Exploit the possiblities

MitraStar DSL-100HN-T1/GPT-2541GNAC Privilege Escalation

MitraStar DSL-100HN-T1/GPT-2541GNAC Privilege Escalation
Posted Oct 28, 2017
Authored by j0lama

MitraStar DSL-100HN-T1 and GPT-2541GNAC routers suffer from a privilege escalation vulnerability.

tags | exploit
MD5 | 9bd18e64e9682092e8293cf4eeb301a2

MitraStar DSL-100HN-T1/GPT-2541GNAC Privilege Escalation

Change Mirror Download
# Exploit Title: Privilege escalation MitraStar routers
# Date: 28-10-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mitrastar.com/
# Provider Homepage: https://www.movistar.com/
# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php

Description
-----------
SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.

$ ssh 1234@ip /bin/sh

This give us a shell with root permissions.

Note: the password for 1234 user is under the router.

You can copy all file system to your local machine using scp.
In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).


Solution
--------
In the latest firmware versions this have been fixed.
If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close