Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)

Connectize’s G6 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local Wi-Fi network and browser. The Connectize G6 router is a general consumer Wi-Fi router with an integrated web admin interface for configuration, and is available for purchase by the general public. These vulnerabilities were discovered in firmware version 641.139.1.1256, and are believed to be present in all versions up to and including that version.

A total of seven vulnerabilities were uncovered, with links to the associated technical advisories, as well as detailed descriptions of each finding, below.

  1. Command Injection via Ping Diagnostic Functionality (CVE-2023-24046)
  2. Systemic Insecure Credential Management (CVE-2023-24047)
  3. Admin Panel Vulnerable to Cross Site Request Forgery (CVE-2023-24048)
  4. Weak Default Wi-Fi Network Password (CVE-2023-24049)
  5. Stored Cross Site Scripting using Wi-Fi Password Field (CVE-2023-24050)
  6. Admin Panel Account Lockout and Rate Limiting Bypass (CVE-2023-24051)
  7. Current Password Not Required When Changing Admin Password (CVE-2023-24052)

Attack Scenarios

The nature of these vulnerabilities allows a motivated attacker to perform an attack chain combining multiple of these issues, potentially leading to full unauthenticated access to the admin panel, a pivot point on the user’s home network for further attacks, and arbitrary JavaScript code execution in the victim’s browser.

Scenario 1 – Attacker Not on the Network

An attacker not present on the Wi-Fi network can obtain a foothold onto the network, as well as total admin panel compromise, via the following steps. First, the attacker sends a phishing email to the target. The email induces the victim into visiting the attacker’s website, and allows the attacker to send HTTP requests from the victim’s browser. If the victim is logged in to the administration panel of their router, the attacker can leverage CVE-2023-24048 to send requests to the web application on the victim’s behalf, effectively granting them administrative access at this time.

However, this is temporary – the attacker only has this access while the victim remains logged in to the administrative panel. The attacker’s next step is to change the victim’s password, guaranteeing them access to the admin panel and locking out the victim. They can perform this easily, as no prior passwords are required to perform this sensitive action (CVE-2023-24051).

From here, they can utilize CVE-2023-24046 to pivot their attack, as this vulnerability grants the attacker complete command line access to the router itself, and in doing so, gives the attacker a device on the victim’s network that they control. From here, they could transition to traditional network based post-exploitation attacks, such as sniffing traffic and attempting to exploit vulnerabilities on other machines in the network. Furthermore, due to the known insecure hashing algorithms used to protect the sensitive router credentials (CVE-2023-24047), they can ensure that even in the event they lose access to the admin panel, they can recover the password by checking the router’s /etc/passwd file.

Scenario 2 – Attacker on the Network

Alternatively, rather than starting with a targeted phishing attack, an attacker who already has access to the home network (such as a guest in the home) could attempt to elevate from a normal use to an administrator via brute force password guessing.

The admin panel has an account lockout preventing such things – after making three failed guesses, a user is informed they must wait 180 seconds before attempting another guess. However, as shown in (CVE-2023-24051), the attacker can refresh the browser to reset this timer, or could use automation to send these requests without the browser pop-up’s interference in the first place.

If the victim has set a strong password, this will still take a significant amount of time. However, as the router requires a minimum length of 5 characters rather than the industry-standard recommended minimum of 8 characters, it becomes a viable attack surface if the chosen password is weak. If the password was never changed from the default value – admin, the attacker can gain access in one guess (CVE-2023-24049).

They can, of course, also exploit any of the vulnerabilities noted under Scenario 1 in addition to the brute force approach.

Scenario 3 – Malware

Assuming our attacker has gained access to the admin panel, either via CSRF or via the brute force method, the attacker can choose to perform further exploits via cross-site scripting. They could choose to set the password for one of the two Wi-Fi networks (2.4 GHz or 5 GHz) to an exploit string, and upon the rightful admin logging in to investigate, the attacker is able to run arbitrary JavaScript on the attacker’s browser.

