First Router Bug (or a feature?). You decide :)

Nitesh Surana
4 min readNov 20, 2020

--

Fig 0. Genexis Platinum 4410 Router

A quick run of a UPnP based credential exposure in Genexis Platinum 4410 v2.1.34H Home Router.

There are references to various blogs of super awesome folks in Infosec, huge shoutouts to you! Thank you for the awesome work!

CVE-2020–25988 has been published completely on 2nd December, 2020.

Product: Genexis Platinum 4410 Router v2.1
Version Affected: P4410-v2.1.34H
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 6.5 Medium

Description:

While playing around with the ‘Genexis Platinum 4410 Router V2.1.34H’, it was found that network-adjacent attackers could fetch the credentials of the ‘admin’ user and use it to login to the router panel by querying the upnp service running on port 5555. The ‘X_GetAccess’ action leaks the ‘admin’ user’s credentials in plaintext.

Background:

UPnP is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices. [1]

The upnp stack has 6 layers:

  1. Addressing
  2. Discovery
  3. Description
  4. Control
  5. Eventing
  6. Presentation [2]

and it uses the following protocols:

  • SSDP: Simple Service Discovery Protocol, for discovering UPnP devices on the local network.
  • SCPD: Service Control Point Definition, for defining the actions offered by the various services.
  • SOAP: Simple Object Access Protocol, for actually calling actions. [3]

Once a device (personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices) has been assigned an IP Address and the upnp services are enumerated, the description of the available UPnP services can be fetched (in XML format).

A user can then fetch the router details (eg. External facing IP Address, DNS Server IPs etc) by querying the UPnP service actions, using crafted POST messages based on the SOAP.

The description of a devices’ upnp services contains the possible ‘actions’ (similar to function calls) and in this case, one of the ‘actions’ that any adjacent network user could perform is ‘X_GetAccess’ , to view the credentials of the ‘admin’ user. This does seem like a functionality at the beginning, but this can be abused since anyone on the same network (wireless or physical) can fetch the ‘admin’ user’s credentials.

PoC:

On looking around for tools related to UPnP testing, I found a tool ‘UPnP-Pentest Toolkit’ opensourced by the NCC Group [4].

Using the tool, one can discover devices that are based on UPnP and enumerate the device description. The device description is populated in an XML file and using the SOAP protocol, an attacker on the adjacent network [5] can request for and fetch the credentials of the ‘admin’ user.

Fig 1. List of ‘Actions’ (not comprehensive)

The action of interest is ‘X_GetAccess’ and the request and response look like this (admin:idontwantyoutoseethis) -

Fig 2. Cleartext Credentials of ‘admin’ user.

Proof Of Concept [Script] [Video] -

The above script is adapted from upnpy module and works when there’s only one UPnP device on the network. (Well, you can specify which upnp device do you want to look into).

Impact:

An network adjacent attacker can fetch the cleartext credentials of ‘admin’ account and login to the router’s admin panel by sending a POST request to the UPnP Service running on port 5555 in Genexis Platinum 4410 Router V2.1.34H.

Remediation:

Uncheck the ‘Enable UPnP’, which is enabled by default out of the box. However, ISPs use UPnP remotely to upgrade firmwares, perform maintenance and troubleshooting tasks.

Fig 3. Uncheck ‘Enable UPnP’

Notes:

There are two CVEs on the same product but for an older version:

  1. Authentication Bypass on login page due to client side validation: https://nvd.nist.gov/vuln/detail/CVE-2020-6170
  2. Remotely change the WIFI access point’s password (CSRF): https://nvd.nist.gov/vuln/detail/CVE-2020-25015

As you may have noticed, the above two issues do not discuss the UPnP service and the second one is based on a 1-Click Password change. Upon checking for the above two security issues on the router that I had, none were found in the updated version.

Throughout the process of finding things on Google, I learned that UPnP is more of a feature but then, it has been abused by botnets and in amplification attacks. I stumbled upon great content from Bsides and learned and fetched my zeroth CVE.

So, what do you do when you have a router in your home?

Drink all the juice and hack all the things!

~ A Tiny Speck of Dust, trying his shot. [After all, we’re all alike.]

References:

  1. https://en.wikipedia.org/wiki/Universal_Plug_and_Play
  2. http://www.upnp-hacks.org/upnp.html
  3. https://www.electricmonk.nl/log/2016/07/05/exploring-upnp-with-python/
  4. https://github.com/nccgroup/UPnP-Pentest-Toolkit
  5. https://www.first.org/cvss/specification-document
  6. https://nvd.nist.gov/vuln/detail/CVE-2020-25988

--

--