Netis Routers - Remote Code Execution (CVE-2019-19356)


January 27, 2020 by Elias Issa

Introduction

During a security assessment for one of our customers, we came across a significant vulnerability (CVE-2019-19356) in a NETIS WF2419 router. The vulnerability is an authenticated Remote Code Execution (RCE) as root through the router's web management page.

We confirmed the vulnerability on firmware version V1.2.31805 and on the latest available firmware version V2.2.36123. Other models and firmware versions may also be vulnerable.

At the time of reporting, the WF2419 had already reached end of life, which means that no fix will be provided for this vulnerability. We recommend upgrading to a newer device model.

Vulnerability Details


A few prerequisites are required to exploit the vulnerability. First, the attacker needs network access to the router's web management page. Second, if authentication is enforced, the attacker has to authenticate, for instance by trying weak or default passwords, by intercepting credentials through a Man-in-the-Middle attack, or by any other means.

Once authenticated, the "System Tools" menu exposes a "Diagnostic Tools" page. This page lets the user run the UNIX "ping" and "tracert" commands against an IP address or domain name entered in the form. The router's operating system then runs the chosen command against the specified target and displays the command output on the web page.

For the "ping" command, a filter prevents executing anything other than the "ping" command; we were not able to bypass that filter.
For the "tracert" command, however, it was possible to execute arbitrary OS commands by using the "|" operator in the target field:

Figure 1: Firmware version V1.2.31805


Figure 2: Firmware version V2.2.36123

When this action is performed, two different HTTP requests are sent.
The first request carries the command to execute and the target IP address:



Figure 3: HTTP request to send the command and the IP address


The server then answers indicating whether the command succeeded or not:

Figure 4: Server indicating the command succeeded

The application then performs a second HTTP request in order to retrieve the command results:

Figure 5: HTTP request to retrieve the command results

The server answers with a JSON structure containing the command output.
We developed an exploit that automates these two requests:
Figure 6: "ls" command output

The exploit is available at https://github.com/shadowgatt/CVE-2019-19356
Moreover, by reading the "/etc/passwd" file, we can retrieve the root user's password hash:

Figure 7: root user's hash

An offline cracking attack against this hash quickly recovered the clear-text password, which turned out to be very weak.

Risks and impacts


The NETIS WF2419 router targets home and small business use, but it may also be found in larger companies providing guest Wi-Fi. As mentioned in the introduction, other NETIS models may also be vulnerable.
Our research shows that about 12,000 NETIS routers (more than 200 of them WF2419) are reachable from the Internet, mainly in Asia.
This vulnerability can therefore affect home users as well as corporate users. With root access on the router, an attacker can sniff traffic, compromise the local network, poison DNS responses, or install malware that enrols the router in a botnet.

Disclosure Timeline


10 May, 2019: digital.security reported the vulnerability to two NETIS support email addresses; both bounced
13 May, 2019: digital.security reported the vulnerability to the generic NETIS contact email
3 July, 2019: No response received; a reminder was sent
30 September, 2019: digital.security notified NETIS of its intent to publish the vulnerability
30 September, 2019: NETIS answered that they would check the issue
8 October, 2019: digital.security sent the details of the vulnerability
9 October, 2019: NETIS stated that the product is End of Life and will not be fixed
4 February, 2020: Public disclosure of the issue and release of the advisory



Conclusion


In conclusion, due to a lack of user input validation, a malicious user is able to execute system commands on the router. This vulnerability could have been avoided by passing the target to the diagnostic tool through an API or an exec-style call with separate arguments, rather than inserting user input into a shell command string.
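The handler pattern behind this class of bug, together with the fix recommended above, as an added example written for this article (illustrative C, not the Netis firmware's own code, whose source we do not have): the vulnerable form builds a shell command line from the target field and hands it to system(), so a target of "8.8.8.8|ls" becomes "traceroute 8.8.8.8|ls" and the shell runs ls. The hardened form validates the target against an allowlist of hostname and IPv4 characters and then executes the binary through fork()/execvp() with an argv array, so no shell ever parses the input. The binary name traceroute, the function names and the sample targets are assumptions.

```c
/*
 * Added example for CVE-2019-19356 (not the Netis firmware's code): the
 * "Diagnostic Tools" handler pattern in a vulnerable and a hardened form.
 * The traceroute binary name and all function names are assumptions.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TARGET 253   /* longest valid DNS name */

/* Vulnerable: concatenate the user-supplied target into a shell command
 * line, exactly what a CGI handler would pass to system() or popen().
 * A target of "8.8.8.8|ls" survives intact and the shell runs "ls". */
int build_shell_command_vulnerable(char *out, size_t out_len, const char *target)
{
    int n = snprintf(out, out_len, "traceroute %s", target);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened step 1: allowlist validation. Only characters that can appear
 * in an IPv4 address or a hostname are accepted; shell metacharacters
 * ('|', ';', '$', '`', space, ...), empty or over-long input, and a
 * leading '-' (which traceroute would parse as an option) are rejected. */
int is_safe_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > MAX_TARGET)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    if (target[0] == '-' || target[0] == '.' ||
        target[len - 1] == '-' || target[len - 1] == '.')
        return 0;
    if (strstr(target, "..") != NULL)
        return 0;
    return 1;
}

/* Hardened step 2: build an argv array for execvp(). Each element is one
 * argument; the target is never re-parsed by a shell, so even if a
 * metacharacter slipped through it would be an inert part of one argument. */
int build_argv_safe(const char *target, const char *argv[3])
{
    if (!is_safe_target(target)) {
        argv[0] = NULL;
        return -1;
    }
    argv[0] = "traceroute";
    argv[1] = target;
    argv[2] = NULL;
    return 0;
}

/* Hardened step 3: fork + execvp with the argv array, no /bin/sh involved.
 * Returns -1 (errno = EINVAL) before forking when validation fails,
 * otherwise the child's exit status. */
int run_traceroute_safe(const char *target)
{
    const char *argv[3];
    if (build_argv_safe(target, argv) != 0) {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* execvp only returns on failure */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    const char *evil = "8.8.8.8|ls";     /* constructed sample input */

    build_shell_command_vulnerable(cmd, sizeof cmd, evil);
    printf("vulnerable handler would run: sh -c '%s'\n", cmd);
    printf("hardened validator accepts '%s': %d\n", evil, is_safe_target(evil));
    printf("hardened validator accepts '8.8.8.8': %d\n", is_safe_target("8.8.8.8"));
    /* To actually trace a validated target: run_traceroute_safe("8.8.8.8"); */
    return 0;
}
```

The vulnerable builder is kept only to show the string a shell would receive; it is never passed to system() here. The allowlist rejects input before any process is spawned, and the execvp() call with a fixed argv means the fix does not depend on enumerating every shell operator, which is the weakness of blocklist-style filters such as the one on the "ping" handler.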

digital.security rates this vulnerability as high risk. NETIS users should upgrade to a newer product without delay, as these devices are EOL according to the vendor.

Until then, the risk can also be reduced by changing the "root" user password, enforcing authentication with a strong password on the web management page, and forcing the use of HTTPS for accessing the web management page. Note that these measures make the management page harder to reach and its credentials harder to obtain, but they do not remove the command injection itself: anyone who can authenticate still gets root.