CERIO 11nbg 2.4Ghz High Power Wireless Router (pekcmd) Rootshell Backdoors

Title: CERIO 11nbg 2.4Ghz High Power Wireless Router (pekcmd) Rootshell Backdoors
Advisory ID: ZSL-2017-5409
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 28.05.2017
CERIO's DT-300N A4 eXtreme Power 11n 2.4Ghz 2x2 High Power Wireless Access Point with built-in 10dBi patch antennas and also supports broadband wireless routing. DT-300N A4's wireless High Power design enhances the range and stability of the device's wireless signal in office and home environments. Another key hardware function of DT-300N A4 is its PoE Bridging feature, which allows subsequent devices to be powered through DT-300N A4's LAN port. This reduces device cabling and allows for more convenient deployment. DT-300N A4 utilizes a 533Mhz high power CPU base with 11n 2x2 transmission rates of 300Mbps. This powerful device can produce high level performance across multiple rooms or large spaces such as offices, schools, businesses and residential areas. DT-300N A4 is suitable for both indoor and outdoor deployment, and utilizes an IPX6 weatherproof housing. The DT-300N A4 hardware equipped with to bundles Cerio CenOS 5.0 Software Core. CenOS 5.0 devices can use integrated management functions of Control Access Point (CAP Mode) to manage an AP network.
Cerio Wireless Access Point and Router suffers from several vulnerabilities including: hard-coded and default credentials, information disclosure, command injection and hidden backdoors that allows escaping the restricted shell into a root shell via the 'pekcmd' binary. Given that all the processes run as root, an attacker can easily drop into the root shell with supplying hard-coded strings stored in .rodata segment assigned as static constant variables. The pekcmd shell has several hidden functionalities for enabling an advanced menu and modifying MAC settings as well as easily escapable regex function for shell characters.
CERIO Corporation - http://www.cerio.com.tw
Affected Version
DT-100G-N (fw: Cen-WR-G2H5 v1.0.6)
DT-300N (fw: Cen-CPE-N2H10A v1.0.14)
DT-300N (fw: Cen-CPE-N2H10A v1.1.6)
CW-300N (fw: Cen-CPE-N2H10A v1.0.22)
Kozumi? (fw: Cen-CPE-N5H5R v1.1.1)
Tested On
Cenwell Linux 802.11bgn MIMO Wireless AP(AR9341)
RALINK(R) Cen-CPE-N5H2 (Access Point)
CenOS 5.0/4.0/3.0
Vendor Status
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://www.exploit-db.com/exploits/42079/
[2] https://cxsecurity.com/issue/WLB-2017050217
[3] https://packetstormsecurity.com/files/142730
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/127195
[28.05.2017] - Initial release
[30.05.2017] - Added reference [1] and [2]
[02.06.2017] - Added reference [3]
[02.08.2017] - Added reference [4]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk