Thursday, March 5, 2026

Samsung WLAN AP Vulnerabilities Enable Remote Root Command Execution

Critical vulnerabilities were identified in Samsung’s WEA453e WLAN Access Point in August 2020, revealing a chain of exploits that culminates in unauthenticated remote code execution with root privileges.

The vulnerabilities represent a significant security risk, allowing attackers to completely compromise affected devices without requiring valid credentials.

The security investigation began with the discovery of a reflected cross-site scripting (XSS) vulnerability in the device’s web interface.

When navigating to nonexistent paths on the access point, the system generates error messages that reflect user input without proper sanitization.

Testing with a standard XSS payload, “<script>alert(1)</script>”, confirmed the vulnerability, causing JavaScript code to execute in the browser context.

The error message also revealed crucial information about the system’s file structure, displaying the absolute path “/tmp/www/” which proved instrumental in identifying subsequent vulnerabilities.

This information disclosure, combined with the XSS vulnerability, provided attackers with valuable reconnaissance data about the target system’s architecture.

Samsung WLAN AP Vulnerabilities

Building on the initial findings, researchers discovered a local file inclusion (LFI) vulnerability that allowed unauthorized access to system files.

Initial attempts to exploit this vulnerability through path traversal techniques using “../” sequences were unsuccessful for unauthenticated users, as the system redirected to the login page when attempting to access existing files.

However, after obtaining access using default credentials (root:sweap12~), researchers found a critical vulnerability in the Administration section under “Tech Support.”

This feature allows users to download compressed tar files through a request that includes “command1” and “command2” parameters containing Linux commands.

The system processes these commands to delete previous files and create new ones, with the request path following the pattern “(download)/the_path_of_the_newly_created_file.”

Unauthenticated Remote Code Execution

According to the report, organizations using Samsung WEA453e access points should immediately implement security patches and review their network security configurations.

The most severe vulnerability emerged when researchers modified the command parameters to execute arbitrary system commands.

By changing “command1” to “ls -la | dd of=/tmp/a.txt” and adjusting the request path to “(download)/tmp/a.txt,” they successfully executed commands and retrieved the output.

The vulnerability proved even more accessible when researchers discovered that the request method could be changed from POST to GET, simplifying exploitation.

The critical breakthrough came when testing revealed that the exploit functions without authentication, establishing this as an unauthenticated remote code execution vulnerability.

Attackers can leverage this vulnerability to execute arbitrary commands with root privileges on vulnerable Samsung WEA453e devices without requiring valid login credentials.
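
For defenders, the request pattern described above can be hunted for in HTTP logs. The following Python script is an added example, not code from the report or from Samsung. It assumes a JSON-lines export from a proxy in front of the access point with hypothetical fields src, method, path and params, and it assumes that legitimate Tech Support downloads end in a tar archive suffix.

```python
import json
import re

# Names and values below come from the article unless marked as assumptions.
CMD_PARAMS = ("command1", "command2")
DOWNLOAD_MARKER = "(download)"
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")  # assumption: real bundles are tar archives
SHELL_META = re.compile(r"[|;&`<>]|\$\(")       # chaining, redirection, substitution

# Constructed sample: JSON-lines export from a hypothetical proxy in front of the AP.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "method": "POST", "path": "(download)/example/bundle.tar.gz",'
    ' "params": {"command1": "placeholder-cleanup", "command2": "placeholder-archive"}}',
    '{"src": "203.0.113.7", "method": "GET", "path": "(download)/tmp/a.txt",'
    ' "params": {"command1": "ls -la | dd of=/tmp/a.txt"}}',
    '{"src": "10.0.0.9", "method": "GET", "path": "/index.html", "params": {}}',
    'truncated line {"src": ',
]


def findings(event):
    """Return the reasons a logged request looks like Tech Support abuse."""
    path = event.get("path", "")
    params = event.get("params") or {}
    supplied = [p for p in CMD_PARAMS if p in params]
    reasons = []
    for name in supplied:
        if SHELL_META.search(str(params[name])):
            reasons.append(f"{name} contains shell metacharacters")
    if supplied and event.get("method", "").upper() != "POST":
        reasons.append("command parameters sent with a non-POST method")
    if DOWNLOAD_MARKER in path and not path.lower().endswith(ARCHIVE_SUFFIXES):
        reasons.append("download path is not a tar archive")
    return reasons


def scan(lines):
    """Return (src, path, reasons) for each flagged line; skip unparsable ones."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = findings(event) if isinstance(event, dict) else []
        if reasons:
            hits.append((event.get("src"), event.get("path"), reasons))
    return hits
```

Compare the device's own legitimate Tech Support requests against these rules before alerting on them, since the real command values may themselves contain characters the metacharacter rule matches.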

The discovery of these chained vulnerabilities demonstrates how multiple security weaknesses can combine to create catastrophic security failures.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
