[GTA-2014-01] - Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell.
From: Groundworks Technologies Advisories Team <advisories () groundworkstech com>
Date: Wed, 26 Mar 2014 10:39:24 -0300
Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell
- CVE: CVE-2014-1982
- Type of Vulnerability:
  - CWE-78 : OS Command Injection
  - CWE-306 : Missing Authentication for Critical Function
- Affected products:
  - Allied Telesis AT-RG634A ADSL Broadband router (version 3.3+ and
  Other products like,
  - Allied Telesis iMG624A (firmware version, 3.5)
  - Allied Telesis iMG616LH (firmware version, +2.4)
  - Allied Telesis iMG646BD (firmware version, 3.5)
  have the same vulnerability, but the vendor reports that version
  3.8.05 of the firmware has already addressed this issue; we were
  unable to test or confirm this information.
- Vendor: Allied Telesis : http://www.alliedtelesis.com//
*Security Patches / Workaround:*
- Allied Telesis has noted that the AT-RG634A product is no longer
supported, but gives a workaround to mitigate the issue: configure the
device so that only trusted devices can access the target device, using
the following command:
"WEBSERVER SET MANAGEMENTIP <ip-address>"
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL
page in its administrative HTTP interface capable of executing
commands as admin without requiring any kind of authentication.
"The AT-RG634 is a full-featured, broadband media gateway and router
designed for cost-effective delivery of advanced IP Triple Play voice,
video and data services over an ADSL infrastructure. The RG634
supports Layer 3 functions, including NAT, DMZ, and Stateful
inspection firewall for delivery of revenue-generating services such
as home networking and security services." (from
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL
(/cli.html) page that executes CLI commands with admin privileges,
available by default and without any kind of authentication.
The impact is a total compromise of the target device.
*Steps to reproduce:*
- Connect via HTTP to the hidden page http://<device IP>/cli.html; an
input box is shown, and every command typed there is executed as admin.
Entering the following lines in the hidden page (/cli.html) adds a new
telnet admin user called "eviluser" to the system:
system add login eviluser
system set user eviluser access
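From the defender's side, the two facts above (the page lives at a fixed path, and the vendor's workaround restricts the web server to a single management IP) give a simple detection rule: any request for /cli.html is worth logging, and any such request from an address other than the configured management IP is an alert. The following script is an added example written for this advisory; it is not Groundworks' or Allied Telesis' code. It assumes that the device, or a proxy in front of it, writes Common Log Format access lines, and the sample lines and the management address 192.168.1.10 are constructed for illustration.

```python
"""Flag requests to the undocumented /cli.html page in HTTP access logs.

Added example for this advisory (not vendor or researcher code). Assumes
Common Log Format lines; sample data below is constructed.
"""
import ipaddress
import re
from typing import Iterator, NamedTuple, Optional

# Constructed sample: one benign page load, three hits on the hidden page
# (two from an untrusted address, one from the management host).
SAMPLE_LOG = """\
192.168.1.10 - - [26/Mar/2014:10:39:24 -0300] "GET /index.html HTTP/1.1" 200 5123
203.0.113.45 - - [26/Mar/2014:10:40:02 -0300] "GET /cli.html HTTP/1.1" 200 812
203.0.113.45 - - [26/Mar/2014:10:40:09 -0300] "POST /cli.html HTTP/1.1" 200 340
192.168.1.10 - - [26/Mar/2014:10:41:30 -0300] "GET /cli.html HTTP/1.1" 200 812
192.168.1.10 - - [26/Mar/2014:10:42:00 -0300] "GET /status.html HTTP/1.1" 200 2048
"""

# Assumed management address: the value an operator would have set with
# "WEBSERVER SET MANAGEMENTIP <ip-address>" on the device.
MANAGEMENT_IP = ipaddress.ip_address("192.168.1.10")

# The hidden page named in the advisory.
HIDDEN_PATH = "/cli.html"

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


class Finding(NamedTuple):
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    trusted: bool  # True when the source is the management IP


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into its fields; return None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def path_only(raw_path: str) -> str:
    """Drop query string and fragment so /cli.html?x=1 still matches."""
    return raw_path.split("?", 1)[0].split("#", 1)[0]


def find_cli_requests(log_text: str, management_ip=MANAGEMENT_IP) -> Iterator[Finding]:
    """Yield a Finding for every request whose path is the hidden CLI page."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if path_only(rec["path"]).lower() != HIDDEN_PATH:
            continue
        try:
            trusted = ipaddress.ip_address(rec["ip"]) == management_ip
        except ValueError:
            # Unparseable source address: treat as untrusted rather than drop it.
            trusted = False
        yield Finding(rec["ip"], rec["ts"], rec["method"], rec["path"],
                      int(rec["status"]), trusted)


def untrusted_cli_requests(log_text: str, management_ip=MANAGEMENT_IP) -> list:
    """Return only the hidden-page hits that did not come from the management host."""
    return [f for f in find_cli_requests(log_text, management_ip) if not f.trusted]


if __name__ == "__main__":
    for f in find_cli_requests(SAMPLE_LOG):
        flag = "ALERT" if not f.trusted else "ok   "
        print(f"{flag} {f.timestamp} {f.ip} {f.method} {f.path} -> {f.status}")
```

Every hit on the page is reported, because on an unpatched device even a request from the management host is an unauthenticated command channel; the `trusted` flag only separates "expected source" from "unexpected source" so the latter can be prioritised. A request with status 200 from an untrusted address after the workaround has been applied would indicate that the MANAGEMENTIP restriction is not in effect.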
This security issue was discovered and researched by Sebastian Muniz
(topo), Security Researcher at Groundworks Technologies.
The contents of this advisory are copyright (c) 2014 Groundworks
Technologies, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/