Wavlink Quantum D4G Zero Day — Part 04

Today’s post will be covering a combination of two vulnerabilities, resulting in an admin credential dump. Before we get into it, as always this material is for educational purposes and awareness, no unethical behavior with this information is encouraged.

For the first part of this let us cover once again another CGI bin issue similar to our zero-day posted in part 02 of this series. The device allows administrators to backup device settings, a common feature across many different devices. For this device specifically, the endpoint /cgi-bin/ExportAllSettings.sh is called to receive a download of the device settings backed up and encrypted as shown below. To get this backup downloaded, however, no credentials are required, any user reaching out to this endpoint will receive this encrypted backup file. This is unintended, but not terrible, as they can’t really do anything with this file, after all, it’s just settings and it also is encrypted using AES-256-CBC, something you are not exactly going to crack very easily with a good password.

At first coming across this does not seem like a big deal, however upon analyzing the script used to pack up this backup data and encrypt it we discover the following:

Yes, you are seeing that correctly… they are using a hard-coded password to encrypt this data. Still not a terrible thing since it’s just backup data right? Wrong…

Yep, they for some reason stored the administrator password in this backup, maybe they intended to carry the password over in backup as well? Any-who, as always I am trying to keep this short and to the point, and with that I hope you learned something and had fun.