Exploit Title: Prolink PRN2001 Multiple Vulnerabilities

1. -Advisory Information-

Title: Prolink PRN2001 Multiple Vulnerabilities
Firmware: Ver 1.2
Firmware URL: http://www.prolink2u.com/download/fw/fw_PRN2001_V1.2_20130323.zip
Vendor Homepage: http://www.prolink2u.com/
Author: Herman Groeneveld aka sh4d0wman
Tested On: Windows 7 / Kali
Date published: Dec 01 2014
Release mode: Coordinated release

2. -Vulnerability Information-

PROLiNK® PRN2001 Wireless- N Broadband AP / Router is the ideal wireless solution most suited for home and small-businesses. Designed to support wireless speeds of up to 150Mbps, the PRN2001 offers stellar performance on the 2.4GHz frequency band. This top-notch home networking device functions as an Access Point, Router or a Universal Repeater.

Multiple vulnerabilities have been discovered in this router. The majority require a valid account on the device to exploit. Default credentials are: admin/password

In the default configuration all vulnerabilities are restricted to exploitation over the LAN/WLAN interfaces. A successful compromise would give an attacker full control over the device. This would enable an attacker to enable remote device management over the WAN interface. 


3. - Technical Description / Proof of Concept Code -

Introduction:

The following type of vulnerabilities have been discovered in the device:
- 3.1: CWE-286: Incorrect User Management
- 3.2: CWE-668: Exposure of Resource to Wrong Sphere
- 3.3: CWE-200: Information Exposure
- 3.4: CWE- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 3.5: CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service
- 3.6: CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration


Technical Description:
--------------------------------------------------------------

3.1 -Class: CWE-286: Incorrect User Management- 

Description: insufficient separation of privileges. Any account with user-level privileges has the following privileges in the web-management interface:
- Create new users with administrative privileges 
- Upgrade the device firmware
- Download and upload configuration files

PoC: users could escalate their privileges by creating a new account.

--------------------------------------------------------------

3.2 -CWE-668: Exposure of Resource to Wrong Sphere-

Description: a user-level account is not restricted from exporting or importing a device configuration file. The configuration file "config.img" is stored as plain-text XML. This is the root cause for the following vulnerabilities:

---------------------------------------------------------------

Name: privilege escalation through device configuration file

Description: the plaintext XML configuration file leaks the administrative user and password of the device giving an attacker full control over the device. 

PoC: administrative accounts have Flag value 0x0:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>

---------------------------------------------------------------

Name: telnet privilege escalation through device configuration file

Description: in the plaintext XML configuration file any administrative user account is set to: <V N="PRIORITY" V="0x2"/>. When this value is changed to <V N="PRIORITY" V="0x1"/> the account gains the following additional command options in a telnet shell:

- chksum: Check sum checking. Syntax: chksum address length
- dhcp: Enable DHCP client
- disable: Turn off privileged commands
- enable: Turn on privileged commands
- loaddll: Unknown functionality / DoS: issuing loaddll crashes the device
- script: Run specified script
- system: Show general system information
- webdll: Unknown functionality
- xfile: File copy functionality
- xip: Resolve dns

--------------------------------------------------------------

3.3 -CWE-200: Information Exposure-

Description: the device is leaking various kinds of sensitive information which can aid the attacker in vulnerability discovery and/or escalate privileges.

Vulnerable Functions:

--------------------------------------------------------------

Name: configuration-file sensitive information disclosure

Description: the XML configuration file "config.img" can be exported by user-level accounts and is stored as plain-text. The following sensitive information is leaked:

Confidentiality Related:
- Plaintext administrative credentials 
- Plaintext user-level credentials
- Plaintext PPoE WAN credentials
- Plaintext WEP key | WPA PSK | WSC Pin

Device Integrity Related:
- Create, Modify or Delete accounts:
PoC: change anything inside the chain or delete the complete chain:
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="PRIORITY" V="0x2"/>
</chain>

- Enabling Device Management over WAN:
PoC: modify NATRULE_INSRC_STATIC to allow web and or telnet device management over the WAN port.

- DNS traffic redirection:
PoC: modify DHCP Assigned DNS settings to point clients to a rogue DNS server.

--------------------------------------------------------------

Name: log-file sensitive information disclosure

Description: logging is disabled by default. When it is enabled any valid user-level or administrative accounts can view this log through the web-management interface. Invalid logon attempts show the username and invalid passwords in plaintext. If a user does misspell his password an attacker has a high chance of guessing the correct password.

Data Exposed:
- Usernames
- Passwords (partial)

--------------------------------------------------------------

Name: telnet sensitive information disclosure

Description: the telnet command "show web" lists the complete web structure which can aid an attacker in vulnerability discovery. 

PoC: the following URL's are leaked and not available through the default web-management interface:
- dhcpvendortbl_withoutcheck.htm
- debug.htm

--------------------------------------------------------------


3.4 -CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)-

Description: the web-based device management interface is vulnerable to persistent XSS attacks caused by insufficient input validation. A valid account on the router is needed to exploit the vulnerabilities. 

