CVE-2020-18330
Description
An issue was discovered in the default configuration of ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running the firmware version W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05) that allows attackers to gain access to the configuration interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ChinaMobile PLC Wireless Router GPN2.4P21-C-CN ships with no admin password on port 8080 and has a directory traversal vulnerability, exposing configuration and sensitive files.
Vulnerability
The ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running firmware version W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05) is shipped and deployed without an administrative password on port 8080. The web configuration interface is accessible at http://:8080. Additionally, a directory traversal vulnerability exists in the /cgi-bin/webproc endpoint, allowing retrieval of arbitrary files such as /etc/shadow via a crafted getpage parameter [1].
Exploitation
An attacker with network access to the router's port 8080 can exploit the blank password to directly access the configuration interface. Alternatively, the directory traversal can be triggered by sending a GET request to /cgi-bin/webproc?getpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html&var:language=zh_cn&var:menu=setup&var:page=connected&var:retag=1&var:subpage=- [1]. No authentication is required for either attack vector.
Impact
Successful exploitation allows an attacker to change router configuration, potentially gaining access to the internal network. The directory traversal reveals the /etc/shadow file, exposing hashed passwords for the root and #tw user accounts [1]. This can lead to full compromise of the device and lateral movement within the network.
Mitigation
Adding a password to the admin user accounts reduces the risk of exploitation via the blank password. However, the directory traversal vulnerability remains, and the #tw account password cannot be changed by the user [1]. No official firmware patch has been released as of the publication date. Over 4,300 devices were identified as vulnerable via Shodan, primarily in South America and Asia [1].
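Since no firmware fix exists, traversal attempts against /cgi-bin/webproc have to be caught in HTTP logs from a proxy or sensor in front of the device. The following detection sketch is an added example, not code from the advisory or the vendor. The combined log format, the sample lines and the repeated percent-decoding (a defensive over-approximation) are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (assumed combined log format); IPs are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/webproc?getpage=html/index.html&var:language=zh_cn&var:page=connected HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/webproc?getpage=..%2f..%2f..%2fetc%2fshadow&errorpage=html/main.html HTTP/1.1" 200 311
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/webproc?getpage=html/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "/cgi-bin/webproc"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..%252f' is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(page):
    """True if the path is absolute or climbs above its starting directory."""
    page = fully_decode(page).replace("\\", "/")
    norm = posixpath.normpath(page)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def find_traversal(log_text):
    """Return (client_ip, decoded getpage) for suspicious webproc requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        for page in parse_qs(url.query, keep_blank_values=True).get("getpage", []):
            if escapes_root(page):
                hits.append((client, fully_decode(page)))
        # Requests without a getpage parameter produce no hit.
    return hits

if __name__ == "__main__":
    for client, page in find_traversal(SAMPLE_LOG):
        print(f"ALERT {client} getpage={page}")
```

Normalizing the decoded path before testing it also flags values that start inside html/ and then climb out, which a plain substring match on the leading characters would miss.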
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ChinaMobile/PLC Wireless Router model GPN2.4P21-C-CN
- Range: W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05)
Patches
No patches discovered yet.