BSNL Teracom Router Firmware Rewrite / Link Modification

2016-09-03T00:00:00
ID PACKETSTORM:138597
Type packetstorm
Reporter Ajay Gowtham
Modified 2016-09-03T00:00:00

Description

                                        
                                            `Multiple Vulnerabilities in TERACOM ROUTER  
  
#Author: Ajay Gowtham aka AJOXR  
#Contact: gowtham.ajay5 at gmail.com  
#Vulnerability Type: Insecure Upload File Permissions  
#Affected Module: Upload Functionality  
#Criticality: Medium  
#Device Model: BSNL Teracom T2-B-Gawv1.4U10Y-BI (WiFi-enabled, ADSL2+ compliant)  
#Firmware: 10.4.3.12.12  
----------------------------------------------------------------------------------------------  
Firmware Re-write using Unrestricted Upload of File (Insecure File Contents)  
  
Reference ID: CWE - 434  
CVE - ID : CVE-2015-2049, CVE-2015-2876  
  
Ref: https://cwe.mitre.org/data/definitions/434.html  
  
Description: Teracom T2-B-Gawv1.4u10Y-BI models store the file uploaded through  
Restore Configuration as clear text. After the file is modified and uploaded,  
the malicious scripts it contains are executed in the firmware of the affected  
model, which allows an attacker to carry out arbitrary code execution.  
  
Reproduce Vulnerability:  
  
Step 1: Go to the Admin Panel, where you can find the Backup file option to back up the config.  
Step 2: Modify the config file Conexant.icf with malicious commands using a text editor.  
Step 3: Re-upload it to the device using the restore option.  
Step 4: The router will restart and execute the malicious commands.  
Step 5: The user will keep using the malicious router without concern, as it will also remain undetected by antivirus.  
  
Solution: An update will be the solution.  
----------------------------------------------------------------------------------------------  
Management Server Link Access to External Resource  
  
Reference ID: CWE - 610  
CVE - ID: CVE-2016-0071  
  
Ref: https://cwe.mitre.org/data/definitions/610.html  
  
Description: Teracom T2-B-Gawv1.4u10Y-BI models accept link modifications because  
no hard-coded link is provided in the Management Server module. Any user is able  
to change it with the default credentials.  
  
Step 1: Rewrite the link in the Management Server module.  
Step 2: Apply the necessary changes with the malicious link.  
Step 3: Restart the server and the changes are made.  
  
Solution: Hard-code the link parameter to avoid adding an external resource link to the router.  
----------------------------------------------------------------------------------------------  
  
PoC :  
https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing  
`
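
The firmware re-write issue above depends on the restore function accepting a backup that was edited after export. As an added example (not part of the advisory or the vendor's firmware), this Python sketch shows the integrity check a restore routine could apply before parsing an uploaded file; the trailer marker, key, function names and sample settings are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

MAGIC = b"\n#CFG-HMAC-SHA256:"   # hypothetical trailer marker, not a Teracom format
TAG_LEN = 64                      # hex length of a SHA-256 digest


def seal_backup(config: bytes, device_key: bytes) -> bytes:
    """Backup path: append an HMAC tag computed with a per-device secret."""
    tag = hmac.new(device_key, config, hashlib.sha256).hexdigest().encode()
    return config + MAGIC + tag


def open_backup(blob: bytes, device_key: bytes) -> bytes:
    """Restore path: return the config only if the tag verifies, else raise."""
    body, sep, tag = blob.rpartition(MAGIC)
    if not sep or len(tag) != TAG_LEN:
        raise ValueError("restore rejected: missing or malformed integrity tag")
    expected = hmac.new(device_key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("restore rejected: file was modified after backup")
    return body


def restore_allowed(blob: bytes, device_key: bytes) -> bool:
    """Convenience wrapper: True only for an untampered, sealed backup."""
    try:
        open_backup(blob, device_key)
        return True
    except ValueError:
        return False


# Constructed sample data: the key and settings below are placeholders.
KEY = b"per-device-secret-provisioned-at-factory"
ORIGINAL = b"wan_mode=pppoe\nwifi_ssid=home\n"
SEALED = seal_backup(ORIGINAL, KEY)
EDITED = SEALED.replace(b"wifi_ssid=home", b"wifi_ssid=evil")

if __name__ == "__main__":
    print("untouched backup :", restore_allowed(SEALED, KEY))
    print("edited in editor :", restore_allowed(EDITED, KEY))
    print("unsealed file    :", restore_allowed(ORIGINAL, KEY))
```

The key has to be unique per device and must never appear in the exported file, otherwise an edited backup can simply be re-sealed. The check covers offline modification of the backup only; restore should still require authenticated access with non-default credentials.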