazy lack of best practices when it came to this particular netgear router. Things like….a plain text password being located on the router, FTP being opened to the public internet, and all manner of bad things. Things that shouldnt be a thing in the 21st century for a $200+ device that functions as the gateway of internet access for millions of internet users. As I listed to the podcast I didn’t hear anything described too exotic from those security basics that I learned. I thought to myself I know how to MITM, use nmap, fuzz and use burp…i should give it a shot!
With two weeks worth of review under the way i’ve already found a series of issues with my several hundred dollar linksys router. Some specific areas of concerns that will become future blog entries (like unauthenticated access to router)! and some that should provide more fodder for future research (diagnostic report anyone). For now and the topic of this blog entry is how my LinkSys WRT 1300 ACS seems to manage authentication ….or doesnt….otherwise known as CVE-2019-7311.
The Flaw
The flaw is basic and can be broken into 3 parts.
- The router does not default-ly use HTTPS for logging into its admin interface. This fact means that communication between it and the user during administrative tasks are not encrypted.
- The router uses base64 to hash the username password. For those of you still new to security research, base64 is not encryption its simply an alternatively way to represent text. It might as well be plain text!
- The router seems to send the username and password (in base64) in the form of a cookie with almost every transaction.
The design flaw can be seen by capturing the packets from your web browser to your router using something like Burp.
As can seen below, the line JNAP Authorization contains what appears to be random text (its not its base64).
When base64 decoded you can see the password.
YWRtaW46bm90bXlyZWFscGFzc3dvcmQ=
EQUALS
admin:notmyrealpassword
Implications
The implications are that if anyone is sniffing your network while you log in administratively to your router or gains immediate access to your computer after log in they will be able to acquire your admin password.
How Did I find It?
By having too much time on my hands and examining the login process between my computer and the router.
The CVE Process
- 2/1/19:Requested CVE
- 2/4/19 : Notified manufacturer of design flaw.
- 4/28/19: No Response- Published Flaw