-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Title: 112 ipTIME Router/WiFi AP/Modem/Firewall models vulnerable
to RCE with root privileges
Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x00.txt.asc
Date published: 2015-04-17
Vendors contacted: KrCERT, ipTIME
Release mode: Released
CVE: no current CVE
EFMNetworks ipTIME is the largest Korean brand of SOHO/small/medium
enterprise Routers/WiFi APs/Modems/Firewalls in South Korea,
with millions of devices deployed in the country. EFMNetworks ipTIME
holds more than 60 percent of the personal network device market.
Roughly 10 000 000 ipTIME devices are deployed in South Korea.
This vulnerability allows an attacker to bypass the admin authentication
and obtain direct RCE as root from the LAN side with a single HTTP request.
This is a direct RCE against the Routers/WiFi APs/Modems/Firewalls
which gives complete root access to the embedded Linux from the LAN
side.
The exploit does not work by default from the WAN (there is no HTTP or
UPnP access from the WAN by default unless it is activated).
If the remote admin interface is enabled on the WAN, it exposes the
devices to this vulnerability from the Internet.
It affects 112 ipTIME products, from 2009-era firmware up to the 9.52
firmware (build time 2015-03-23), in the default configuration.
Given the high CVSS score (10/10) of the vulnerability, the number of
affected devices and the longevity of this vulnerability (6+ years old),
we urge users to apply the new 9.58 firmware.
The HTTP server allows the attacker to execute some CGI files.
Many of them are vulnerable to command injection, which allows an
attacker to execute commands with the rights of the HTTP daemon user
(root).
root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /var/run/hwinfo
company_name=EFM Networks
product_name=ipTIME N604V
url=www.iptime.co.kr
max_vlan=5
mirror_port=1
num_lan_port=4
lan_port_swap=1
max_port=5
wan_port=5
firmup_duration=100
reboot_duration=40
max_wds=4
max_macauth=32
wireless_ifname=eth0
wan_ifname=eth2.2
local_ifname=br0
br0_port=eth2.1,eth0
port_diag=1
flash_diag_dev=/dev/mtd
bootloader_size=0x10000
max_firmware_size=0x200000
save_flash_offset=0x10000
save_flash_size=0x10000
flash_sector_size=0x10000
max_syslog=400
ip_conntrack_max=8192
udp_conntrack_max=4096
icmp_conntrack_max=1024
auth_server=auth2.efm-net.com
wan_ifidx=5
language=kr
product_alias=n604v
root@kali:~/iptime# ./iptime.carnage 192.168.0.1 cat /home/http/build_date
Mon Mar 23 14:54:50 KST 2015
root@kali:~/iptime#
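As an added example (not part of the advisory or of any vendor tooling), a fleet check that parses the /var/run/hwinfo and /home/http/build_date output shown above and flags firmware built on or before the 9.52 build date (2015-03-23) as affected per this advisory. The KST timezone token is ignored, the embedded sample hwinfo is constructed from the values above, and the "9.58 or later" advice is taken from the advisory.

```python
import re
from datetime import date

# Build date of the last affected firmware (9.52), as stated in the advisory.
LAST_AFFECTED_BUILD = date(2015, 3, 23)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed sample, shortened from the /var/run/hwinfo dump above.
SAMPLE_HWINFO = """company_name=EFM Networks
product_name=ipTIME N604V
url=www.iptime.co.kr
wan_ifname=eth2.2
local_ifname=br0
product_alias=n604v
"""

def parse_hwinfo(text):
    """Parse the key=value lines of /var/run/hwinfo into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:                      # skip blank or malformed lines
            info[key.strip()] = value.strip()
    return info

def parse_build_date(text):
    """Parse a build_date line such as 'Mon Mar 23 14:54:50 KST 2015'.
    Only the calendar date is kept; the timezone token is ignored."""
    m = re.match(r"\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})",
                 text.strip())
    if not m or m.group(1) not in MONTHS:
        raise ValueError("unrecognised build_date format: %r" % text)
    mon, day, year = m.groups()
    return date(int(year), MONTHS[mon], int(day))

def assess(hwinfo_text, build_date_text):
    """Return product, build date and whether the build is in the affected range."""
    info = parse_hwinfo(hwinfo_text)
    built = parse_build_date(build_date_text)
    affected = built <= LAST_AFFECTED_BUILD
    return {
        "product": info.get("product_name", "unknown"),
        "build_date": built.isoformat(),
        "affected": affected,
        "advice": ("upgrade to firmware 9.58 or later" if affected
                   else "build is newer than 9.52; confirm it is 9.58 or later"),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_HWINFO, "Mon Mar 23 14:54:50 KST 2015"))
```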
Considering the huge potential impact against South Korean networks,
we are not currently planning to release working exploits.
The exploits will be posted on my blog located at
https://pierrekim.github.io/blog/
The vendor has released a new firmware version (9.58) for 112 devices:
http://iptime.com/iptime/?uid=16202&mod=document&page_id=16
This vulnerability was found by Alexandre Torres and Pierre Kim (@PierreKimSec).
Big thanks to my friend working at YongSan, specialized in server
hardware and alcohol, who gave me an ipTIME X3003 for free, which
resulted in this complete pwnage.
This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/