Ghetto Patch Diffing a Cisco RV110W Firmware Update
qkaiser •
I received an email last week from someone looking into vulnerabilities affecting Cisco RV110W. They were wondering if I had any information about CVE-2020-3323, CVE-2020-3330, or CVE-2020-3331 that were released at the same time than the ones I had found.
CVE-2020-3323 and CVE-2020-3331 are described as unauthenticated remote code execution, while CVE-2020-3330 is a system account with default password. They were discovered by Larryxi of XDSEC, and Gyengtak Kim, Jeongun Baek, and Sanghyuk Lee of GeekPwn.
Knowing nothing about these specific issues, I initially answered that they should download firmware files and perform patch diffing, looking for memory corruption fixes like “strcpy” magically morphing into “strncpy”. As I went through the advisories, I couldn’t resist the urge to do it myself, especially when these issues are similar to the ones I reported. I think it’s a nice exercise in identifying my own blind spots :)
Finding CVE-2020-3330
I started by downloading the two most recent version of Cisco RV110W firmware (1.2.2.8 and 1.2.2.5) and extracting them with binwalk.
Now we need to find what changed between these two updates. We will hash each file from the squashfs filesystem using MD5 and then compare fingerprints using diff.
Let’s start by building the hash files:
Then we can run diff:
It appears that Cisco simply removed utelnetd binary from the firmware. It makes sense given that this service can’t be enabled from the web UI. Probably an artifact left from internal testing.
Anyway, utelnetd - like any good unix tool - rely on /bin/login to authenticate users. It’s a built-in binary that uses /etc/shadow to authenticate users. The shadow file is absent from the firmware squashfs file system so it must be generated when the device boots up.
Let’s search for references to /etc/shadow:
/sbin/rc is a good candidate. That binary is executed during Linux initialization procedure. Let’s run strings on it and look for references to /etc/shadow:
And voilà ! We now know that the static default credentials belonged to the admin user. However we only have the md5crypt hash of that password. Let’s run hashcat with rockyou and some rules:
There you go. The static credentials found in RV110W firmware before 1.2.2.8 are admin:Admin123.
Note that I never found a way to enable Telnet from the device web interface and that none of the RV110W exposed on the Internet have Telnet port open.
In the next installation of this series, I’ll perform more advanced patch diffing with Ghidra to find CVE-2020-3323 and CVE-2020-3331.
As always, if you have any question just get in touch on Twitter or by email :)