GWN Cloud – An IDOR coming back from the dead

logo black1

Could the same vulnerability happen after 3 years ? Is this acceptable ? Are companies learning from our reports or are they just blindly fixing the issue without fixing the root cause and applying proactive measures to prevent them from happenning again ?
If you are still reading this I guess you already know the answer to those questions.

Playing with George

Back when I was working in Pentest Partners in 2020 I found a typical user add to organization issue on Grand Stream cloud as you can see in here caused by an IDOR. Fast forward to 2023. I was trying to explain to George, my 7 year old son what an IDOR is and  what’s the difference between authentication and authorization (yes I know too young for that, but he has a legacy to keep!) when I reused the same request :

POST /app/user/save HTTP/1.1
Host: www.gwn.cloudConnection:
closeContent-Length: 72
Accept: application/json, text/plain, */*
Origin: https://www.gwn.cloud
Content-Type: application/json;charset=UTF-8
Referer: https://www.gwn.cloud/account/users
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESSION=7672dd7d-58a7-47f2-8bbc-3534108e4987
{“email”:”[email protected]”,”roleId”:2,”networkIds”:[xxx],

I could add any network id on the networkIds array and it would instantly make me an admin on that network. Imagine my suprise when this request worked again!

Severity

Back in 2020 it was mostly a data leak and a potential GDPR violation on this as you could leak  ssh and WIFI psk of a lot of networks but you still needed physical proximity to get access to said networks.

01a2023 03 17 13 03 48 GWN.Cloud
WPA2 PSK viewable for a network my new user does not own (my own network)

This is no longer the case though. GWN new devices have VPN capabilities and router capabilities and as you can guess all of them are managed from GWN.cloud. This means that (under certain circumstances) you can access remote networks by connecting to their VPN server and having direct access to the remote network! (and all that with a simple IDOR).

01b2023 03 17 13 42 48 GWN.Cloud
VPN management is not supported in my network but it is on others.

Disclosure

We (me and my son) notified grandstream with a ticket on 30th of January 2023. Their response was :

Thank you for reporting this to us.

Please note that the case has been reported internally in order to be fixed. We will inform you once there is an update.
Best regards.

I chased again after 15 days and then after 45 days (today) my tickets was closed. After checking with grandstream they said:

Hi Vangelis,
Please note that the fix for this issue is included in the latest GWN Cloud version 1.1.23.44. Thanks.
Best regards,

So it was fixed but they neglected to inform me for it , which is ok as I guess.

Postmortem

How could this happen ?
The same vulnerability happenning after 3 years on the exact same product is in my humble opinion unacceptable as it means that you learn nothing from the previous vulnerability.
I believe that bugs and vulnerabilities are bound to happen and will happen to every system. Its how you react to them and the lessons you learned from them that distinct a great from a not so great company.
Grandstream answered and fixed the vulnerability in a timely manner, but I can safely assume that the next time a developer touches that code he might remove the authorization check and there will be no automated test catching that or any penetration testing done on the application.It is essential to conduct regular security testing and assessments, implement adequate security measures, and maintain vigilance to prevent vulnerabilities from persisting or resurfucing in any application.Considering that this is a company that sells networks equipment and firewalls this is not a great sign.

Plus side

I could explain the release and maintenace cycle of  software to my son and how to properly do it. As this was cloud as always no CVE was assigned.