Disclosure

NCC Group attempted to get in contact with Connectize’s support team, reaching out via a customer support email address. After receiving no response to our initial email or a follow up email a reasonable amount of time later, it was decided to publicly release the following advisories in accordance with NCC Group’s responsible disclosure policies. From web searches and open source research, it appears that the Connectize vendor ceased trading some time in early 2023 – the last cached version of their website on the Internet archive was March 29th 2023. Their website no longer exists and there is no mechanism to contact them. The disclosure timeline can be found at the bottom of this page.

It is important that consumers are aware of the vulnerable Connectize devices. Any current owners and users of Connectize devices should seek to replace them with a different, more secure brand of device as soon as possible, since the vulnerabilities present in these devices will never be fixed as a result of the vendor no longer existing. Similarly, for consumers looking to purchase a Wi-Fi router – be aware that at the time of writing, many popular online stores still stock and sell these vulnerable Connectize devices. In the background NCC Group is currently liaising with some of these online stores in an attempt at ensuring these devices are withdrawn from sale.

Technical Advisories

Command Injection via Ping Diagnostic Functionality (CVE-2023-24046)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24046
Severity: High 8.4 (CVSS v3.1 AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Summary

An attacker authenticated to the admin panel can run arbitrary commands on the physical device.

Impact

After exploitation, an attacker will have complete control over the target system, and will be in a position to perform post-exploitation tasks throughout the network.

Details

The ping functionality on the router diagnostics page http://192.168.5.1/diag_ping_admin.htm is used to set the IP address pings are sent to. However, an attacker can concatenate a command to the end of the address as follows, which then executes as a command on the underlying system.

The following request shows the output of the ls command, listing the files and directories at the root of the HTTP server.

Request

GET /getPingResult.asp?ip_version=0 target_addr=192.168.5.1;+ls; target_num=2 HTTP/1.1
Host: 192.168.5.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.5.1/diag_ping_admin.htm

Response

HTTP/1.1 200 OK
Date: Tue, 10 Jan 2023 22:59:36 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: 0
Content-Length: 371
Last-Modified: Tue, 10 Jan 2023 22:59:36 GMT
Content-Type: text/html

PING 192.168.5.1 (192.168.5.1): 56 data bytes
<br />64 bytes from 192.168.5.1: seq=0 ttl=64 time=0.293 ms
<br />64 bytes from 192.168.5.1: seq=1 ttl=64 time=0.262 ms
<br />
<br />--- 192.168.5.1 ping statistics ---
<br />2 packets transmitted, 2 packets received, 0% packet loss
<br />round-trip min/avg/max = 0.262/0.277/0.293 ms
<br />boa.conf
<br />mime.types
<br />

Observe the lines:

<br />boa.conf
<br />mime.types
<br />

These file names are present at the root of the /etc/boa directory of the router, indicating that the ls command successfully executed and the output was returned to the user.

An attacker can go further with this and construct a convenient user interface for interacting with the vulnerability in a shell-like manner. With such a shell an attacker can much more easily navigate the file system and run commands on the device. They can then elevate their access to something more direct, such as through activating the BusyBox Telnet functionality on the device and obtaining a telnet shell.

Recommendation

Connectize should implement input verification to be certain that the values passed to the target_addr parameter are only IP addresses, and do not contain any commands. Any value passed that is not an IP address or a domain name parameter should be dropped.

Systemic Insecure Credential Management (CVE-2023-24047)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24047
Severity: Medium 4.5 (CVSS v3.1 AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Summary

The same password used for logging into the web admin interface is used as the root password for the device. Furthermore, the password is stored insecurely on the device via an outdated and insecure hashing algorithm.

Impact

Anyone capable of accessing the router’s file system is able to trivially recover both the Root password for the device and the password for the admin panel.

Details

The Connectize Router uses the admin panel password, as set by the user, as the root password on the device. The password is stored in /etc/passwd, and appears to be hashed using DES. DES is a known insecure hashing algorithm that should no longer be used. Because this hash can be performed very quickly, hashed passwords are vulnerable to brute-force cracking. An attacker with access to the hashed passwords is likely to be able to recover significant numbers of plaintext passwords using a tool such as hashcat.

