Authorization Bypass in all ADB Broadband Gateways / Routers

Project Description

All ADB broadband gateways / routers based on the Epicentro platform used by many telecommunication providers (ISPs) world-wide are affected by an authorization bypass vulnerability where attackers are able access and manipulate settings within the web interface which are forbidden to user (e.g. by the ISP). An attacker would be able to enable the Telnet server or other settings as well!

Also see our other two advisories regarding critical ADB vulnerabilities as they have been split up for better readability:
Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers
Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers


Vendor description

“ADB creates and delivers the right solutions that enable our customers to reduce integration and service delivery challenges to increase ARPU and reduce churn. We combine ADB know-how and products with those from a number of third party industry leaders to deliver complete solutions that benefit from collaborative thinking and best in class technologies.”

Source: https://www.adbglobal.com/about-adb/

“Founded in 1995, ADB initially focused on developing and marketing software for digital TV processors and expanded its business to the design and manufacture of digital TV equipment in 1997. The company sold its first set-top box in 1997 and since then has been delivering a number of set-top boxes, and Gateway devices, together with advanced software platforms. ADB has sold over 60 million devices worldwide to cable, satellite, IPTV and broadband operators. ADB employs over 500 people, of which 70% are in engineering functions.”

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast

Business recommendation

By exploiting the authorization bypass vulnerability on affected and unpatched devices an attacker is able to gain access to settings that are otherwise forbidden for the user, e.g. through strict settings set by the ISP. It is also possible to manipulate settings to e.g. enable the telnet server for remote access if it had been previously disabled by the ISP. The attacker needs some user account, regardless of the permissions, for login, e.g. the default one provided by the ISP or printed on the device can be used.

It is highly recommended by SEC Consult to perform a thorough security review by security professionals for this platform. It is assumed that further critical vulnerabilities exist within the firmware of this device.

Vulnerability overview/description

1) Authorization bypass vulnerability (CVE-2018-13109)

Depending on the firmware version/feature-set of the ISP deploying the ADB device, a standard user account may not have all settings enabled within the web GUI.

An authenticated attacker is able to bypass those restrictions by adding a second slash in front of the forbidden entry of the path in the URL. It is possible to access forbidden entries within the first layer of the web GUI, any further subsequent layers/paths (sub menus) were not possible to access during testing but further exploitation can’t be ruled out entirely.

Proof of concept

1) Authorization bypass vulnerability (CVE-2018-13109)

Assume the following URL is blocked/forbidden within the web GUI settings:

http://$IP/ui/dboard/settings/management/telnetserver

Adding a second slash in front of the blocked entry “telnetserver” will enable full access including write permissions to change settings:

http://$IP/ui/dboard/settings/management//telnetserver

This works for many other settings within the web GUI!

In our tests it was not possible to access subsequent layers, e.g.:
Assume that both the proxy menu and submenu “rtsp” settings are blocked, a second slash will not enable access to the RTSP settings:

http://$IP/ui/dboard/settings/proxy//rtsp

Nevertheless, it can’t be ruled out that sub menus can be accessed too when further deeper tests are being performed.

Vulnerable / tested versions

The following devices & firmware have been tested which were the most recent versions at the time of discovery:

The firmware versions depend on the ISP / customer of ADB and may vary!

  • ADB P.RG AV4202N – E_3.3.0, latest firmware version, depending on ISP
  • ADB DV 2210 – E_5.3.0, latest firmware version, depending on ISP
  • ADB VV 5522 – E_8.3.0, latest firmware version, depending on ISP
  • ADB VV 2220 – E_9.0.6, latest firmware version, depending on ISP
  • etc.

It has been confirmed by ADB that all their ADB modems / gateways / routers based on the Epicentro platform are affected by this vulnerability in all firmware versions for all their customers (ISPs) at the time of identification of the vulnerability except those devices which have a custom UI developed for the ISP.

Vendor contact timeline

2016-07-01:Contacting vendor ADB, sending encrypted advisory, asking about affected devices
2016-07-08:Receiving information about affected devices
2016-07 – 2017-04:Further coordination, waiting for firmware release, implementation & rollout phases for their customers
2018-07-04:Embargo lifted, public release of security advisory

Solution

The firmware versions depend on the ISP / customer of ADB and may vary!

Patch version:

  • ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP
  • ADB DV2210 >= E_5.3.2, firmware version depending on ISP
  • ADB VV5522 >= E_8.3.2, firmware version depending on ISP
  • ADB VV2220 >= E_9.3.2, firmware version depending on ISP
  • etc.

Workaround

Restrict access to the web interface and only allow trusted users.
Change any default/weak passwords to strong credentials.
Don’t allow remote access to the web GUI via Internet.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF J. Greil / @2018

Project Details

  • TitleAuthorization Bypass
  • ProductAll ADB Broadband Gateways / Routers (based on Epicentro platform)
  • Vulnerable versionHardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  • Fixed versionsee "Solution" section below
  • CVE numberCVE-2018-13109
  • ImpactCritical
  • Homepagehttp://www.adbglobal.com
  • Found2016-06-28
  • ByJohannes Greil (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back