Lucene search
Ajay GowthamPACKETSTORM:138597HistorySep 03, 2016 - 12:00 a.m.
BSNL Teracom Router Firmware Rewrite / Link Modification
2016-09-0300:00:00
Ajay Gowtham
packetstormsecurity.com
156
0.567 Medium
EPSS
Percentile
97.7%
`Multiple Vulnerabilities in TERACOM ROUTER
#Author: Ajay Gowtham aka AJOXR
#Contact: gowtham.ajay5 at gmail.com
#Vulnerability Type: Insecure Upload File Permissions
#Affected Module: Upload Functionality
#Criticality: Medium
#Device Model: BSNL Teracom T2-B-Gawv1.4U10Y-BI is WiFi enabled ADSL2+
compliant + WiFi
#Firmware: 10.4.3.12.12
----------------------------------------------------------------------------------------------
Firmware Re-write using Unrestricted Upload of File (Insecure File Contents)
Reference ID: CWE - 434
CVE - ID : CVE-2015-2049, CVE-2015-2876
Ref: https://cwe.mitre.org/data/definitions/434.html
Description: Teracom T2-B-Gawv1.4u10Y-BI Models are having clear type text
contents in Upload
File in Restore Configuration. After Modifying file uploaded malicious
scripts will be executed
in Firmware of the affected model. Which will allow an attacker to carry
out Arbitary Code
Execution.
Reproduce Vulnerability:
Step 1: Go to Admin Pannel, you can find Backup file options to backup
config.
Step 2: Modify Config file Conexant.icf with malicious commands using Text
Editor
Step 3: Re-upload to the device using restore options
Step 4: Router will restart and executes the malicious commands into router.
Step 5: User will be using Malicious Router without concern as it will
remain undetected also in
antivirus.
Solution: An update will be solution.
----------------------------------------------------------------------------------------------
Management Server Link Access to External Resource
Reference ID: CWE - 610
CVE - ID: CVE-2016-0071
Ref: https://cwe.mitre.org/data/definitions/610.html
Description: Teracom T2-B-Gawv1.4u10Y-BI Models accepting link
modifications as no Hard-coded
is provided in Management Server Module. Any User is able to change with
default credentials.
Step 1: Re-write the link in Management Server Module.
Step 2: Apply necessary changes with malicious link.
Step 3: Re-start the server and changes are made.
Solution: Hard code the link parameter to avoid adding external resource
link to the Router.
----------------------------------------------------------------------------------------------
PoC :
https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing
`
Related
packetstorm
packetstorm
D-Link DCS-931L Arbitrary File Upload
2016-01-06 00:00:00
prion
prion
Unrestricted file upload
2015-02-23 17:59:00
Unrestricted file upload
2015-12-31 05:59:00
Memory corruption
2016-02-10 11:59:00
zdt
zdt
D-Link DCS-931L - Arbitrary File Upload (Metasploit)
2016-01-07 00:00:00
cvelist
cvelist
cve
cve
nvd
nvd
cert
cert
D-Link DCS-93xL model family allows unrestricted upload
2015-03-16 00:00:00
Seagate and LaCie wireless storage products contain multiple vulnerabilities
2015-09-01 00:00:00
symantec
symantec
checkpoint_advisories
checkpoint_advisories
Microsoft Internet Explorer Memory Corruption (MS16-009: CVE-2016-0071)
2016-02-09 00:00:00
openvas
openvas
Microsoft Internet Explorer Multiple Vulnerabilities (3134220)
2016-02-10 00:00:00
nessus
nessus
MS16-009: Cumulative Security Update for Internet Explorer (3134220)
2016-02-09 00:00:00
mskb
mskb
MS16-009: Cumulative Security Update for Internet Explorer: February 9, 2016
2016-02-09 00:00:00