CVE 2019-19639: Hijacking Centurylink Routers
Insufficient access controls on admin functionality in CenturyLink/Actiontec C3000A modem/routers allow anyone on the network to disable the administrator password and hijack the device by sending an HTTP POST request to a specific endpoint on the router’s built-in web server. This vulnerability affects at least the C3000A model and likely many others.
Finding the Bug
The bug hunt initially began by looking for potential Cross-Site Request Forgery (CSRF) vulnerabilities in sensitive functionality on the router’s web-based administrative management application. Inspecting traffic to and from the router’s built-in web server, we found that there were no protections against CSRF, such as tokens, but even more interestingly, we found that we were able to make arbitrary requests to the server while unauthenticated. This meant that CSRF and social engineering an admin were no longer needed; we only needed to know which specific request to send, which was trivial to obtain by inspecting traffic in an intercepting proxy.

To make matters easier, rather than having to capture and inspect every request for all functionality, we isolated the option to completely disable the administrator password. The “advancedsetup_admin.cgi” endpoint accepts a POST request with the parameter “adminPwState” which, when set to the value “0”, completely disables the admin password. Because there are no authentication or authorization checks on the endpoint, anyone with access to the network can gain complete control over the router’s functionality.
The simplest route to exploitation of this vulnerability would be if the attacker were already positioned on the network; a common scenario where public or guest WiFi access is present. However, because there are also no CSRF protections, it's possible for a completely remote attacker to induce a victim on the network to click a malicious link which subsequently sends the aforementioned POST request to the required endpoint on behalf of the attacker.
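As an added example (not from the original write-up or from Lykosec), the following detector scans HTTP request records for the password-disabling POST described above, so a network-side logger or IDS rule can alert on it. The "source method url body" record format, the sample records, and the check of the query string as well as the body are assumptions made here, not details from the advisory.

```python
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and parameter named in the advisory; value "0" disables the admin password.
ADMIN_ENDPOINT = "/advancedsetup_admin.cgi"
ADMIN_PARAM = "adminPwState"

# Constructed sample records in an assumed "source method url body" layout,
# such as a proxy or IDS HTTP logger might emit. "-" means an empty body.
SAMPLE_LOG = """\
10.0.0.5 GET /advancedsetup_admin.cgi -
10.0.0.5 POST /advancedsetup_admin.cgi adminPwState=1&adminPassword=REDACTED
10.0.0.23 POST /advancedsetup_admin.cgi adminPwState=0
10.0.0.23 POST /advancedsetup_admin.cgi?adminPwState=0 -
10.0.0.9 POST /index.cgi foo=bar
"""

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<body>\S*)$")


def find_password_disable_attempts(log_text):
    """Return (source, line_number) for each POST that would disable the admin password."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlparse(m["url"])
        if url.path != ADMIN_ENDPOINT:
            continue
        # Collect parameters from the query string (assumption: defensive, in case the
        # CGI also reads them there) and from the form-encoded body.
        params = parse_qs(url.query)
        if m["body"] and m["body"] != "-":
            for key, values in parse_qs(m["body"]).items():
                params.setdefault(key, []).extend(values)
        if "0" in params.get(ADMIN_PARAM, []):
            hits.append((m["src"], line_no))
    return hits


if __name__ == "__main__":
    for src, n in find_password_disable_attempts(SAMPLE_LOG):
        print(f"ALERT: admin password disable attempt from {src} (record {n})")
```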
In accordance with Lykosec policy, every reasonable effort was made to follow industry-standard responsible disclosure guidelines for this vulnerability. Five months passed between initial disclosure and the final follow-up regarding the public patch release. CenturyLink advised us that a private fix had been completed and had been pending public release for over three months. As of the date of this disclosure, the patch addressing the vulnerability has still not been publicly released.
12/09/2019 Disclosed to Centurylink
12/09/2019 CVE 2019-19639 assigned
12/13/2019 Reviewed and acknowledged by Centurylink
02/27/2020 Vendor fix released for private testing
04/08/2020 Follow-up on status of public release of fix
05/02/2020 Notified CenturyLink of pending disclosure
05/05/2020 Public disclosure