NetCommWireless HSPA 3G10WVE Wireless Router – Multiple Vulnerabilities

• Exploit Database
• 36 阅读

• 作者： Bhadresh Patel
  日期： 2016-05-04
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/39762/

• Title:
  ====
  
  NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities
  
  Credit:
  ======
  
  Name: Bhadresh Patel
  Company/affiliation: HelpAG
  Website: www.helpag.com
  
  CVE:
  =====
  
  CVE-2015-6023, CVE-2015-6024
  
  Date:
  ====
  
  03-05-2016 (dd/mm/yyyy)
  
  Vendor:
  ======
  
  NetComm Wireless is a leading developer and supplier of high performance
  communication devices that connect businesses and people to the internet.
  
  Products and services:
  Wireless 3G/4G broadband devices
  Custom engineered technologies
  Broadband communication devices
  
  Customers:
  Telecommunications carriers
  Internet Service Providers
  System Integrators
  Channel partners
  Enterprise customers
  
  Product:
  =======
  
  HSPA 3G10WVE is a wireless router
  
  It integrates a wireless LAN, HSPA module and voice gateway into one
  stylish unit. Insert an active HSPA SIM Card into the slot on the rear
  panel & get instant access to 3G internet connection. Etisalat HSPA
  3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two
  Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which
  means that one can stay connected using the internet & phone. If one
  need a flexible internet connection for his business or at home; this is
  the perfect solution.
  
  Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp
  
  
  Abstract:
  =======
  
  Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an
  anonymous unauthorized attacker to 1) bypass authentication and gain
  unauthorized access of router's network troubleshooting page (ping.cgi)
  and 2) exploit a command injection vulnerability on ping.cgi, which
  could result in a complete system/network compromise.
  
  Report-Timeline:
  ============
  03-09-2015: Vendor notification
  08-09-2015: Vendor Response/Feedback
  02-05-2016: Vendor Fix/Patch
  03-05-2016: Public Disclosure
  
  Affected Software Version:
  =============
  
  3G10WVE-L101-S306ETS-C01_R03
  
  
  Exploitation-Technique:
  ===================
  
  Remote
  
  
  Severity Rating (CVSS):
  ===================
  
  10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  
  
  Details:
  =======
  
  Below listed vulnerabilities enable an anonymous unauthorized attacker
  to gain access of network troubleshooting page (ping.cgi) on wireless
  router and inject commands to compromise full system/network.
  
  1) Bypass authentication and gain unauthorized access vulnerability -
  CVE-2015-6023
  2) Command injection vulnerability - CVE-2016-6024
  
  Vulnerable module/page/application: ping.cgi
  
  Vulnerable parameter: DIA_IPADDRESS
  
  Proof Of Concept:
  ================
  
  PoC URL:
  http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd
  
  PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk
  
  Patched/Fixed Firmware and notes:
  ==========================
  
  ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin
  
  NOTE: Verified only by Vendor
  
  
  
  Credits:
  =======
  
  Bhadresh Patel
  Senior Security Analyst
  HelpAG (www.helpag.com)