Several other important passwords, such as the SMB fileshare password, were also observed to be hashed using DES.

Recommendation

Update the hashing algorithms used for device credentials to a more secure, modern algorithm. Furthermore, consider setting the root machine password to it’s own unique value, rather than setting it by the admin configuration panel password.

Admin Panel Vulnerable to Cross Site Request Forgery (CVE-2023-24048)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24048
Severity: Medium 7.5 (CVSS v3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Summary

The web application authentication relies on state tracking to ensure that the user is properly authenticated. This can be bypassed, allowing unauthenticated users to submit requests to the application under certain conditions.

Impact

If an authenticated user visits an attacker-controlled website, the attacker could induce the victim’s browser to send local requests to the application on behalf of the victim user. These requests could be used to make changes to the site, such as changing the admin password or configuring remote logs. It could also be used to leverage other vulnerabilities, such as CVE-2023-24046, a command line injection vulnerability.

In order to perform this attack, the victim must be logged in to the administration panel on the device’s network, but the attacker can be positioned anywhere on the public internet.

Details

The Connectize admin panel application appears to track authentication via two mechanisms. First, ensuring the user is logged in (likely via IP based or MAC address based verification). Next, it tracks the recent actions taken by the user in an attempt to verify that the request was sent as part of the typical user activity flow. This second check can be bypassed in a way that grants any individual who launches a phishing campaign against a logged-in administrator access to the admin panel. This can be done using an attack known as CSRF, which is explained below.

The lack of sufficient protections illustrated in this finding apply to the whole application, but are most significant in the user flow for changing the administrator password. This flow begins with a POST request to /boafrm/formPasswordSetup.

POST /boafrm/formPasswordSetup HTTP/1.1
Host: 192.168.5.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 87
Origin: http://192.168.5.1
Connection: close
Referer: http://192.168.5.1/man_password.htm

submit-url=%2Fman_password.asp saveFlag=0 userName=admin newPass=myPassword confPass=myPassword

If a user sends this request without being logged in, they are redirected to the login page. If, however, a user sends this request while being logged in but before they have accessed the password request page at http://192.168.5.1/man_password.htm, they are assumed to have bypassed the normal user flow of the application and served a 403 Forbidden error. This appears to be intended to insure that only the authenticated user may send requests to the application as part of normal administrative duties.

However, an attacker can successfully fill the required conditions for this request by simply sending a HTTP GET request to the man_password.htm page, such as the following.

GET /man_password.htm HTTP/1.1
Host: 192.168.5.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.1/advanced.htm
Connection: close
Upgrade-Insecure-Requests: 1

They then receive a HTTP 200 response containing the contents of the web page.

An attacker, therefore, could bypass this check and allow themselves to programmatically change the password by simply using a tool or writing a script that sent the GET request to /man_password.htm shortly before performing the POST request to /boafrm/formPasswordSetup and changing the administrator password.

This attack can be through a phishing attack prompting the victim to navigate to an attacker’s website. The webpage would be configured as follows: Upon browsing to the website, the page sends a GET request from the victim’s browser to the address http://192.168.5.1/man_password.htm. If the victim has a Connectize G6 router and is currently logged in to the admin panel, this will respond with a 200 OK. The webpage would then send the second request, a POST request to http://192.168.5.1//boafrm/formPasswordSetup. This request will reset the victim’s router, and change the admin password to anything the attacker desires. They then have complete control of the router, and can send additional requests using their phishing site to make changes and configure the application as they wish. They could even make use of other findings, such as CVE-2023-24046, to take complete command of the device.

This type of attack is known as Cross-Site Request Forgery (CSRF). It is characterized by an attacker using a logged in victim’s session to perform actions on their behalf. CSRF is typically an attack that requires the victim to open the vulnerable website and the attacker’s phishing website, to transfer authentication cookies along with the requests. However, because the Connectize G6 router does not make use of session tokens, authentication cookies, or CSRF tokens, the attack works even if the phishing website is viewed in a different browser on the same machine that the victim had loaded the Connectize G6 admin panel on.

