what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Compal CH7465LG-LC Modem / Router Session Management / Command Injection

Compal CH7465LG-LC Modem / Router Session Management / Command Injection
Posted Jul 21, 2016
Authored by Gergely Eberhardt

The Compal CH7465LG-LC suffers session management, denial of service, unauthenticated configuration changes, and command injection vulnerabilities. Proof of concept included.

tags | exploit, denial of service, vulnerability, proof of concept, bypass
SHA-256 | 5d06e5b58ccc73b68e5bffdbf0373df8bb1bc1f24567e7cae58f2a5c6f1b02e6

Compal CH7465LG-LC Modem / Router Session Management / Command Injection

Change Mirror Download
Compal CH7465LG-LC modem/router multiple vulnerabilities
--------------------------------------------------------

The following vulnerabilities are the result of a quick check (~3 hours)
of the Mercury modem. We performed a systematic and deeper evaluation of
this device also, which result will be described in a separate report
[2] and advisory.

Platforms / Firmware confirmed affected:
- Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH

Vulnerabilities
---------------
Insecure session management
The web interface uses cookies, but is not verified. Thus, if admin
login is successful, the IP address and the browser type of the admin
user are stored and everybody can access the management interface with
the same IP and the same user-agent.

Information leakage
Some information requests can be performed without authentication. For
example an attacker can obtain the following information pieces:
- Global settings (SW version, vendor name, etc.)
- CSRF token
- Event log
- LAN user table
- Ping response

Unauthenticated deny of service attack
Factory reset can be initiated without authentication with a simple POST
request to the getter.xml.

Unauthenticated configuration changes
Some settings modification can be performed without authentication, for
example the first install flag and the ping command.

Unauthenticated command injection
The ping diagnostic function is vulnerable to system command injection,
because parameters are checked only at the client side. Using the
following ping target, the attacker can gain local root access to the
device:
atoken=<csrf_token>&fun=126&Type=0&Target_IP=127.0.0.1&Ping_Size=64;nc
-l -p 1337 -e /bin/sh;&Num_Ping=3&Ping_Interval=1a

Timeline
--------
- 2015.10.21: SEARCH-LAB received two sample boxes from the Compal
Mercury devices from UPC Magyarorszag
- 2015.10.21: Within three hours we reported a remotely exploitable
vulnerability on the device
- 2015.10.21: Liberty Global asked for a commercial proposal on
executing an overall security evaluation of the Compal device.
- 2015.10.24: A proposal was sent to Liberty Global.
- 2015.11.09: Liberty Global asked to execute the evaluation as a pilot
project without financial compensation.
- 2015.12.07: End Use Certificate for Dual-Use Items was asked from
Liberty Global as the developer of the device is located in China.
- 2016.01.07: The 99-page-long Evaluation Report on Compal Mercury modem
was sent to Liberty Global with the restriction that they are not
allowed to forward it outside of the European Union until a signed End
Use Certificate is received.
- 2016.01.07: First reaction to the report said: aBloody hell, that is
not a small document ;)a
- 2016.01.11: Liberty Global sent the signed End Use Certificate for
Dual-Use Items to SEARCH-LAB
- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end
users about the importance of the change of the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security
personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a
wardriving experiment in Budapest, Hungary to measure the rate of end
users who are still using the default passphrases.

Recommendations
---------------
We do not know about any possible solution. Firmware update should
install the ISP after the fix will be ready.

Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
from SEARCH-LAB Ltd. (www.search-lab.hu)

References
----------
[1] http://www.search-lab.hu/advisories/secadv-20150720
[2] http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close