LevelOne WBR-6013 boa formSysCmd leftover debug code vulnerability
Description

Talos Vulnerability Report TALOS-2023-1873
LevelOne WBR-6013 boa formSysCmd leftover debug code vulnerability
July 8, 2024

CVE Number
CVE-2023-49593

SUMMARY
Leftover debug code exists in the boa formSysCmd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A specially crafted network request can lead to arbitrary command execution.

CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623

PRODUCT URLS
WBR-6013 – https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103

CVSSv3 SCORE
7.2 – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE
CWE-489 – Leftover Debug Code

DETAILS
The WBR-6013 is a SOHO wireless router produced by LevelOne. The router runs a web server called boa; the version used on the device comes from a Realtek SDK that ships boa. One of the SDK's APIs is /boafrm/formSysCmd. This is allegedly a debugging feature that allows execution of arbitrary commands on the Linux system running on the device. It was apparently not removed before release, as there is no documented functionality for executing commands on the device's Linux system. The following is the formSysCmd function that handles the /boafrm/formSysCmd API:

    void formSysCmd(void *wp) {
        […]
        uVar1 = get_request_param(wp,"submit-url","");
        syscmd_ptr = (char *)get_request_param(wp,"sysCmd","");
        if (*syscmd_ptr !=…
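The advisory names the endpoint (/boafrm/formSysCmd) and the two parameters the handler reads (submit-url and sysCmd). That is enough for a defender to alert on any use of the leftover debug handler from web-server or proxy logs. The following is an added example, not code from the Talos report or from the Realtek SDK: it scans constructed HTTP request records and flags requests that reach the debug endpoint, rating them higher when a non-empty sysCmd value is present. The record format (method, request target, body) and the sample traffic are assumptions made for the example.

```python
"""Detection helper for traffic to the WBR-6013 debug endpoint described in
TALOS-2023-1873: /boafrm/formSysCmd with a "sysCmd" form parameter.

Added example, not part of the Talos report or the Realtek SDK. Records are
assumed to be (method, request_target, body) tuples, as a reverse proxy or
web-server access log might expose them. Sample traffic below is constructed.
"""
from urllib.parse import urlsplit, parse_qs

DEBUG_ENDPOINT = "/boafrm/formSysCmd"   # endpoint named in the advisory
CMD_PARAM = "sysCmd"                     # parameter read by formSysCmd
URL_PARAM = "submit-url"                 # second parameter read by formSysCmd


def extract_params(request_target, body):
    """Return (path, params) with query-string and form-body values merged."""
    parts = urlsplit(request_target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        # boa reads form fields from the POST body as well as the query string
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parts.path, params


def classify_request(method, request_target, body=""):
    """Return None for unrelated traffic, otherwise a finding dict.

    Any hit on the debug endpoint is reported: the handler should not be
    reachable at all on a production device. A non-empty sysCmd value means a
    command was actually submitted, so it is rated "high".
    """
    path, params = extract_params(request_target, body)
    if path != DEBUG_ENDPOINT:
        return None
    cmds = [v for v in params.get(CMD_PARAM, []) if v != ""]
    return {
        "method": method,
        "severity": "high" if cmds else "medium",
        "sysCmd": cmds,
        "submit_url": params.get(URL_PARAM, [""])[0],
    }


def scan(records):
    """Classify every (method, target, body) record and keep the findings."""
    findings = []
    for method, target, body in records:
        finding = classify_request(method, target, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLE_RECORDS = [
    ("GET", "/", ""),
    ("POST", "/boafrm/formLogin", "username=admin&password=REDACTED"),
    ("POST", "/boafrm/formSysCmd", "submit-url=/example.htm&sysCmd=ls+/tmp"),
    ("GET", "/boafrm/formSysCmd?sysCmd=id&submit-url=%2F", ""),
    ("POST", "/boafrm/formSysCmd", "submit-url=/example.htm&sysCmd="),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Because the parameter may arrive in either the query string or the body, the detector merges both before checking; matching only on the POST body would miss the GET form. A blank sysCmd is still reported at medium severity, since any request that reaches the handler indicates the debug code is exposed.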
