CVE-2017-11361 in Inteno

Summary

by MITRE

Inteno routers have a JUCI ACL misconfiguration that allows the "user" account to read files, write to files, and add root SSH keys via JSON commands to ubus. (Exploitation is sometimes easy because the "user" password might be "user" or might match the Wi-Fi key.)


Analysis

by VulDB Data Team • 10/26/2019

CVE-2017-11361 is an access control flaw in Inteno routers caused by an overly permissive JUCI access control list. JUCI is the router's JavaScript web interface; it reaches system functions through ubus, the message bus used by OpenWrt-based firmware, and the ACL decides which ubus objects and methods each web role may call. Because the ACL grants the default low-privilege "user" role methods that should be reserved for the administrator, anyone holding that account can perform administrative actions that the web interface itself never exposes to it.

The attack surface is the JSON-RPC endpoint in front of ubus, the same channel the web interface uses. Once the attacker authenticates as "user" and obtains a session, the ACL bound to that session permits calls to the file-handling ubus methods, so the session can read and write files on the filesystem with the privileges of the RPC daemon, and can add an SSH public key for root. Nothing in the web layer re-checks the caller's role before a call is dispatched; the ACL is the only gate, and it is misconfigured.

Exploitation gives full control of the device. Reading arbitrary files exposes configuration, credentials and network settings; writing arbitrary files lets the attacker alter startup scripts and binaries, which is equivalent to code execution; an SSH key added for root is a persistent backdoor that survives reboots. The credential side makes this worse: the "user" password is frequently left at "user" or set equal to the Wi-Fi passphrase, so the login step is trivial and the whole chain can be automated. The flaw is a missing function-level authorization check (the ACL does not enforce the privilege boundary between roles), not an injection or memory-safety bug.

Mitigation starts with the credentials and the exposure: change the default passwords at deployment, never reuse the Wi-Fi key as an account password, and firewall the management interface so it is reachable only from the LAN or a dedicated management network. The durable fix is in the ACL: the ubus/rpcd access control lists should be reviewed so that no low-privilege role can call the file read/write/exec methods, wildcard grants, or any method that installs SSH keys, and vendor firmware updates that correct the JUCI ACL should be applied. The weakness is CWE-284 (Improper Access Control); the credential aspect is a default-credential problem (CWE-1392, Use of Default Credentials) rather than hard-coded credentials. In ATT&CK terms an attacker logs in with T1078.001 (Valid Accounts: Default Accounts), reaches root through the ACL gap (T1068, Exploitation for Privilege Escalation) and persists with T1098.004 (Account Manipulation: SSH Authorized Keys). Regular audits of device configurations and timely firmware updates reduce exposure to the same class of bug.
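As an added illustration (not from the VulDB entry, MITRE, or Inteno), the following Python script audits an rpcd-style ubus ACL file offline for the kind of over-grant described above, showing a weak ACL of the sort that would produce this flaw next to a corrected one. The ACL layout is the one OpenWrt's rpcd reads from /usr/share/rpcd/acl.d/; the ACL contents, the role names and the "router.ssh"/"add_key" method name are constructed assumptions for the example, not Inteno's actual files or method names.

```python
"""Offline audit of rpcd/ubus ACL files for the over-grant pattern behind CVE-2017-11361.

rpcd ACL files map a role name to "read" and "write" sections, each listing ubus
objects and the methods that role may call (globs such as "*" are allowed).  Both ACL
documents below are CONSTRUCTED for illustration; they are not Inteno's shipped files.
"""
import fnmatch
import json

# Grants that hand a low-privilege web role control of the device.  "file" is rpcd's
# file plugin, which reads/writes/executes arbitrary paths with the daemon's (root)
# privileges.  "router.ssh"/"add_key" is a HYPOTHETICAL name standing in for whatever
# method the firmware uses to install SSH keys; the real name is not given here.
SENSITIVE = {
    "write": {"file": {"write", "exec"}, "router.ssh": {"add_key"}},
    "read": {"file": {"read", "list", "stat", "md5"}},
}
PRIVILEGED_ROLES = {"admin", "root", "superuser"}


def _pattern_hits(acl_obj, acl_method, sensitive):
    """True if an ACL entry (object/method, possibly globs) covers a sensitive method."""
    for s_obj, s_methods in sensitive.items():
        if not fnmatch.fnmatchcase(s_obj, acl_obj):
            continue
        if any(fnmatch.fnmatchcase(m, acl_method) for m in s_methods):
            return True
    return False


def audit_acl(acl):
    """Return (role, access, object, method) for every risky grant to a non-admin role."""
    findings = []
    for role, spec in acl.items():
        if role in PRIVILEGED_ROLES:
            continue
        for access in ("write", "read"):
            for obj, methods in spec.get(access, {}).get("ubus", {}).items():
                for method in methods:
                    if _pattern_hits(obj, method, SENSITIVE[access]):
                        findings.append((role, access, obj, method))
    return findings


# Constructed ACL reproducing the flaw class: "user" may read and write files and
# install an SSH key, which is everything it needs to become root.
WEAK_ACL = json.loads("""
{
  "user": {
    "description": "Default low-privilege web login (constructed example)",
    "read":  {"ubus": {"file": ["read", "list"], "network.interface": ["status"]}},
    "write": {"ubus": {"file": ["write"], "router.ssh": ["add_key"]}}
  },
  "admin": {
    "description": "Administrator",
    "read":  {"ubus": {"*": ["*"]}},
    "write": {"ubus": {"*": ["*"]}}
  }
}
""")

# Corrected ACL: "user" keeps a read-only status call; file and key management stay with admin.
FIXED_ACL = json.loads("""
{
  "user": {
    "description": "Default low-privilege web login (constructed example)",
    "read":  {"ubus": {"network.interface": ["status"]}},
    "write": {"ubus": {}}
  },
  "admin": {
    "description": "Administrator",
    "read":  {"ubus": {"*": ["*"]}},
    "write": {"ubus": {"*": ["*"]}}
  }
}
""")


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        hits = audit_acl(acl)
        print(f"{name}: {len(hits)} risky grant(s)")
        for role, access, obj, method in hits:
            print(f"  role={role} {access} {obj}.{method}")
```

On a device the same check can be run against copies of the files under /usr/share/rpcd/acl.d/; any grant to a non-admin role of the file object's write or exec methods, or a "*" wildcard covering them, should be treated as equivalent to this CVE regardless of what the web interface shows that role.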

Reservation

07/16/2017

Disclosure

07/17/2017

Moderation

accepted

CPE

ready

EPSS

0.00606

KEV

no

Activities

very low
