Wednesday, January 22, 2020

[SMC Networks] Remote Code Execution (Authenticated) in SMC D3G0804W Router [CVE-2020-8087]

SMC Networks is an American company founded in 1972. It develops network interface cards (NICs), stackable dual-speed hubs and Ethernet switches, and is now venturing into the world of IoT.

The SMC Networks D3G0804W Router is described as:
"A multimedia Gateway that delivers video and data for applications such as Home Security and Automation, and IPTV distribution. The Gateway is a versatile and robust all-in-one solution that makes it ideal for homes and businesses to connect their local-area network (LAN) to the Internet."
--SMC Networks D3G0804W user manual.

Looking at Shodan, I found that there are about 35630 of these devices.

While navigating the router's functions, I found a feature that allows an attacker to take full control of the device. This was possible due to the lack of input controls in one of the device's connection tests, which was exploited using the parameter pollution technique.

Proof of concept:

We log in to the router with the default credentials and see the default web portal. Here we click on 'Troubleshooting' > 'Diagnostic tools'.

Here we have a field where a domain or IP can be entered to test a simple ping connection.
We capture the request in Burp Suite and modify some parameters.
Original request:


To download a file onto the router, we test how the parameters behave: 'vlu_diagnostic_tools__ping_address' is the only one that accepts more than digits, so we duplicate that parameter (parameter pollution) to get around the problem of spaces in the POST request.
In the first 'vlu_diagnostic_tools__ping_address' parameter we put a '|' followed by the wget command; in the second 'vlu_diagnostic_tools__ping_address' parameter we put the URL of the 'r' file containing the reverse shell. After the URL we add a '#' to comment out the rest of the command and avoid errors.
Modified request:

The content of the 'r' file:
The file is successfully downloaded.
Web server side:


Following the same steps (parameter pollution), we can execute '/bin/sh ./r'.

Reverse shell:

And finally we got the reverse shell.
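The defensive counterpart of what this write-up describes, as an added example in Python that is neither the router's firmware nor the author's code: a hypothetical model of the weak pattern (a handler that joins every copy of 'vlu_diagnostic_tools__ping_address' into one shell string, which is exactly what makes the duplicated parameter useful) next to a hardened handler that rejects repeated parameters, validates the target as an IP literal or a plain hostname, and invokes ping as an argv list with no shell involved. The parameter name is the one from the request above; the handler shape and all function names are assumptions.

```python
"""Diagnostic-tool ping handler: weak pattern vs. hardened pattern.

Added example, not the SMC firmware. The vulnerable function is a
hypothetical model of the behaviour described in the write-up and is
only built as a string here, never executed.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qsl

# Page's parameter name; everything else in this file is an assumption.
PING_PARAM = "vlu_diagnostic_tools__ping_address"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def vulnerable_command(params_multi: list) -> str:
    """Hypothetical weak pattern: every value of PING_PARAM is joined with a
    space and dropped into a shell command line. Returned, not run."""
    address = " ".join(v for k, v in params_multi if k == PING_PARAM)
    return "ping -c 4 " + address


def parse_form_strict(body: str) -> dict:
    """Parse an x-www-form-urlencoded body and refuse repeated keys.

    A repeated key is the parameter-pollution lever: if the handler joins
    duplicates with a space, the client gets whitespace it could not send.
    """
    seen = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in seen:
            raise ValueError(f"duplicate parameter: {key}")
        seen[key] = value
    return seen


def validate_ping_target(target: str) -> str:
    """Return the target if it is an IP literal or a plain hostname."""
    try:
        # ipaddress is strict for both IPv4 and IPv6 literals.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    # Anything with spaces, '|', '#', quotes, etc. lands here.
    raise ValueError(f"invalid ping target: {target!r}")


def build_ping_argv(target: str, count: int = 4) -> list:
    """argv for ping with a validated target; no shell, so no metacharacters
    are interpreted. A validated target can never start with '-'."""
    return ["ping", "-c", str(count), validate_ping_target(target)]


def is_acceptable_request(body: str) -> bool:
    """True only if the body has no duplicate keys and the target validates."""
    try:
        params = parse_form_strict(body)
        validate_ping_target(params.get(PING_PARAM, ""))
        return True
    except ValueError:
        return False


def run_ping(body: str) -> subprocess.CompletedProcess:
    """Hardened handler: strict parse, validate, then execute as an argv list."""
    params = parse_form_strict(body)
    argv = build_ping_argv(params.get(PING_PARAM, ""))
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample bodies, not captured from a device.
    for body in (f"{PING_PARAM}=example.com",
                 f"{PING_PARAM}=a&{PING_PARAM}=b",
                 f"{PING_PARAM}=%7C+id"):
        print(body, "->", "accepted" if is_acceptable_request(body) else "rejected")
```

The two layers are deliberately independent: even if a front end merges duplicate parameters before the handler sees them, `validate_ping_target` still refuses any value that is not a host or address, and `build_ping_argv` never hands the value to a shell, so there is no command line for a '|' or '#' to act on.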

Special thanks to the collaborators: S4mnez & xpl0ited1


