NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation

Title: NuCom 11N Wireless Router v5.07.90 Remote Privilege Escalation
Advisory ID: ZSL-2021-5629
Type: Local/Remote
Impact: Privilege Escalation
Risk: (4/5)
Release Date: 10.03.2021
Summary
The NC routers upgrades your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players.
Description
The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint and disclose the http super password (admin credentials) in Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages.
Vendor
NUEVAS COMUNICACIONES IBERIA, S.A. - https://www.nucom.es
Affected Version
5.07.90_multi_NCM01
5.07.89_multi_NCM01
5.07.72_multi_NCM01
Tested On
GoAhead-Webs
Tenda
Vendor Status
[01.03.2021] Vulnerability discovered.
[08.03.2021] Vendor contacted.
[09.03.2021] No response from the vendor.
[10.03.2021] Public security advisory released.
PoC
nucomrouter_privesc.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/161745
[2] https://www.exploit-db.com/exploits/49634
[3] https://cxsecurity.com/issue/WLB-2021030061
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/198068
Changelog
[10.03.2021] - Initial release
[11.03.2021] - Added reference [1], [2] and [3]
[12.03.2021] - Added reference [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk