Unpatched Wi-Fi Extender Opens Home Networks to Remote Control

The Homeplug device, from Tenda, suffers from web server bugs as well as a DoS flaw.

A popular Wi-Fi extender for the home has multiple unpatched vulnerabilities, including the use of a weak, default password, according to researchers. Also, two of the bugs could allow complete remote control of the device.

The flaws have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, which extends the wireless network throughout the house using HomePlug AV2 technology.

“A compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,” explained researchers at IBM X-Force, in a posting last week.

Web Server Woes

The first two bugs are a command-injection issue (CVE-2019-16213); and a critical buffer overflow (CVE-2019-19505). They are found in the extender device’s web server, under a process named “httpd.”

The command-injection vulnerability carries a rating of 8.8 out of 10 on the CVSS severity scale. It arises from the fact that under the “Powerline” section in the user interface (UI) of the extender’s web server, the user can see and change the name of the other powerline communication (PLC) devices which are attached to the same powerline network. An authenticated user can inject an arbitrary command just by changing the device name of an attached PLC adapter with a specially crafted string, the researchers noted. Since the web server is running with root privileges, an attacker could leverage this injection to fully compromise the device.

“The name entered by the user is concatenated as an argument to the ‘homeplugctl’ application and being executed by the system’ library function,” according to IBM X-Force. “This user input is just URL decoded, without any validation or sanitation.”

The second vulnerability is found in the “Wireless” section in the web-UI: By adding a device to the Wireless Access Control list with a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. It’s listed as critical, with a 9.8 severity rating.

“It is possible to overwrite the return address register $ra and begin controlling program execution,” according to the analysis. “A motivated attacker can utilize this to potentially execute arbitrary code. Note that the overflow isn’t a result of an unsafe call to functions like strcpy or memcpy.”

Pivoting to a Remote Attack

Both bugs are post-authentication – so a user would need to be signed in to exploit the bugs. But there’s a big caveat to this: The web server itself is password-protected with the default (and very guessable) password “admin.”

“Both vulnerabilities in this web-UI allow an authenticated user to compromise the device with root privileges, and while authentication should provide a layer of security, in this case, with a weak and guessable password, it should not be considered adequate protection,” explained the researchers.

Similarly, the web server interface should only be accessible from the local network – however, a wrong setup and configuration can expose it to the internet and therefore remote attackers. And, IBM X-Force found that combining these vulnerabilities with a DNS rebinding technique provides the attacker with a remote vector that doesn’t depend on the user’s configuration.

“That remote attack vector is not far-fetched here, and using a technique called DNS rebinding, we were able to perform the same attack from a remote website, overcoming same-origin limitations by the browser,” said the researchers. “With this known technique, once the victim is tricked into visiting a malicious website, their entire local network is exposed to the attacker.”

DNS rebinding involves using a malicious JavaScript payload to scan the local network looking for vulnerable powerline extenders. If found, a login could be attempted using a list of popular passwords.

“In our demo we were able to get a reverse shell on the vulnerable device just by having someone with access to the device’s network visit our website,” said the researchers. This is significant as it allows an attacker to gain control over the vulnerable devices remotely just by having the victim visit a website.”

Pre-Auth Denial of Service

The third vulnerability (CVE-2019-19506), which rates 7.5 out of 10 on the severity scale, resides in a process named “homeplugd,” which is related to the extender device’s powerline functionality. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot. By causing a recurring reboot, the device will loop through restarts and not be able to carry out its functions or connect to the internet.

Unlike the other two bugs, an attacker in this case would not need to be authenticated.

“As we were inspecting the open ports and their corresponding services on the extender, we noticed the homeplugd process listening on UDP port 48912,” according to the analysis. “Reversing the binary revealed to us that no authentication was required to interact with this service.”

Patch Status

There are for now no patches for the issues.

“Unfortunately, despite repeated attempts to contact Tenda, IBM is yet to receive any reply to its emails and phone calls,” the researchers said. “It remains unknown whether the company is working on patches.”

Threatpost has also reached out to the vendor for more information.

To protect themselves, users should change default passwords on all devices that connect to the internet; update firmware regularly; and use use internal filtering controls or a firewall.

“While most flaws in popular software are addressed and patched, devices like powerline extenders, and even routers, do not seem to receive the same treatment, and are all too often left exposed to potential attacks,” the researchers concluded. “But these devices are not just a connectivity plug on the edge of the network. A critical enough vulnerability can be leveraged to reach other parts of the network. That is especially true for routers, but it also extends to other devices that have some sort of interface into the network.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles