Vendor: iB-WRA150N
By: maxki4x
CVSS: 8.8 (HIGH)
Hard coded accounts, Remote command execution
CWE: 798
Product Name: iB-WRA150N
Affected Version From: 1.2.6 build 110401 Rel.47776n
Affected Version To: 1.2.6 build 110401 Rel.47776n
Patch Exists: NO
Related CWE: CVE-2018-6388
CPE: o:iball:ib-wra150n_firmware:1.2.6_build_110401_rel.47776n
2018

Vulnerabilities in iB-WRA150N devices

The iB-WRA150N devices have hard coded accounts with default usernames and passwords. This allows an attacker to gain unauthorized access to the device. Additionally, the devices are vulnerable to remote command execution due to insufficient input filtering in the ping test arguments on the Diagnostics page. An attacker can inject arbitrary commands and retrieve sensitive files such as the /etc/passwd file.

Mitigation:

The vendor has not provided a solution or workaround for these vulnerabilities at the time of reporting. It is recommended to change the default usernames and passwords for the affected devices. Additionally, the input filtering should be improved to prevent remote command execution.

Exploit-DB raw data:

## Vulnerabilities summary
The following advisory describes two (2) vulnerabilities found in iB-WRA150N devices, firmware 1.2.6 build 110401 Rel.47776n.

iB-WRA150N is “a powerful solution to Internet connectivity at home, small offices and work stations. The key is if you are using an ADSL2+ connection now and later decide to change to Broadband or vice-versa you don’t need to change your router. This iBall router is 2-in-1 and compatible to both – Broadband connection as well as ADSL2 connection (Telephone connection or cable operator connection). ”

The vulnerabilities found are:

- Hard coded accounts
- Remote command execution

## Credit
An independent security researcher, maxki4x, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

## Vendor response
We have tried to contact iBall since December 20, 2017. Repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.

CVE: CVE-2018-6388

## Vulnerabilities details

## Hard coded accounts
Username: admin
Password: admin

Username: support
Password: support

Username: user
Password: user

## Remote command execution
After logging in to the victim's router using the hard coded accounts, we can trigger the second vulnerability and achieve remote command execution.

User-controlled input is not sufficiently filtered, allowing a user to inject arbitrary commands into the ping test arguments on the Diagnostics page.

By entering the following input in the ping test arguments on the Diagnostics page, the attacker can get the /etc/passwd file:

```
127.0.0.1;cat /etc/passwd
```