Title: NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation
Advisory ID: ZSL-2021-5629
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 10.03.2021

Summary

The NC routers upgrades your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players.

Description

The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint and disclose the http super password (admin credentials) in Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages.

Vendor

NUEVAS COMUNICACIONES IBERIA, S.A. - https://www.nucom.es

Affected Version

5.07.90_multi_NCM01
5.07.89_multi_NCM01
5.07.72_multi_NCM01

Tested On

GoAhead-Webs
Tenda

Vendor Status

[01.03.2021] Vulnerability discovered.
[08.03.2021] Vendor contacted.
[09.03.2021] No response from the vendor.
[10.03.2021] Public security advisory released.

PoC

nucomrouter_privesc.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/161745
[2] https://www.exploit-db.com/exploits/49634
[3] https://cxsecurity.com/issue/WLB-2021030061
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/198068

Changelog

[10.03.2021] - Initial release
[11.03.2021] - Added reference [1], [2] and [3]
[12.03.2021] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk