Engenius ESR9850 - Authenticated Remote Code Execution

CVE-2015-1502

Type
  • Command Injection

Severity
  • Medium

Affected products
  • Engenius ESR9850 Wireless Router

CVE Reference
  • CVE-2015-1502

Timeline

2015-01-14 Vulnerability discovered.
2015-01-16 Vendor contact attempt #1 – no response.
2015-01-22 Vendor contact attempt #2 – no response.
2015-01-27 Vendor contact attempt #3 – no response.
2015-02-06 CVE ID issued by MITRE.

Description

The Engenius ESR9850 Wireless Router is vulnerable to 'command injection' via the device's web administrative interface. Arbitrary commands can be executed, and the output of an injected command is partially visible (only a single line) in the HTTP response. In addition, because the 'utelnetd' binary is present on the device, a telnet service can be started through this command injection vulnerability and then connected to on port 23 to gain a root shell without any further authentication. Exploiting the vulnerability requires authenticated access (HTTP basic authentication) to the web administrative interface.

*There is an option that allows administrative access from the Internet via port 8080, but it has to be turned on manually by the administrator. By default, the web interface can only be accessed from the local network. When the option is enabled, the risk rating increases significantly.

Impact

An attacker could gain full administrative access (root) to the embedded operating system running Busybox 1.7.5 on Linux kernel 2.6.21. This allows the attacker to perform privileged actions beyond the device’s web administrative interface.

Cause

The URL that is vulnerable to command injection is http://[device_ip_address]/sysdiag.htm and the affected parameter is 'diagIPAddr'. The page is intended to let users run a 'ping' for diagnostic purposes. Although the page contains JavaScript that prevents users from submitting anything other than an IP address, the HTTP request can be intercepted to bypass this client-side check. There is no server-side validation of the 'diagIPAddr' parameter, and the untrusted input is placed inline in the shell statement. As a result, command injection can be achieved by appending ';' to the normal input (in this case, an IP address) followed by an arbitrary Linux command.
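To make the root cause concrete, the following is an added example written for this page, not code from the ESR9850 firmware: a hypothetical CGI handler in the vulnerable shape the advisory describes (the parameter is pasted into a shell command line), next to a hardened handler that enforces a strict dotted-quad check on the server side and execs ping with an argv array so no shell ever interprets the input. The same validator is applied to a query string, which is how an administrator could review web-server access logs for requests to sysdiag.htm whose diagIPAddr value is not a plain IP address. The parameter name comes from the advisory; the function names and the sample query strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape (hypothetical, not the device's actual code): the request
 * parameter is formatted straight into a command line that would be handed to
 * system()/popen(). A ';' in the parameter survives into the string, so the
 * shell would treat whatever follows it as a second command. Shown only to
 * contrast with the hardened path; nothing here executes it. */
int build_unsafe_command(const char *param, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 %s", param);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Strict server-side validator: exactly four decimal octets in 0..255 and
 * nothing else. Rejects shell metacharacters, whitespace, trailing data and
 * leading zeros. Returns 1 for a valid dotted quad, 0 otherwise. */
int is_valid_ipv4(const char *s) {
    int octets = 0;
    const char *p = s;
    if (s == NULL || *s == '\0') return 0;
    for (;;) {
        int val = 0, digits = 0;
        if (!isdigit((unsigned char)*p)) return 0;
        while (isdigit((unsigned char)*p)) {
            if (digits > 0 && val == 0) return 0;   /* "01" style octet */
            val = val * 10 + (*p - '0');
            if (val > 255) return 0;
            digits++;
            p++;
        }
        if (digits > 3) return 0;
        octets++;
        if (*p == '.') { p++; continue; }
        if (*p == '\0') break;
        return 0;                                   /* e.g. ';' after the IP */
    }
    return octets == 4;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Extract one parameter from a query string with percent-decoding, so the
 * validator can be run over values as they appear in access logs. Returns 1
 * if the parameter was present, 0 if absent. */
int extract_param(const char *query, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t o = 0;
            while (*v && *v != '&' && o + 1 < outlen) {
                if (*v == '%' && hexval(v[1]) >= 0 && hexval(v[2]) >= 0) {
                    out[o++] = (char)(hexval(v[1]) * 16 + hexval(v[2]));
                    v += 3;
                } else if (*v == '+') { out[o++] = ' '; v++; }
                else { out[o++] = *v++; }
            }
            out[o] = '\0';
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* Log review helper: 1 = diagIPAddr present but not a plain IPv4 address
 * (the shape of the request this advisory describes), 0 = clean or absent. */
int request_is_suspicious(const char *query) {
    char val[256];
    if (!extract_param(query, "diagIPAddr", val, sizeof val)) return 0;
    return is_valid_ipv4(val) ? 0 : 1;
}

/* Hardened handler: validate first, then exec ping directly with an argv
 * array. No shell is involved, so metacharacters carry no meaning. Returns
 * ping's exit status, or -1 if the input was rejected or exec failed. */
int run_ping(const char *addr) {
    if (!is_valid_ipv4(addr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", (char *)addr, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *q = "diagIPAddr=192.168.1.1";   /* constructed sample request */
    printf("%s -> %s\n", q, request_is_suspicious(q) ? "suspicious" : "ok");
    return 0;
}
```

The validator deliberately does not use inet_pton or a regex: an allow-list of exactly the characters and structure the page needs is easier to audit than a deny-list of metacharacters, and the argv-based exec means that even a validation slip cannot turn the parameter into a shell command.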

Interim Workaround

Ensure that access to the web administrative interface is protected with a strong password that is at least 12 characters long and contains at least one character from each of the following classes:
• An uppercase letter
• A lowercase letter
• A digit
• A special character
In addition, use HTTPS to prevent a Man-in-the-Middle attack that could compromise the credentials in-transit between the administrator and the router.

Solution

There is no official fix at this point in time, so the interim workaround should be applied. It should also be noted that the product has been discontinued.

Technical Details

Please refer to the attached advisory.