exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Open Redirect

Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Open Redirect
Posted Jul 16, 2018
Authored by LiquidWorm | Site zeroscience.mk

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems suffer from an open redirection vulnerability. Many versions are affected.

tags | exploit
SHA-256 | b1c65c098fae18056a37bc3af2bb913a417646dd7ca9e523569cd1287a6f4f60

Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Open Redirect

Change Mirror Download

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Open Redirect


Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036

Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!

The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.

The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!

The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!

The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.

Desc: Input passed via the 'prev' GET parameter in 'config.sh' script is not properly
verified before being used to redirect users. This can be exploited to redirect a user
to an arbitrary website e.g. when a user clicks a specially crafted link to the affected
script hosted on a trusted domain.

=========================================================================================
/www/cgi-bin/webif/config.sh:
-----------------------------

1: #!/usr/bin/webif-page
2: <?
3: . /usr/lib/webif/webif.sh
4: #sleep 3
5: update_changes
6:
7: if [ "$FORM_mode" != "clear" ]; then
8: case "$CHANGES" in
9: ""|0)FORM_mode=nochange
10: esac
11: fi
12: case "$FORM_mode" in
13: nochange) header "$FORM_cat" "" "@TR<<No config change.|No configuration changes were made.>>"
14: echo "${FORM_prev:+<meta http-equiv=\"refresh\" content=\"2; URL=$FORM_prev\" />}"
15: ;;
16: clear)
17: rm -r /tmp/.webif/* >&- 2>&-
18: rm /tmp/.uci/* >&- 2>&-
19: header "$FORM_cat" "" "@TR<<Config discarded.|Your configuration changes have been discarded.>>"
20: CHANGES=""
21: echo "${FORM_prev:+<meta http-equiv=\"refresh\" content=\"1; URL=$FORM_prev\" />}"
22: ;;
...
...

=========================================================================================

Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2018-5483
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5483.php


13.03.2018

--


http://192.168.1.1:8080/cgi-bin/webif/config.sh?mode=clear&cat=Tools&prev=https://www.zeroscience.mk
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close