Title:
====

NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-6023, CVE-2015-6024

Date:
====

03-05-2016 (dd/mm/yyyy)

Vendor:
======

NetComm Wireless is a leading developer and supplier of high performance communication devices that connect businesses and people to the internet.

Products and services:

Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices

Customers:

Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers

Product:
=======

HSPA 3G10WVE is a wireless router. It integrates a wireless LAN, HSPA module and voice gateway into one stylish unit. Insert an active HSPA SIM card into the slot on the rear panel and get instant access to a 3G internet connection. The Etisalat HSPA 3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two Ethernet 10/100Mbps ports for voice & fax. It features a voice port, which means that one can stay connected using the internet and phone. If one needs a flexible internet connection for business or at home, this is the perfect solution.

Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp

Abstract:
=======

Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an anonymous unauthorized attacker to 1) bypass authentication and gain unauthorized access to the router's network troubleshooting page (ping.cgi) and 2) exploit a command injection vulnerability on ping.cgi, which could result in a complete system/network compromise.

Report-Timeline:
============

03-09-2015: Vendor notification
08-09-2015: Vendor Response/Feedback
02-05-2016: Vendor Fix/Patch
03-05-2016: Public Disclosure

Affected Software Version:
=============

3G10WVE-L101-S306ETS-C01_R03

Exploitation-Technique:
===================

Remote

Severity Rating (CVSS):
===================

10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Details:
=======

The vulnerabilities listed below enable an anonymous unauthorized attacker to gain access to the network troubleshooting page (ping.cgi) on the wireless router and inject commands to compromise the full system/network.

1) Bypass authentication and gain unauthorized access vulnerability - CVE-2015-6023
2) Command injection vulnerability - CVE-2015-6024

Vulnerable module/page/application: ping.cgi
Vulnerable parameter: DIA_IPADDRESS

Proof Of Concept:
================

PoC URL: http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd

PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk

Patched/Fixed Firmware and notes:
==========================

ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin

NOTE: Verified only by Vendor

Credits:
=======

Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
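
Detection sketch for the request pattern described under Details and Proof Of Concept. This is an added example, not part of the advisory or of any vendor code. It assumes access-log lines in common log format from a proxy or other device in front of the router, and that a legitimate DIA_IPADDRESS value is an IP literal or a plain hostname; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

PAGE = "/ping.cgi"        # page named in the advisory
PARAM = "DIA_IPADDRESS"   # parameter named in the advisory
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_plain_target(value):
    """True only for an IP literal or a strict DNS hostname (assumed policy)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # fullmatch: a trailing newline or any other extra character fails
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def suspicious_ping_values(request_target):
    """Return decoded DIA_IPADDRESS values that are not a plain ping target."""
    parts = urlsplit(request_target)
    if parts.path.lower() != PAGE:
        return []
    hits = []
    # Split on '&' by hand: some query parsers also treat ';' as a separator,
    # which would hide everything after the first ';' from this check.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if unquote_plus(name) == PARAM and not is_plain_target(value):
            hits.append(value)
    return hits

def scan(log_lines):
    """Return (client, value) pairs for flagged requests in access-log lines."""
    found = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m:
            found += [(m.group(1), v) for v in suspicious_ping_values(m.group(2))]
    return found

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [03/May/2016:10:00:01 +0000] "GET /ping.cgi?DIA_IPADDRESS=4.2.2.2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2016:10:00:05 +0000] "GET /ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd HTTP/1.1" 200 1840',
    '192.0.2.10 - - [03/May/2016:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 900',
]
for client, value in scan(SAMPLE):
    print(f"{client} sent non-address {PARAM} value: {value!r}")
```

Because CVE-2015-6023 makes ping.cgi reachable without authentication, a flagged request is worth reviewing even when no login from that client appears in the logs.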