The following security-related issues have been found in the latest available firmware for the Nighthawk RAX43 consumer routing device (18.104.22.168 at the time of this writing).
Unauthenticated Command Injection / Authentication Bypass Buffer Overrun via LAN Interface
This vulnerability is a combination of two separate bugs.
The first of which is a buffer overrun in the URL parsing functionality of post requests intended for the cgi-bin endpoint.
When sending a POST request to the "cgi-bin" endpoint on the router, the request gets routed to a function that parses the URL, various path information, and parameters.
The structure of the expected URL is as follows:
HTTP://<router LAN IP>/cgi-bin/<CGI name>.cgi?<query string>
The query string in the above appears to be a character array with a static size of 256. There is an additional character array in this parsing function that appears to handle what debug output calls PATH_INFO and what we have assumed to be an API path of sorts. Under normal circumstances, it does not appear that this PATH_INFO variable is ever set to anything other than NULL. Due to an erroneous strlcpy() call in this parsing function, however, it is possible to overflow the query string parameter and cause the PATH_INFO variable to be set, which causes the designated cgi binary to run based on the API path provided without authentication being required. We have assigned this issue a CVSS score of CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L under identifier CVE-2021-20166.
The second bug occurs in the readycloud_control.cgi binary. When accessing the "/api/users" API endpoint, the "name" parameter is passed unsanitized into a system() call, which results in command injection as root. It should be noted that readycloud functionality does not need to be explicitly enabled to trigger this command injection due to the aforementioned bypass bug. All default configurations are vulnerable to this, including devices that have remote management enabled via the WAN. Under normal circumstances, this API path requires authentication in order to access. We have assigned a CVSS score of CVSS:3.0/AV:A/AC:L/PR:S/UI:N/S:U/C:H/I:H/A:H to this issue with identifier CVE-2021-201667
By combining these two flaws, unauthenticated command injection as root becomes possible. The following proof of concept demonstrates both flaws in tandem:
POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
"name":"';$(id > /tmp/id);'",
Default HTTP Communication - CVE-2021-20168
By default, all communication to/from the device is sent via HTTP, which causes potentially sensitive information (such as usernames and passwords) to be transmitted in cleartext. We recommend using HTTPS as the default.
We have assigned this issue a CVSS score of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.
Insufficient UART Protection Mechanisms - CVE-2021-20169
A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, login with default credentials, and execute commands as the root user. These default credentials are admin:admin. We recommend disabling this UART console for production runs, or at least enforcing the same password mechanisms used for other functionality in the device (such as the web UI).
We have assigned this issue a CVSS score of CVSS:3.0/AV: P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Configuration Manipulation via Hardcoded Encryption Key - CVE-2021-20170
It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that they are encrypted. This encryption is accomplished via a password-protected zip file with a hardcoded password (RAX50w!a4udk). By unzipping the configuration using this password, a user can reconfigure settings not intended to be manipulated, re-zip the configuration, and restore a backup causing these settings to be changed.
We have assigned this issue a CVSS score of CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H.
Plaintext Password Storage - CVE-2021-20171
All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device.
We have assigned this issue a CVSS score of CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Multiple Instances of Known Vulnerable jQuery Libraries
Several instances of jQuery libraries known to contain vulnerabilities are still in use (such as jquery 1.4.2).
Known Vulnerable minidlna.exe Service
The version of minidlna.exe running on the device contains publicly known vulnerabilities.