[CVE-2021-37289] A Hidden Web Shell Discovered in the Planex MZK-DP150N Plug-in Wireless LAN Router.

During my last vacation under the sun in Okinawa, I stayed in a beautiful hotel facing the sea. One day, while having breakfast, I noticed that my hotel room was equipped with a small plug-in wireless LAN router from Planex. The device shares the hotel's internet connection by giving each room its own Wi-Fi hotspot rather than one network for every guest. Useful to avoid network spoofing between rooms!

After some research on the internet, I found that Planex is a Japanese brand specializing in routers. I wondered whether these boxes were configured differently from the usual TP-Link, ZTE and Huawei modems I am used to, so I decided to check and see what this Japanese brand has inside!

I took my laptop and connected to the plug-in router with the Wi-Fi password kindly given to me by the hotel staff. It was an 8-digit key, which, by the way, takes less than 10 hours to crack with a brute-force attack... but that is not the topic of this article!

Once connected, I needed to know my own local IP address and the IP address of the Planex router in order to reach the web administration interface.

— IP address check

192.168.111.1 turned out to be the IP address of the web administration interface. I tried to open it, but the server was protected by HTTP authentication backed by an .htpasswd file and asked me for a username and password, which I did not have.

I thought it was probably well protected, but I still wanted to try the classic admin:admin default credentials anyway. That did not work, so I started to think I should look up the default passwords of Planex devices on the internet. Before doing that, though, I wanted one last try with the other famous combo, admin:password... and it worked!

— Boom! We got in! :)

So I was finally inside the web administration interface! The interface seemed rather empty, since only four buttons were displayed: change the SSID and Wi-Fi password, network settings, update the device by uploading a firmware binary, and a last one allowing the user to change the .htpasswd that protects access to the web administration interface.

— Planex admin interface menu options

I then started looking at the source code of the home page and at the different files loaded with it.

In the JavaScript file ezUtil.js, there was a link that pointed directly at the product sheet on Planex's official website.

That is how I learned that the model name of the plug-in wireless router is MZK-DP150N.

— ezUtil.js file contents

I also noticed that the latest firmware for the Planex MZK-DP150N could be downloaded from the product page, which I did. Maybe I could find something inside, who knows!

Once the firmware was downloaded, I used binwalk to extract it. Binwalk does not decompile anything: it scans the image for signatures of compressed blobs and file systems and unpacks them, which is what gives you the root file system to browse.

— binwalk command to extract the firmware image

I started my investigation by browsing the web folder of the extracted file system. I found several interesting files, but one in particular caught my attention: "syscmd.asp".

— syscmd.asp source code

While reading the HTML, one line said: "Run a system command as root:". Really?

Well, let's try!
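The same triage can be scripted so that it does not depend on spotting one telltale sentence by eye. The Python below is an added example, not part of the original write-up or of Planex's firmware: it walks the web directory of an extracted image (on a real extraction, the `_<image>.extracted/` tree that `binwalk -e` produces) and flags pages containing strings that point at command execution, using the "Run a system command as root:" prompt from the article as one marker. The sample web root it builds (index.asp, wlbasic.asp, a syscmd.asp with a 'cmd' form field, and a README.txt) is constructed for the demo and is not the content of the real device.

```python
"""Triage the web root of an extracted firmware image for pages that hand out
command execution (added example; sample files below are constructed)."""
import os
import re
import tempfile

# Files worth scanning in a router's web directory.
WEB_EXTENSIONS = {".asp", ".htm", ".html", ".cgi", ".js", ".sh"}

# (label, pattern): strings that point at a shell behind the page. The first
# is the prompt that gave syscmd.asp away; the rest are common tells.
MARKERS = [
    ("command prompt text", re.compile(r"run a system command", re.I)),
    ("runs as root", re.compile(r"\bas root\b", re.I)),
    ("syscmd name", re.compile(r"\bsys(tem)?cmd\b", re.I)),
    ("system() call", re.compile(r"\bsystem\s*\(")),
    ("popen() call", re.compile(r"\bpopen\s*\(")),
    ("shell path", re.compile(r"/bin/(ba)?sh\b")),
]


def find_command_pages(webroot):
    """Return sorted (relative path, [labels]) for files matching any marker."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                # firmware web files are often not clean UTF-8; never crash on them
                text = fh.read().decode("utf-8", errors="replace")
            labels = [label for label, pat in MARKERS if pat.search(text)]
            if labels:
                hits.append((os.path.relpath(path, webroot), labels))
    return sorted(hits)


# Constructed sample web root for the demo: these files and the 'cmd' form
# field are made up and are not the contents of the real firmware.
SAMPLE_FILES = {
    "index.asp": "<html><body><a href='wlbasic.asp'>Wireless</a></body></html>",
    "wlbasic.asp": "<form method=POST><input name='ssid'><input name='psk'></form>",
    "syscmd.asp": ("<html><body>Run a system command as root:\n"
                   "<form method=POST><input name='cmd' size=60></form>"
                   "</body></html>"),
    "README.txt": "Runs as root; not a web page, so it is skipped by extension.",
}


def make_sample_webroot():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="mzk_webroot_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, labels in find_command_pages(make_sample_webroot()):
        print(f"{rel}: {', '.join(labels)}")
```

Only syscmd.asp is reported; README.txt contains "as root" but is skipped because it is not a web file, which is the trade-off of filtering by extension. Widen WEB_EXTENSIONS, or drop the filter, if the vendor uses unusual names for its pages.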

Back on the web administration interface, I appended "/syscmd.asp" to the IP address and, surprise, I could access a hidden page that allowed me to interact directly with the system by entering shell commands 😲. The page is not linked from any of the four menu buttons, so nothing in the interface hints that it exists; anyone who knows or guesses the path and has the admin credentials (admin:password out of the box) gets command execution as root.

— syscmd.asp endpoint

A web shell integrated directly into the firmware? No way!
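Both checks from this walkthrough, the default-credential guess against the .htpasswd-protected interface and the reachability of the hidden page, are easy to script so that several such devices can be tested quickly. The Python below is an added example, not code from the article or from Planex. It ships with a constructed mock of the device (HTTP Basic auth accepting only admin:password, a stub home page and an unlinked /syscmd.asp that executes nothing) so that it runs offline; the credential list and the rule "status 200 means the hidden page is reachable" are assumptions made for the demo. The /syscmd.asp path itself is the one found in the firmware. To test a real unit you are authorized to assess, call find_default_credentials and hidden_page_reachable with http://192.168.111.1/ instead of the mock's URL.

```python
"""Probe a router's web admin interface for default HTTP Basic credentials
and for a hidden command page (added example; the mock device is constructed)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Candidate pairs, in the order the article tried them (the list is an assumption).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", "")]
HIDDEN_PATH = "/syscmd.asp"   # the path found in the extracted firmware


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def http_status(url, user=None, password=None, timeout=5):
    """GET url (optionally with Basic auth) and return the HTTP status code."""
    headers = basic_auth_header(user, password) if user is not None else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403/404 are answers too, not failures


def find_default_credentials(base_url, creds=DEFAULT_CREDS):
    """Return the first (user, password) pair the interface accepts, else None."""
    if http_status(base_url) != 401:
        return None              # not behind Basic auth, nothing to guess
    for user, password in creds:
        if http_status(base_url, user, password) == 200:
            return (user, password)
    return None


def hidden_page_reachable(base_url, user, password, path=HIDDEN_PATH):
    """True when the command page answers 200 with the given credentials."""
    return http_status(base_url.rstrip("/") + path, user, password) == 200


class MockRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for the device so the demo runs offline:
    Basic auth accepting only admin:password, a stub home page, and the
    unlinked /syscmd.asp. It executes nothing."""
    GOOD_AUTH = basic_auth_header("admin", "password")["Authorization"]
    PAGES = {
        "/": b"<html><body>[SSID] [Network] [Update] [Password]</body></html>",
        HIDDEN_PATH: b"<html><body>Run a system command as root:</body></html>",
    }

    def do_GET(self):
        if self.headers.get("Authorization") != self.GOOD_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="MZK-DP150N"')
            self.end_headers()
            return
        body = self.PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_mock_router():
    """Serve MockRouter on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Run both checks against the mock and return what they found."""
    server, port = start_mock_router()
    base = f"http://127.0.0.1:{port}/"
    try:
        creds = find_default_credentials(base)
        hidden = creds is not None and hidden_page_reachable(base, *creds)
    finally:
        server.shutdown()
        server.server_close()
    return {"creds": creds, "hidden_page": hidden}


if __name__ == "__main__":
    print(run_demo())   # {'creds': ('admin', 'password'), 'hidden_page': True}
```

The order of the two checks matters: find_default_credentials first confirms the interface really answers 401 without credentials, so a device that has been left wide open (no .htpasswd at all) is reported as such rather than as "default password works". The probe only sends GET requests and never submits a command to the hidden page.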

Looking at the binaries present in the extracted file system, I could see that BusyBox was built with the telnetd applet, so the telnet daemon could be started from the web shell simply by running it. Once I had done that, I checked with nmap whether the telnet port was open.

— nmap scan

Yes, it was open! The telnet login required a username and password, which were the same credentials I had used earlier to log in to the web administration interface. I connected over telnet, and boom! Connected 😋

I'm not sure why this web shell was left there; probably for debugging purposes. In any case, I requested a CVE from MITRE and notified the vendor of this vulnerability. Until fixed firmware is available, the practical mitigation is to change the admin credentials: the hidden page sits behind the same .htpasswd as the rest of the interface, so it is only as protected as that password, and admin:password is no protection at all.

Thanks for reading this article! I hope you learned something from my research. If you liked what you read, please share it and follow me on Twitter at @0xSamy_