Author:
Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team
0x1. Background
The Cisco security bulletin in the middle of last month indicated that one of our super simple logical RCE vulnerabilities had been fixed.
CVE-2020-3330; the details of the vulnerability are as follows:
0x2. Influence
Product: Cisco Small Business RV110W Wireless-N VPN Firewall
Affected versions: < 1.2.2.8
Firmware version discussed here: 1.2.2.5 [2019-12-05 to 2020-06-17]
The number of public network devices that may be affected is shown below.
0x3. Vulnerability hunting process
For security research on IoT devices, port scanning is a basic operation that helps us quickly discover potential attack surfaces.
The scan results surprised us a lot: the telnet service is enabled by default!
Moving on now, let's look at the strength of Cisco's passwords :)
Firstly, let us find where the telnet service is enabled. The suspicious target start_services was quickly located.
```c
undefined4 start_services(void)
{
    int iVar1;
    int iVar2;
    FILE *__stream;
    char *__nptr;
    char acStack4112 [4096];

    __nptr = (char *)nvram_get("lan_ip_mode");
    if (__nptr == (char *)0x0) {
        __nptr = "";
    }
    iVar1 = atoi(__nptr);
    ...
    ...
    if (iVar1 == 2) {
        ...
    }
    else {
        start_upnp();
        start_igd();
        start_eapd();
        start_nas();
        start_zebra();
        start_snmp();
        start_upnp();
        start_wps(0);
        start_lltd();
        start_telnet();   // <--- (1)
    }
```
If atoi() of "lan_ip_mode" does not yield 2, execution falls into the else branch and calls start_telnet().
```c
undefined4 start_telnet(void)
{
    char *__s1;
    int iVar1;
    undefined4 uVar2;
    FILE *__s;
    char **ppcVar3;
    char *local_158;
    undefined *local_154;
    undefined *local_150;
    char *local_14c;
    undefined *local_148;
    int local_144;
    undefined4 local_140;
    char *local_13c;
    undefined *local_138;
    undefined *local_134;
    int local_130;
    undefined *local_12c;
    char *local_128;
    undefined *local_124;
    int local_120;
    undefined4 local_11c;
    char acStack280 [256];

    __s1 = (char *)nvram_get("telnet_enable");   // <--- (2)
    if ((__s1 != (char *)0x0) && (iVar1 = strcmp(__s1,"1"), iVar1 != 0)) {
        return 0;
    }
    iVar1 = is_exist("/bin/login");
    if (iVar1 == 0) {
        __s = fopen("/dev/console","w");
        if (__s == (FILE *)0x0) {
            uVar2 = 0xffffffff;
        }
        else {
            fwrite("Start telnetd failed! Can\'t find /bin/login!\n",1,0x2d,__s);
            fclose(__s);
            uVar2 = 0xffffffff;
        }
    }
    else {
        __s1 = (char *)nvram_get("telnet_wan_enable");
        ...
        ...
```
The logic of start_telnet() is simpler: it returns early only when telnet_enable is set to a value other than "1". If the variable is unset (null) or "1", the telnet service is started.
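To make the fail-open default concrete, the following is an added example (not code from the firmware or from the original write-up) that reimplements the two NVRAM checks from the decompiled start_services()/start_telnet() over a constructed key/value table, next to an assumed default-deny variant for comparison. nvram_lookup, NV_FACTORY and the other sample tables are constructed here; the vendor's actual fix removed start_telnet() entirely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the firmware's nvram_get(): a small key/value table where
 * a missing key yields NULL, exactly like an unset NVRAM variable. */
struct kv { const char *key; const char *val; };
#define NV_LEN(a) (sizeof(a) / sizeof((a)[0]))
static const char *nvram_lookup(const struct kv *tbl, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].key, key) == 0) return tbl[i].val;
    return NULL;
}

/* Decision as the decompiled start_services()/start_telnet() make it:
 * telnetd is started unless lan_ip_mode parses as 2 or telnet_enable is
 * set to something other than "1", so an unset telnet_enable starts it. */
int telnet_started_vulnerable(const struct kv *tbl, size_t n)
{
    const char *mode = nvram_lookup(tbl, n, "lan_ip_mode");
    const char *en = nvram_lookup(tbl, n, "telnet_enable");
    if (atoi(mode ? mode : "") == 2)
        return 0;
    if (en != NULL && strcmp(en, "1") != 0)
        return 0;
    return 1;
}

/* Default-deny variant (assumed here, not the vendor's patch, which removed
 * start_telnet() outright): start only when telnet_enable is exactly "1". */
int telnet_started_default_deny(const struct kv *tbl, size_t n)
{
    const char *mode = nvram_lookup(tbl, n, "lan_ip_mode");
    const char *en = nvram_lookup(tbl, n, "telnet_enable");
    if (atoi(mode ? mode : "") == 2)
        return 0;
    return en != NULL && strcmp(en, "1") == 0;
}

/* Constructed sample NVRAM contents, not captured from a device. */
static const struct kv NV_FACTORY[]  = { {"lan_ip_mode", "0"} }; /* telnet_enable absent */
static const struct kv NV_ENABLED[]  = { {"lan_ip_mode", "0"}, {"telnet_enable", "1"} };
static const struct kv NV_DISABLED[] = { {"lan_ip_mode", "0"}, {"telnet_enable", "0"} };
static const struct kv NV_MODE2[]    = { {"lan_ip_mode", "2"}, {"telnet_enable", "1"} };
int main(void)
{
    printf("factory defaults start telnetd: vulnerable=%d default-deny=%d\n",
           telnet_started_vulnerable(NV_FACTORY, NV_LEN(NV_FACTORY)),
           telnet_started_default_deny(NV_FACTORY, NV_LEN(NV_FACTORY)));
    return 0;
}
```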
Do the values of lan_ip_mode and telnet_enable satisfy these conditions? ^_^
Let's check them using the command below:
In the subsequent logic, we found the password hash of the administrator account, and the hash algorithm used was MD5.
Once hashcat was started, we quickly recovered the plaintext of the hash, which is a weak password (***** 123).
0x4. Vulnerability Exploit demo
0x5. Vulnerability Patch
The latest firmware version has deleted the start_telnet() function.
Note:
By the time this article was published, Cisco had officially fixed the vulnerability and the firmware had been updated.
Ref:
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-rv110w-static-cred-BMTWBWTy.html