T-Mobile Router Disclosure / Command Execution / Traversal / CSRF

Posted Jan 22, 2014
Authored by Johannes Greil | Site sec-consult.com

T-Mobile HOME NET Router LTE / Huawei B593u-12 version V100R001C54SP063 suffers from cross site request forgery, information disclosure, command injection, and directory traversal vulnerabilities.

tags | advisory, vulnerability, info disclosure, csrf
SHA-256 | 5ecc71b535700461b5eb90e9396b789a771cb54638c84b968532e6e4e659d99e

SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: T-Mobile HOME NET Router LTE / Huawei B593u-12
vulnerable version: V100R001C54SP063 (T-Mobile Austria)
fixed version: V100R001C55SP102 (T-Mobile Austria)
impact: Critical
homepage: http://www.t-mobile.at | http://www.huawei.com
found: 2013-12-12
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================


Business recommendation:
========================
By exploiting the critical vulnerabilities, an "unauthenticated" (guest)
attacker can gain administrative access to the router and manipulate settings.

Furthermore, attacks against internal clients are possible via the Internet,
depending on the network setup of the mobile operator or customer (if the
router is reachable from the Internet because of changed APN settings).


It is highly recommended not to use this product until a thorough security
review has been performed by security professionals. As a partial workaround,
the product should not be accessible from the Internet. Limit access only to
trusted (local) users internally. The firmware update has to be installed in
order to fix the identified vulnerabilities.

It is assumed that further critical vulnerabilities exist, as only a very
short crash test has been performed.


Vulnerability overview/description:
===================================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Attackers are able to log in to the router interface with a password-less
"guest" session and gain access to sensitive information such as
configuration settings: wireless passwords of all configured WLAN networks in
clear text, configured port mappings, DMZ hosts, attached network
devices/clients, etc.

Attackers with access to one SSID/WLAN network of the router are hence able to
access other wireless networks because passwords are stored in clear text.

It is also possible to exploit this issue over the Internet, depending on the
mobile operator / customer setup (changed APN settings). SEC Consult has
identified multiple routers via Google search that are reachable over the
Internet (no tests have been performed!).



2) Change arbitrary settings as guest
-------------------------------------
The guest user of the web interface is able to manipulate all settings of the
router via CGI scripts. It is even possible to change settings in the device's
XML configuration (curcfg.xml) that are not exposed in the web interface at
all, not even to the admin user.



3) OS command injection
-----------------------
The "ping" feature of the diagnostics page suffers from an OS command
injection vulnerability. Attackers are able to run arbitrary commands on the
device and gain access to sensitive information such as configuration files.
Furthermore, internal clients can be attacked; "tcpdump" is even available
on the router.

This vulnerability has already been mentioned on the following blog, so
credits go there too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html



4) USB management / FTP directory traversal
-------------------------------------------
The router offers the feature to share USB drives via FTP. It is possible to
exploit a directory traversal when specifying the home path of the shared
folder and gain read/write access to the root filesystem.

Unauthenticated "guest" attackers are also able to gain access to the router
via FTP even when there is no USB drive connected.
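The check the share feature is missing, as an added example (not code from the advisory or the router firmware): the configured home path is resolved lexically against an assumed USB mount point and rejected whenever it would escape it.

```python
import posixpath

# Assumed mount point of the USB drive; not taken from the advisory.
USB_MOUNT_ROOT = "/mnt/usb"


def resolve_share_root(home_path, mount_root=USB_MOUNT_ROOT):
    """Return the absolute directory to export over FTP, or None if the
    requested home path would map anything outside the USB mount into the
    share. Purely lexical (normpath), so it runs without a filesystem."""
    if "\x00" in home_path:
        return None
    if posixpath.isabs(home_path):
        candidate = posixpath.normpath(home_path)
    else:
        candidate = posixpath.normpath(posixpath.join(mount_root, home_path))
    root = posixpath.normpath(mount_root)
    # Accept the mount root itself or anything strictly below it; the
    # trailing "/" stops "/mnt/usbx" from passing as a prefix of "/mnt/usb".
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None
```

A real implementation must additionally resolve symlinks on the mounted drive (realpath) and apply the same prefix check, since a symlink on the USB media can point outside the mount.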

This vulnerability has already been mentioned on the following blog, so
credits go there too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html



5) Cross site request forgery
-----------------------------
An attacker can use Cross Site Request Forgery to perform arbitrary web
requests with the identity of the victim without being noticed by the victim.

It is possible to exploit the vulnerabilities mentioned in this advisory with
CSRF and therefore execute arbitrary OS commands on the router even when no
admin is actively logged in.




Proof of concept:
=================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Detailed proof of concept has been removed for this advisory.


2) Change arbitrary settings as guest
-------------------------------------
Guest users are able to change arbitrary settings via built-in CGI commands.
It is even possible to change settings that are not visible in the web
interface, not even to the administrator.

Detailed proof of concept has been removed for this advisory.


3) OS command injection
-----------------------
The following CGI script suffers from OS command injection and can also be
exploited as a guest user without a password!

Detailed proof of concept has been removed for this advisory.


4) USB management / FTP directory traversal
-------------------------------------------
Detailed proof of concept has been removed for this advisory.


5) Cross site request forgery
-----------------------------
As no token or other measures against CSRF are in place, it can be exploited
via standard methods over the Internet. It is possible to log in as the guest
user remotely, receive the session cookie and then exploit the command
execution flaw.

No local user has to be actively logged in for that attack scenario!

Detailed proof of concept has been removed for this advisory.
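The controls whose absence issues 3) and 5) describe, as an added example (not code from the advisory or the router firmware): a model of a diagnostics "ping" CGI handler that requires an admin session, checks a per-session anti-CSRF token, validates the target as an IP literal or plain hostname, and hands it to ping as a single argv element so no shell ever parses it. The form field names `csrf` and `host` and the `Session` class are assumptions.

```python
import hmac
import ipaddress
import re
import secrets
import subprocess

# Hostname shape (RFC 1123 labels): no leading/trailing hyphen, nothing else.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_ping_target(target):
    """Accept only an IP literal or a plain hostname. Shell metacharacters,
    whitespace and option-like values such as '-f' never pass."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(target) is not None


class Session:
    """Assumed server-side session model. The CSRF token is random per
    session, so a cross-site page that can only make the browser replay
    the session cookie never learns it."""
    def __init__(self, role):
        self.role = role
        self.csrf_token = secrets.token_hex(16)


def handle_ping(session, form):
    """Returns (200, argv) for an accepted request, else (status, reason)."""
    if session.role != "admin":
        return 403, "diagnostics require an administrator session"
    token = str(form.get("csrf", ""))
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    host = str(form.get("host", ""))
    if not validate_ping_target(host):
        return 400, "invalid ping target"
    # argv form: the target is exactly one argument; no shell is involved.
    return 200, ["ping", "-c", "3", host]


def run_ping(argv):
    """Execute the vetted argv without a shell and return ping's output."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=20)
    return result.stdout
```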



Vulnerable / tested versions:
=============================
All vulnerabilities have been confirmed in the following device:

* T-Mobile Austria HOME NET Router (Huawei LTE B593u-12)

Latest firmware available (as of 12th December 2013): V100R001C54SP063
Downloaded from: http://www.t-mobile.at/info-und-support/dlc/DLC.php


It is assumed that different variants of this router from other Internet
service providers are affected too, depending on their firmware versions.
The router is being offered by many telecom operators world-wide and has a
large userbase.


Vendor contact timeline:
========================
2013-12-12: Contacting T-Mobile Austria via contacts from CERT.at
2013-12-13: Sending encrypted security advisory to T-Mobile Austria and Huawei
PSIRT
2013-12-19: T-Mobile confirms vulnerabilities and plans rollout of new
firmware for January 2014 and gives recommendations for customers
(see solution)
2014-01-08: Asking T-Mobile Austria for status update
2014-01-08: T-Mobile: New firmware rollout is already in progress, informing
CERT.at about status
2014-01-22: Coordinated release of security advisory without proof of concept



Solution:
=========
According to T-Mobile Austria, users will be notified of the new firmware
release; T-Mobile urges all customers to upgrade the firmware.

The firmware can also be installed manually:
http://www.t-mobile.at/info-und-support/dlc/DLC.php

Fixed firmware version: V100R001C55SP102
Direct download: http://download.t-mobile.at/a/dlc/V100R001C55SP102.tar.bz2


Vendor information (German):
http://blog.t-mobile.at/2014/01/22/software-updates-zu-verhinderung-von-sicherheitsluecken/


Workaround:
===========
As a partial workaround, the product should not be configured to be accessible
from the Internet. Limit access only to trusted (local) users internally.


Advisory URL:
=============
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2014