Exploiting Samsung Router WLAN AP WEA453e

Nov 27, 2020

<script>alert(1)</script>

I fired up BurpSuite and found something interesting: when I gave a path to a file that doesn’t exist, I got an error message, but when I entered a file that does exist, I got redirected to the login page:


At this point, I figured that an LFI was impossible from here, but with an authenticated user I might find more.

I quickly googled the default credentials (root:sweap12~) and logged in. I then found a very interesting request in the Administration tab. Under “Tech Support” there is a button that lets you download some sort of compressed file in tar format.


Jackpot!

It looks like the request is vulnerable to Local File Inclusion and Remote Code Execution!

We can see that the request includes the “command1” and “command2” parameters, which contain Linux commands:

command1 – deletes the previous file
command2 – creates the new one

The path which the request is sent to is:

(download)/the_path_of_the_newly_created_file

From this request, we will be able to run a command, save the output to a file, and read the file.
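The two design mistakes in that request are that the client supplies the commands and that the client supplies the path that is read back. The following is an added illustration of how a hardened version of such a download endpoint looks; it is not code from the router firmware. It assumes a hypothetical handler that builds the archive in-process from a fixed allowlist (no command1/command2 at all), confines the download name to a fixed export directory, and checks the session before touching the file system:

```python
"""Hardened shape of a "tech support bundle" download endpoint.

Added illustration, not code from the router firmware. It assumes a
hypothetical handler with two properties the vulnerable one lacks: the client
never supplies commands (no command1/command2), and the download name is
confined to a fixed export directory, so "/etc/shadow" or "../../etc/shadow"
cannot leave it.
"""
import secrets
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Hypothetical: the only log sources a bundle may contain, fixed server-side.
ALLOWED_LOG_SOURCES = ("syslog", "wlan", "dhcp")


def build_support_bundle(log_dir: Path, export_dir: Path) -> Path:
    """Create the bundle in-process under a random name; no shell is involved."""
    export_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    bundle = export_dir / f"support_{secrets.token_hex(8)}.tar"
    with tarfile.open(bundle, "w") as tar:
        for name in ALLOWED_LOG_SOURCES:
            src = log_dir / f"{name}.log"
            if src.is_file():
                tar.add(src, arcname=src.name)
    return bundle


def resolve_download(requested: str, export_dir: Path) -> Optional[Path]:
    """Map a client-supplied bundle name to a regular file inside export_dir.

    Returns None for separators, dot names, traversal, or a symlink that
    resolves outside the export directory.
    """
    if not requested or "/" in requested or "\\" in requested or requested in (".", ".."):
        return None
    export_root = export_dir.resolve()
    candidate = (export_root / requested).resolve()
    # After resolving symlinks the file must still sit directly under the root.
    if candidate.parent != export_root or not candidate.is_file():
        return None
    return candidate


def handle_download(authenticated: bool, requested: str, export_dir: Path) -> Tuple[int, Optional[Path]]:
    """Authentication is decided before any file system access happens."""
    if not authenticated:
        return 401, None
    path = resolve_download(requested, export_dir)
    if path is None:
        return 404, None
    return 200, path


def demo() -> Dict[str, int]:
    """Exercise the handler in a scratch directory and return the status codes seen."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        log_dir = root / "logs"
        log_dir.mkdir()
        (log_dir / "syslog.log").write_text("constructed sample log line\n")
        export_dir = root / "bundles"
        bundle = build_support_bundle(log_dir, export_dir)
        # A symlink planted inside the export dir that points outside of it.
        (export_dir / "escape.tar").symlink_to(log_dir / "syslog.log")
        return {
            "valid_bundle": handle_download(True, bundle.name, export_dir)[0],
            "unauthenticated": handle_download(False, bundle.name, export_dir)[0],
            "absolute_path": handle_download(True, "/etc/shadow", export_dir)[0],
            "traversal": handle_download(True, "../../etc/shadow", export_dir)[0],
            "symlink_escape": handle_download(True, "escape.tar", export_dir)[0],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16s} -> {status}")
```

The resolve-then-compare check matters more than the string filtering above it: rejecting “/” and “..” stops the obvious inputs, but only resolving the candidate and confirming its parent is still the export root also catches a symlink dropped into that directory.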

We’ll start with the LFI and try to change the request path to a file in a known local path, like “/etc/shadow”:


I managed to read “/etc/shadow”, which shows that the web server is running with root privileges.

Vulnerability #3: Remote code execution (RCE)

The next step is to replace the current commands with our own crafted command and read the output.

I changed the value of “command1” to:

ls -la | dd of=/tmp/a.txt

This command lists the current directory contents and saves the output to “/tmp/a.txt”.

In addition, I changed the request path to “(download)/tmp/a.txt” in order to read the output of the command.


I tried to change the request method from POST to GET for easier exploitation and it worked as well:


The last thing I did was to try the exploit without being logged in with a valid user and, to my delight, it worked like a charm. This means the flaw is an unauthenticated remote code execution.
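For anyone monitoring these devices, the three facts established above (commands in the request, a client-chosen read-back path, no session needed) translate directly into detection rules. The script below is an added example, not from the original post: it scans access-log lines and flags command1/command2 values carrying shell metacharacters, download paths outside the bundle directory, and hits on the endpoint with no session cookie. The log format, the endpoint layout (parameters in the query string), the bundle directory and the sample lines are all constructed assumptions:

```python
"""Detection for the tech-support download abuse described above.

Added example, not from the original post. Flags command1/command2 values
with shell metacharacters, a download path that escapes the bundle directory,
and a hit on the endpoint without a session cookie. The log format, endpoint
layout and bundle directory are assumptions; the sample lines are constructed.
"""
import re
from posixpath import normpath
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

BUNDLE_DIR = "/tmp/support/"          # hypothetical home of legitimate bundles
DOWNLOAD_MARKER = "(download)"        # from the request path described in the post
SHELL_META = re.compile(r"[|;&`$<>]")

# Constructed format: src - - [ts] "METHOD target HTTP/1.1" status size "cookie"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

SAMPLE_LOG = [
    # Normal use of the feature: authenticated, bundle inside BUNDLE_DIR, plain commands.
    '198.51.100.7 - - [27/Nov/2020:10:00:01 +0000] "POST /(download)/tmp/support/techsupport.tar'
    '?command1=rm%20-f%20/tmp/support/techsupport.tar&command2=tar%20-cf%20/tmp/support/techsupport.tar%20/var/log'
    ' HTTP/1.1" 200 40960 "session=2f9c1a"',
    # File read outside the bundle directory, authenticated.
    '203.0.113.9 - - [27/Nov/2020:10:02:13 +0000] "GET /(download)/etc/shadow HTTP/1.1" 200 611 "session=2f9c1a"',
    # Crafted command and output read, without any session.
    '203.0.113.9 - - [27/Nov/2020:10:03:45 +0000] "GET /(download)/tmp/a.txt'
    '?command1=ls%20-la%20%7C%20dd%20of%3D/tmp/a.txt HTTP/1.1" 200 1204 "-"',
]


def analyse_line(line: str) -> List[Dict[str, str]]:
    """Return the findings for one line; empty for lines that do not touch the endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    if DOWNLOAD_MARKER not in path:
        return []
    src = m.group("src")
    findings: List[Dict[str, str]] = []

    # Rule 1: a command parameter that contains shell control characters.
    for name in ("command1", "command2"):
        for value in parse_qs(parts.query).get(name, []):
            if SHELL_META.search(value):
                findings.append({"rule": "command_injection", "src": src, "detail": f"{name}={value}"})

    # Rule 2: everything after the marker is the file the server sends back;
    # normalise it and require it to sit under the bundle directory.
    requested = path.split(DOWNLOAD_MARKER, 1)[1]
    resolved = normpath(requested if requested.startswith("/") else "/" + requested)
    if not resolved.startswith(BUNDLE_DIR):
        findings.append({"rule": "path_escape", "src": src, "detail": resolved})

    # Rule 3: the endpoint reached without a session cookie.
    if "session=" not in m.group("cookie"):
        findings.append({"rule": "unauthenticated_access", "src": src, "detail": m.group("method")})
    return findings


def analyse(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through analyse_line and flatten the findings."""
    return [f for line in lines for f in analyse_line(line)]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['rule']:22s} {f['src']:14s} {f['detail']}")
```

Rule 1 only separates crafted values from the commands the firmware itself sends; the presence of a command parameter at all is the design flaw, so until the device is on the patched version the safer alert is any request to this endpoint from outside the management network. The normpath step in rule 2 is what makes “/tmp/support/../../etc/passwd” land in the same bucket as “/etc/shadow”.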

You can find vulnerable instances using a google dork:

intitle:"Samsung WLAN AP"

Or using a shodan query:

title:"Samsung WLAN AP"

The relevant team at Samsung has been informed and they have confirmed that these vulnerabilities have been patched in version 5.2.4.T1.

This article was written by Omri Inbar, who is a dear friend of mine.
He is a hacker who likes to find vulnerabilities and bug bounties in his spare time, and kick my ass daily at the office playing ping pong 😭
