Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Allied Telesis AT-RG634A Unauthenticated Webshell

Related Vulnerabilities: CVE-2014-1982  
Publish Date: 26 Mar 2014
Author: Sebastian Muniz
Source 
                							

                *Title:*
 
Allied Telesis AT-RG634A ADSL Broadband router hidden administrative
unauthenticated webshell.
 
*Vulnerability Information:*
- CVE: CVE-2014-1982
- Type of Vulnerability:
  - CWE-78  : OS Command Injection
  - CWE-306 : Missing Authentication for Critical Function
 
*Affected products:*
 
- Allied Telesis AT-RG634A ADSL Broadband router. (version 3.3+ and
probably others)
 
Other products like,
   - Allied Telesis iMG624A  (firmware version, 3.5)
   - Allied Telesis iMG616LH (firmware version, +2.4)
   - Allied Telesis iMG646BD (firmware version, 3.5)
 
*Vendor:*
- Allied Telesis : http://www.alliedtelesis.com//
 
 
has the same vulnerbility, but the vendor reports that the version
3.8.05 of the firmware has already addressed this issue, but we where
unable to test nor confirm this information.
 
*Security Patches / Workaround:*
 
- Allied Telesis has noted that the AT-RG634A product is no longer
supported, but gives a workaround
to mitigate the issue.
 
Configure the device so that only trusted devices can
access the target device using the following command,
 
"WEBSERVER SET MANAGEMENTIP <ip-address>"
 
*Short Description:*
 
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden url
page in their admnistrative HTTP interface capable of executing
commands as admin without requiring any kind of authentication.
 
*Description:*
 
"The AT-RG634 is a full-featured, broadband media gateway and router
designed for cost-effective delivery of advanced IP Triple Play voice,
video and data services over an ADSL infrastructure. The RG634
supports Layer 3 functions, including NAT, DMZ, and Stateful
inspection firewall for delivery of revenue-generating services such
as home networking and security services." (from
www.alliedtelesis.com/p-2345.html)
 
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL
(/cli.html) page to execute CLI command with admin priviledges,
available by default and without any kind of authentication.
 
Having as impact a total compromise of the target device.
 
*Steps to reproduce:*
 
- Connect via HTTP to the hidden page http://<device IP>/cli.html a
input box is shown, every command typed there will be executed as admin.
 
Entering the following lines in the hidden page (/cli.html) a new
telnet admin user called "eviluser" is added to the system.
 
>> system add login eviluser system set user eviluser access
>> superuser.
 
 
*Credits:*
 
This security issue was discovered and researched by Sebastian Muniz
(topo), Security Researcher of Groundworks Technologies
(http://www.groundworkstech.com)
 
 
*License:*
 
The contents of this advisory are copyright (c) 2014 Groundworks
Technologies,and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started