[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <40573c8627b045c6be729bf5b83adb94@AEDXBMB01.helpag.com>
Date: Thu, 5 May 2016 12:35:56 +0000
From: Bhadresh Patel <Bhadresh.Patel@...pag.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities
Hello Team,
Sorry for the typo in earlier draft.
The correct CVE IDs are both year 2015.
1) Unauthorized access of router's network troubleshooting page
(ping.cgi) -- CVE-2015-6023
2) Command injection vulnerability on ping.cgi -- CVE-2015-6024
Regards,
-Bhadresh
On 05/03/2016 10:05 PM, Bhadresh Patel wrote:
> Title:
> ====
>
> NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities
>
> Credit:
> ======
>
> Name: Bhadresh Patel
> Company/affiliation: HelpAG
> Website: www.helpag.com
>
> CVE:
> =====
>
> CVE-2015-6023, CVE-2016-6024
>
> Date:
> ====
>
> 03-05-2016 (dd/mm/yyyy)
>
> Vendor:
> ======
>
> NetComm Wireless is a leading developer and supplier of high performance
> communication devices that connect businesses and people to the internet.
>
> Products and services:
> Wireless 3G/4G broadband devices
> Custom engineered technologies
> Broadband communication devices
>
> Customers:
> Telecommunications carriers
> Internet Service Providers
> System Integrators
> Channel partners
> Enterprise customers
>
> Product:
> =======
>
> HSPA 3G10WVE is a wireless router
>
> It integrates a wireless LAN, HSPA module and voice gateway into one
> stylish unit. Insert an active HSPA SIM Card into the slot on the rear
> panel & get instant access to 3G internet connection. Etisalat HSPA
> 3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two
> Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which
> means that one can stay connected using the internet & phone. If one
> need a flexible internet connection for his business or at home; this is
> the perfect solution.
>
> Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp
>
>
> Abstract:
> =======
>
> Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an
> anonymous unauthorized attacker to 1) bypass authentication and gain
> unauthorized access of router's network troubleshooting page (ping.cgi)
> and 2) exploit a command injection vulnerability on ping.cgi, which
> could result in a complete system/network compromise.
>
> Report-Timeline:
> ============
> 03-09-2015: Vendor notification
> 08-09-2015: Vendor Response/Feedback
> 02-05-2016: Vendor Fix/Patch
> 03-05-2016: Public Disclosure
>
> Affected Software Version:
> =============
>
> 3G10WVE-L101-S306ETS-C01_R03
>
>
> Exploitation-Technique:
> ===================
>
> Remote
>
>
> Severity Rating (CVSS):
> ===================
>
> 10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
>
>
> Details:
> =======
>
> Below listed vulnerabilities enable an anonymous unauthorized attacker
> to gain access of network troubleshooting page (ping.cgi) on wireless
> router and inject commands to compromise full system/network.
>
> 1) Bypass authentication and gain unauthorized access vulnerability -
> CVE-2015-6023
> 2) Command injection vulnerability - CVE-2016-6024
>
> Vulnerable module/page/application: ping.cgi
>
> Vulnerable parameter: DIA_IPADDRESS
>
> Proof Of Concept:
> ================
>
> PoC URL:
> http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd
>
> PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk
>
> Patched/Fixed Firmware and notes:
> ==========================
>
> ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin
>
> NOTE: Verified only by Vendor
>
>
>
> Credits:
> =======
>
> Bhadresh Patel
> Senior Security Analyst
> HelpAG (www.helpag.com)
>
>
*******************************
Bhadresh Patel
Senior Security Analyst
Tel: +97144405666
Fax: +971 4 363 6742
Mob: +971529172297
Arjaan Office Tower, Office 1208
Dubai Internet City, Dubai
United Arab Emirates
*******************************
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists