{"id":11493,"date":"2018-02-14T14:19:18","date_gmt":"2018-02-14T22:19:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/14\/news-5264\/"},"modified":"2018-02-14T14:19:18","modified_gmt":"2018-02-14T22:19:18","slug":"news-5264","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/14\/news-5264\/","title":{"rendered":"SSD Advisory \u2013 TrendNet AUTHORIZED_GROUP Information Disclosure"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 14 Feb 2018 08:58:11 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3627\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3627');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an information disclosure found in the following TrendNet routers:<\/p>\n<ul>\n<li>TEW-751DR &#8211; v1.03B03<\/li>\n<li>TEW-752DRU &#8211; v1.03B01<\/li>\n<li>TEW733GR &#8211; v1.03B01<\/li>\n<\/ul>\n<p>TRENDnet\u2019s &#8220;N600 Dual Band Wireless Router, model TEW-751DR, offers proven concurrent Dual Band 300 Mbps Wireless N networking. Embedded GREENnet technology reduces power consumption by up to 50%. For your convenience this router comes pre-encrypted and features guest networks. Seamlessly stream HD video with this powerful router.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Several attempts to email TrendNet went unanswered, we have no idea what is the status of a fix or availability of a workaround.<br \/> <span id=\"more-3627\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> When an Admin is log-in to one of the mentioned TrendNet routers &#8211; it will trigger the global variable: $AUTHORIZED_GROUP >= 1.<\/p>\n<p>An attacker can use this global variable to bypass security checks and use it to read arbitrary files.<\/p>\n<p>If we will extract the firmware and load it into IDA and take a look at cgibin (phpcgi_main function)- will see that the following:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1.jpg\" data-slb-active=\"1\" data-slb-asset=\"21189502\" data-slb-internal=\"0\" data-slb-group=\"3627\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1-300x271.jpg\" alt=\"\" width=\"300\" height=\"271\" class=\"alignnone size-medium wp-image-3628\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1-300x271.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1-768x693.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1-1024x924.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1.jpg 1069w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The interesting part here is the REQUEST_METHOD (HEAD, GET, POST) and how it&#8217;s parse the request (cgibin_parse_request):<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"1276865925\" data-slb-internal=\"0\" data-slb-group=\"3627\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-2-300x206.jpg\" alt=\"\" width=\"300\" height=\"206\" class=\"alignnone size-medium wp-image-3631\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-2-300x206.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-2-768x529.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-2.jpg 1001w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-3.jpg\" data-slb-active=\"1\" data-slb-asset=\"1281024655\" data-slb-internal=\"0\" data-slb-group=\"3627\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-3-300x290.jpg\" alt=\"\" width=\"300\" height=\"290\" class=\"alignnone size-medium wp-image-3630\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-3-300x290.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-3-768x744.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-3.jpg 1009w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>It should look like that:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-23-combo.jpg\" data-slb-active=\"1\" data-slb-asset=\"701609239\" data-slb-internal=\"0\" data-slb-group=\"3627\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-23-combo-215x300.jpg\" alt=\"\" width=\"215\" height=\"300\" class=\"alignnone size-medium wp-image-3629\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-23-combo-215x300.jpg 215w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-23-combo.jpg 533w\" sizes=\"auto, (max-width: 215px) 100vw, 215px\" \/><\/a><\/p>\n<p>Unauthorized users can not execute statements -> AUTHORIZED_GROUP=-1<\/p>\n<p>But, the functions sub_405CF8() is executed before sess_validate()<\/p>\n<p>sub_405CF8() is where you get the AUTHORIZED_GROUP value.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4.jpg\" data-slb-active=\"1\" data-slb-asset=\"543716788\" data-slb-internal=\"0\" data-slb-group=\"3627\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4-300x77.jpg\" alt=\"\" width=\"300\" height=\"77\" class=\"alignnone size-medium wp-image-3632\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4-300x77.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4-768x197.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4-1024x263.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-4.jpg 1249w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Therefore, If you put AUTHORIZED_GROUP=1 in the request value, you can execute the statement as an authorized user.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a84b5e5cd64f574134413\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> $ curl -d &#8220;SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1&#8221; &#8220;http:\/\/[IP]\/getcfg.php&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0007 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3627\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/Trendnet-1-300x271.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 14 Feb 2018 08:58:11 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an information disclosure found in the following TrendNet routers: TEW-751DR &#8211; v1.03B03 TEW-752DRU &#8211; v1.03B01 TEW733GR &#8211; v1.03B01 TRENDnet\u2019s &#8220;N600 Dual Band Wireless Router, model TEW-751DR, offers proven concurrent Dual Band 300 Mbps Wireless N networking. Embedded GREENnet technology reduces power consumption by up to 50%. For your convenience &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3627\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 TrendNet AUTHORIZED_GROUP Information Disclosure<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12135,10757,12136],"class_list":["post-11493","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-information-disclosure","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11493"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11493\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11493"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}