cerne.xyz

CVE-2020-12127

CVE-2020-12127 is an information disclosure vulnerability in the WAVLINK WN530H4 router.

The information leak is located at the endpoint /cgi-bin/ExportAllSettings.sh. Through it, you can download all of the router settings, including the username and password that are set.

The file appears to be a list of key-value pairs containing all of the router settings. This seems to be an intended feature from the router developers; however, the authentication bypass vulnerability causes this endpoint to be exposed. It is my opinion that regardless of the auth bypass, this endpoint should not be exposed – especially with unhashed passwords. Only information that is directly configurable by the router’s administrator should be exposed for backup purposes.

Here is a sample of the data returned by that endpoint.


#The following line must not be removed.
##RT2860CONF
Default
WebInit=1
LOGO1=images/WAVLINK-logo.png
LOGO2=images/WAVLINK-logo.gif
HostName=WAVLINK
Login=admin2860
Password=Cerne123!
Login_def=admin
Password_def=admin
...
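
An added example, not from the original report or from WAVLINK's firmware: a parser for this key-value export format that flags plaintext credential fields and rebuilds a backup limited to administrator-configurable, non-secret keys. The sample input is constructed in the same format as the excerpt above; the credential-name pattern and the `admin_keys` allowlist are assumptions.

```python
import re

# Constructed sample in the same format as the excerpt above (secret value is made up).
SAMPLE_EXPORT = """\
#The following line must not be removed.
##RT2860CONF
Default
WebInit=1
HostName=WAVLINK
Login=admin2860
Password=constructed-secret
Login_def=admin
Password_def=admin
"""

# Assumption: key-name fragments that indicate a credential; extend per firmware.
SECRET_KEY = re.compile(r"(pass|psk|key|secret)", re.IGNORECASE)

def parse_settings(text):
    """Split an export into (header_lines, settings dict), preserving key order."""
    header, settings = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#") or "=" not in line:
            header.append(line)  # comments and the bare "Default" marker
            continue
        key, _, value = line.partition("=")  # values may themselves contain "="
        settings[key.strip()] = value
    return header, settings

def find_plaintext_secrets(settings):
    """Return keys whose names look like credentials and hold a non-empty value."""
    return [k for k, v in settings.items() if SECRET_KEY.search(k) and v]

def sanitize_export(text, admin_keys):
    """Rebuild the export with only admin-configurable, non-secret keys."""
    header, settings = parse_settings(text)
    kept = [f"{k}={v}" for k, v in settings.items()
            if k in admin_keys and not SECRET_KEY.search(k)]
    return "\n".join(header + kept) + "\n"

if __name__ == "__main__":
    _, parsed = parse_settings(SAMPLE_EXPORT)
    print("plaintext secrets:", find_plaintext_secrets(parsed))
    print(sanitize_export(SAMPLE_EXPORT, admin_keys={"HostName", "Login", "Password"}))
```

Even with `Password` on the allowlist, the sanitized output omits it, and the factory-default `Login_def`/`Password_def` entries are dropped because an administrator does not configure them.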

For more information and vulnerability analysis, please see my report on the WAVLINK WN530H4.