Recommendation

Implement a CSRF token as part of the authentication model. If possible, replace the state-based authentication with a more traditional authentication system, such as session cookie based authentication.

Applications can be protected from CSRF attacks by rejecting state-changing requests that do not originate from the application itself. The primary method of verifying that a request originated from the application rather than an external site is to require all state-changing requests to contain an extra parameter known as a CSRF token. These tokens are random values generated by the server, then returned to the browser in the body of a response or in a cookie submitted as an additional parameter with every request.

Because an attacking site cannot read the application’s cookies or responses, they will be unable to submit the correct value, and any forged request will be rejected.

Weak Default Wi-Fi Network Password (CVE-2023-24049)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24049
Severity: Medium 4.6 (CVSS v3.1 AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

Summary

It was found that the default password to both the router and the admin panel of the Connectize G6 router were trivially guessable by attackers, and are not required to be reset upon initial configuration.

Furthermore, the router provides the option to automatically set the admin panel password to the same password used to connect to the Wi-Fi.

Impact

An attacker present on the 2.4 or 5 GHz Wi-Fi Networks could trivially guess both the Wi-Fi network password and the admin password, if they have been left unchanged from their factory default. This would allow the attacker to gain complete admin access to the router.

Additionally, in some configurations, a user with credentials sufficient to connect to the Wi-Fi network could have full admin access to the router by default.

Details

The device default Wi-Fi password is admin, as described both in the router instruction manual and the sticker at the bottom of the sheet. This password can also be used to log on to the configuration panel.

Upon initial setup, the user is prompted to set a new password. However, they can bypass this by selecting the “Skip Wizard” option, leaving the passwords at the default.

Furthermore, if a user does proceed to set a new Wi-Fi password, they are presented with a checkbox that sets the admin panel login password to the same value as the Wi-Fi password. This grants full administrative access to all users with access to the Wi-Fi password, even when a non-default password is used.

Recommendation

Connectize should ensure that the router requires users to always change the Wi-Fi password from default upon first login, and should remove the “Skip Wizard” functionality that allows users to bypass this.

Additionally, Connectize should remove the option to set the admin interface password to the same password as the Wi-Fi password shown during initial configuration.

Stored Cross Site Scripting using Wi-Fi Password Field (CVE-2023-24050)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24050
Severity: Medium 4.3 (CVSS v3.1 AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Summary

An attacker who can change the Wi-Fi password can change the password to a carefully crafted Cross Site Scripting string, such as "><script>alert(1)</script>. This string is stored in the router’s data storage application, then incorporated in pages throughout the application, allowing an attacker to run arbitrary JavaScript whenever the string is loaded onto a page.

As this finding requires an attacker to be authenticated, the impact is somewhat limited. However, it can be exploited unauthenticated when combined with attacks such as CVE-2023-24048. Additionally, in a circumstance where multiple individuals share the admin panel credentials, one user could run arbitrary JavaScript in the browsers of all other users.

Impact

An attacker that has gained access to the admin panel can run arbitrary JavaScript code whenever anyone logs in or views various pages in the admin panel. This could be used to query external webpages, steal sensitive information, or perform other privileged actions.

Details

Cross-site scripting (XSS) is a vulnerability class related to web application input and output validation. In stored cross-site scripting, the application accepts input from an end user, stores it, and later displays it without properly encoding HTML metacharacters. This allows an attacker to inject JavaScript code into future views of the resulting page. A user may fall victim to the attack just by using the application, provided that they have connected to either of the Wi-Fi networks or the LAN network provided by the router.

The attacker does not need to change the passwords for both the 2.4 and 5 GHz bands. Simply changing one is sufficient, potentially allowing this attack to go undetected by people using the other network.

Recommendation

When including user submitted data in responses to end users, encode the output based on the appropriate context of where the output is included.

Content placed into HTML needs to be HTML-encoded. To work in all situations, HTML encoding functions should encode the following characters: single and double quotes, backticks, angle brackets, forward and backslashes, equals signs, and ampersands. User-submitted data should not be included in dynamically-generated JavaScript snippets. Instead, encode and return the content in a separate HTML element or API request.

