FDEU-CVE-2023-77dc

Summary

Mezon SWC-9200 router is vulnerable to remote code execution.

Tech details

Mezon SWC-9200 router contains unauthenticated remote code execution vulnerability that can be triggered by injecting arbitrary shell commands into an HTTP parameter of Diagnostics.cgi endpoint. Additionally, it has an SSH server running on custom port 5000 that allows root login with a hardcoded password which is the same for all devices.

About Mezon

Mezon was a brand of WiMAX provider in Lithuania by LRTC (Lithuanian Radio and Television Centre). Users could use either USB modems or white label (Seowon) routers with Mezon brand. In 2018 the WiMAX (also sometimes called 3.5G) network was shut down and Mezon switched to LTE. In 2020 Bite acquired Mezon for 20M euros.

SWC-9200

The router has: Mediatek ARM processor, WiMAX modem, network switch (2 LAN ports), RJ-14 phone socket and 2.4 ghz wifi. Unfortunately, we have been late to the party and got access to the router in 2023 after its WAN uplink had been already not functional. But it is still available on the second-hand aftermarket:

https://www.skelbiu.lt/skelbimai/modemai-45040675.html

mezon-skelbiu.png

Random reboots

Before we move to the vulnerabilities, one thing that needs to be mentioned, is how hard it was to attack the device, that reboots every 5 minutes. We thought it was some kind of hardware malfunction and were about to give up. But later we figured out, it was a "watchdog" script that kept rebooting the device because of WiMAX unavailability:

#!/bin/sh
#################################################################################
# created by TOTC xxxx xxxx x.xxxxx@lrtc.lt
# (v0.1). Modified and adapded fo SWC-9200 by TOTC z.zzzzz@lrtc.lt
#################################################################################
PERIOD=120
OUT_OF_COVERAGE_TIME=30
STARTUP_TIME=60

### palaukiame, kol CPE startuos ir prisijungs prie WiMAX tinklo

sleep $STARTUP_TIME

### paleidziame watchcat'a

while true
    do
    GW=`ip route list | grep default | awk '{print $3}'`

    # tikriname ar CPE turi default gw
    if [ "x$GW" != "x" ]; then
        ping -c 3 $GW 1>/dev/null 2>&1
        else
        # default GW nerastas rebootiname CPE
        reboot
    fi
    RC=$?

Thanks guys, who wrote that script, you really made our job harder.

RCE

The web UI of the router has a Diagnostics page which allows to send ping command. Pretty quickly an RCE has been discovered:

mezon-rce.png

What was more surprising is that this page was available without authentication. You could send a direct HTTP request to /cgi-bin/diagnostic.cgi endpoint to execute the code.

Using a tiny 1-minute window between reboots we made a full flash dump and started analyzing it.

Root access

Another issue that came very quickly was SSH server running on port 5000. It refused the default admin password. It also refused to accept the root's password from /etc/shadow which was wimax. After doing the reverse engineer of the firmware we found that the custom shell cli.elf had a hardcoded root password:

t}PXbq|E

The password is hardcoded in the firmware. And the SSH instance is bind to 0.0.0.0:5000. That means, if the firewall rules allow remote access to that port, every SWC-9200 can be compromised not only by triggering RCE from LAN, but also by connecting as root remotely.

Some info

# cat /proc/cpuinfo
Processor    : ARM926EJ-S rev 5 (v5l)
BogoMIPS    : 184.72
Features    : swp half thumb fastmult edsp java
CPU implementer    : 0x41
CPU architecture: 5TEJ
CPU variant    : 0x0
CPU part    : 0x926
CPU revision    : 5
Cache type    : write-back
Cache clean    : cp15 c7 ops
Cache lockdown    : format C
Cache format    : Harvard
I size        : 32768
I assoc        : 4
I line length    : 32
I sets        : 256
D size        : 32768
D assoc        : 4
D line length    : 32
D sets        : 256

Hardware    : MT7108
Revision    : 0000
Serial        : 0000000000000000

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00040000 "Redboot"
mtd1: 01600000 00040000 "etc_plus"

# netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4004            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6789            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:17109           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:17119           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:5000        192.168.1.2:37790       ESTABLISHED

Timeline

2023-05-30 - requested MITRE CVE (no answer)
2023-05-31 - pinged Bite if the router is still supported
2023-06-01 - got answer from Bite that routers are out of bug bounty scope,
             but asked for details for free
2023-06-02 - sent executive summary
2023-06-12 - got confirmation from Bite that router is EOL and WiMAX network is down,
             users and company are not affected
2023-06-15 - pinged MITRE if CVE has been assigned (no answer)
2023-06-19 - full disclosure