Vulnerable Functions:

--------------------------------------------------------------

URL: ddns.htm
Field(s): hostname, username
PoC: insert into both fields: <script>alert(String.fromCharCode(88,83,83));</script>

XSS Execution: 
- When the dyndns settings page is requested in the web-interface
- if logging is enabled: loading the system log in the web-interface

--------------------------------------------------------------

URL: login.htm
Fields: username
PoC: insert as username: <script>alert(String.fromCharCode(88,83,83));</script>

XSS Execution:
- if logging is enabled: loading the system log in the web-interface

-------------------------------------------------------------- 

URL: config.img
Field(s): any of the above values but modified through the configuration file (XML).

Description: the configuration file is stored in plain-text. Above injection can be carried out by inserting the XSS test-string into XML elements. Execution takes place inside the web-management interface when browsed to the vulnerable url's.

XSS Execution:
- same locations as previous disclosed injections but in XML, username injection example:

<V N="USERNAME" V="[XSS Inject Here]"/>
<V N="PASSWORD" V="test"/>

--------------------------------------------------------------


3.5 -CWE-730: OWASP Top Ten 2004 Category A9 - Denial of Service-

Description: un-authenticated and authenticated users can perform various actions which result in the router crashing and rebooting. In this process all LAN, WAN and Wireless connections are dropped.

Vulnerable Functions:

--------------------------------------------------------------

Name: Unauthenticated device DoS

Description: sending a request to [device ip]/autboot.htm in the web-management interface will initiate a factory-default reboot. In this process all LAN, WAN and Wireless connections are dropped. Device settings however remain unchanged.

PoC: GET request to [deviceip]/autoboot.htm

--------------------------------------------------------------

Name: Authenticated device DoS through invalid firmware update

Description: authenticated users could crash the device by uploading a large file as firmware upgrade. The device has no checks in place before the upload is accepted. After a certain amount of data is uploaded the device will initiate a reboot, most likely to resource exhaustion of either the memory or local disk space.

PoC: upload any big file as firmware image

--------------------------------------------------------------

Name: Authenticated Telnet custom command device DoS

Description: various custom telnet commands can be unlocked through the configuration file. Executing the "loaddll" command without any parameters will crash and reboot the device.

PoC: gain special privileges and issue the loaddll inside the telnet shell

--------------------------------------------------------------

Name: Authenticated NTP Date HTTP Request device DoS

Description: the web-management interface allows time configuration by authenticated users. If certain parts are modified the device will crash and reboot.

PoC: POST form2systime.cgi?year=1975&month=Jan&day=1&hour=0&min=19&sec=24&daylightsaving=6&submit.htm%3Ftime.htm=send
Insert junk (for example: A*400) in Year, Month or Day and the device will crash.

--------------------------------------------------------------


3.6 -CWE-933: OWASP Top Ten 2013 Category A5 - Security Misconfiguration-

Description: various configuration settings do not conform to general recommended security best practices weakening the device's security posture. 

Vulnerable Functions:

--------------------------------------------------------------

Name: configuration error 

Description: when new user accounts are created through the web-management interface the default permissions are root-level and these can't be changed to user-level. However intercepting the HTTP request and modifying the permissions parameter to user-level results in the creation of a user account with user-level privileges. Parts of the web management interface will be restricted.

PoC: enter a valid name and password, change the privilege level to 1 (root priv) or 2 (user priv):
username=[name]&privilege=[2]&newpass=[pass]&confpass=[pass]&adduser=Add&hiddenpass=$submit.htm%Fuserconfig.htm=Send

--------------------------------------------------------------

Name: unencrypted device management protocols

Description: the router can be managed either through the web-management interface which sends HTTP traffic or by Telnet. Both protocols use plaintext communications which could allow an attacker to intercept and/or modify this traffic.

--------------------------------------------------------------

Name: password complexity and lockout policy

Description: no password complexity is enforced, the minimum length is 1 character. No lockout mechanism does exist for the web-management interface. This enables an attacker to guess a correct username / password combination through password guessing or brute-forcing. Weak passwords give an attacker a higher chance of success.
The telnet service features a lockout policy; it disconnects any client after three wrong login attempts.

PoC: hydra [ip] -l admin -P /root/Desktop/pass.txt -f -v -t 1 http-post-form '/login.cgi:username=^USER^&password=^PASS^&submit.htm%3Flogin.htm=Send:F=Username or password error'

--------------------------------------------------------------

4. -Vendor Information, Solutions and Workarounds-
Date 10-10-2014 - Vulnerabilities discovered
Date 20-10-2014 - Contacted vendor by e-mail for responsble disclosure, informed them of release date December 1st 2014
		  No Reply
Date 01-11-2014 - Contacted vendor by e-mail
		  No Reply
Date 15-11-2014 - Contacted vendor by e-mail
		  No Reply
Date 01-12-2014 - Public Disclosure

5. -Author-
This vulnerability was discovered and researched by: Herman Groeneveld aka sh4d0wman
I am a freelance security consultant / researcher based in Phnom Penh
Looking for career opportunities, fellow researchers, help in unpacking the encrypted firmware :-)
herman_worldwide [at] hotmail [.co]m