Admin Panel Account Lockout and Rate Limiting Bypass (CVE-2023-24051)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24051
Severity: Medium 4.3 (CVSS v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Summary

Applications often make use of rate limiting to prevent brute-force password attempts, sometimes enforced via “locking out” a user and preventing them from making further attempts at guessing the password. The Connectize G6 admin panel contains this functionality, but enforces it on the client-side. This allows a user to bypass it in two different ways.

Impact

An attacker attempting to guess the admin password for the router could make as many attempts as they wish without any limitations or restrictions. Given that the minimum password length is 5 characters, an attacker’s ability to guess the admin password is only limited by their network speed. An attacker with a sufficiently good connection could iterate through all possible five-character passwords reasonably quickly, gaining complete control of the admin panel if a password of minimum length was set.

Details

There are two methods to bypass the lockout functionality. Anyone accessing the user interface at 192.168.5.1 via a web browser may attempt to guess the password. After three failed attempts, a popup informs the user they must wait 180 seconds before guessing again.

If the user then refreshes the page, the popup is no longer shown, and the user may make another guess. If this guess is correct, the user is logged in to the admin panel, bypassing the lockout.

Alternatively, a user submitting HTTP requests directly to the application, such as through tools like Burp Suite or Postman, is never shown this prompt to begin with. Failed login requests return a HTTP 302 redirecting the user to the login page, while successful ones redirect the user to the index of the application.

An attacker could trivially automate sending hundreds or thousands of requests in this way, and never encounter the lockout mechanism.

Recommendation

Ensure that the rate limiting is implemented in the application’s server side code, rather than the client side JavaScript. They should also prevent both of these bypasses from occurring, and help mitigate brute force attacks against the application.

Current Password Not Required When Changing Admin Password (CVE-2023-24052)

Vendor: Connectize
Vendor URL: https://iconnectize.com/
Versions affected: All versions up to and including 641.139.1.1256
Systems Affected: Connectize AC21000 Dual Band Gigabit Wi-Fi Router, Model G6
Author: Jay Houppermans
CVE Identifier: CVE-2023-24052
Severity: Medium 4.3 (CVSS v3.1 AV:A/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N)

Summary

The admin panel web application does not require the user to provide the current admin password when changing the credentials.

Impact

An attacker who has gained access to the admin panel without obtaining the credentials first could change the password, locking out the legitimate users and granting themselves indefinite access until the device is factory reset.

Details

It is considered best practice to require a user to authenticate before changing or accessing sensitive information, such as an administrative password. A user who gains access to the admin panel via an unrelated vulnerability, or via access to a logged in computer owned by the legitimate user, could trivially change the password.

Given that the admin panel is also vulnerable to CSRF attacks, as described in CVE-2023-24048, this in effect allows anyone who is successful in a CSRF phishing attempt to change the admin password.

Recommendation

Require users to provide the old password when they change the administrator password.

Disclosure Timeline

March 3rd, 2023: NCC reached out to Connectize, announcing to the vendor that vulnerabilities were found in one of their devices and attempting to initiate secure conversation regarding these vulnerabilities.

April 7th, 2023: NCC reached out to Connectize again (not having heard from them in response to the prior email) to inform them of intent to publicly disclose the bugs unless they can confirm they respond to us within the next 30 days.

As of the publishing date of this Technical Advisory, no further communication has occurred and it appears that the Connectize vendor has ceased trading.

It is important that consumers are aware of the vulnerable Connectize devices. Any current owners and users of Connectize devices should seek to replace them with a different, more secure brand of device as soon as possible, since the vulnerabilities present in these devices will never be fixed as a result of the vendor no longer existing. Similarly, for consumers looking to purchase a Wi-Fi router – be aware that at the time of writing, many popular online stores still stock and sell these vulnerable Connectize devices. In the background NCC Group is currently liaising with some of these online stores in an attempt at ensuring these devices are withdrawn from sale.

Thanks to

David Goldsmith, Nicholas Bidron, and Eli Sohl for their support throughout the research and disclosure process.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Written by: Jay Houppermans

Call us before you need us.

Our experts will help you.

Get in touch
%d