
code-byter/CVE-2020-29669


Macally WIFISD2-2A82

Writeup for CVE-2020-29669 by Maximilian Barz (Silky) and Daniel Schwendner (code-byter)


This is a writeup of exploiting the Macally WIFISD2-2A82 Travel Router (firmware version 2.000.010). The guest user is able to reset its own password. This process has a vulnerability that can be used to take over the administrator's account, which results in shell access. Because the admin user can read the /etc/shadow file, the password hashes of every user (including root) can be dumped. The root hash can be cracked easily, which results in a complete system compromise. All of this is possible from the guest account, which is meant to be handed out to guests.

images/router.jpg

CVSS 3.1 Base Score: 8.7

Affected file: /protocol.csp

images/base.png

Walkthrough / PoC:

Step 1:

Log in with the guest account on the web interface. The default password for both guest and admin is blank.

images/web_login.png


After successful authentication, a screen similar to the following should appear.

images/dashboard.png




Step 2:

Navigate to the User manager in the settings menu, where you can change the password of your current user.

images/password_change.png

The guest user is able to reset its own password. Fill in the blank fields and capture the request in Burp Suite.

images/burp_1.png

Change the value of name to admin and forward the request.

images/burp_2.png

In the web interface, a pop-up box will appear saying "Password changed successfully".

images/password_changed.png



Step 3:

Log in as admin via telnet with the previously set password.

images/telnet_login.png

The admin user is able to read the /etc/shadow file, which exposes the root hash.

images/etc_password.png
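
The walkthrough works because the password-change request is applied to whatever account the `name` field carries, not to the account that owns the session. The following is an added example, not the firmware's code and not the authors' script: a constructed in-memory handler showing that pattern beside a hardened form. The `UserStore` class, the `current` and `new` field names and the sample passwords are assumptions for illustration; only `name` comes from the writeup.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Constructed in-memory account table (hypothetical stand-in for the device's user database)."""
    def __init__(self):
        self.users = {}

    def set_password(self, name, password, role=None):
        salt = os.urandom(16)
        entry = self.users.setdefault(name, {"role": role})
        entry.update(salt=salt, digest=_kdf(password, salt))

    def verify(self, name, password):
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u["digest"], _kdf(password, u["salt"]))

def make_store():
    # Constructed sample accounts and passwords.
    store = UserStore()
    store.set_password("admin", "admin-secret", role="admin")
    store.set_password("guest", "guest-secret", role="guest")
    return store

def change_password_vulnerable(store, session_user, form):
    # Flaw: the target account is taken from the request, the session is never consulted.
    store.set_password(form["name"], form["new"])
    return True

def change_password_hardened(store, session_user, form):
    target = form.get("name", session_user)
    if target not in store.users:
        return False
    # Authorization: only an admin session may act on another account.
    if target != session_user and store.users[session_user]["role"] != "admin":
        return False
    # Re-authentication: the caller must know their own current password.
    if not store.verify(session_user, form.get("current", "")):
        return False
    # Blank passwords (the device default per the writeup) are refused.
    if not form.get("new"):
        return False
    store.set_password(target, form["new"])
    return True
```
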

Exploit

The whole exploitation process is automated with a Python script. To spawn a root shell (or crack the root hash), run macally_exploit.py.

python3 macally_exploit.py 10.10.10.254

images/exploit.png

CVE MITRE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29669.


Maximilian Barz (OSCP), Email: [email protected], Twitter: S1lky_1337

Daniel Schwendner, Email: [email protected], Instagram: code_byter
