Axesstel MV 410R Bypass / XSS

`Multiple Flaws in Axesstel MV 410R  
  
by Filip Palian <filip (dot) palian (at) pjwstk (dot) edu (dot) pl  
  
Description:  
Axesstel MV 410R is a device offered by the two leading polish telecom  
operators Orange and Polish Telecom to provide broadband Internet in  
CDMA technology and it's already widely in use.  
  
Overview:  
Axesstel MV 410R firmware and its default configuration has many flaws,  
which allows remote unauthorized access to device and the internal  
network behind it.  
  
#1 Access from the Internet to device enabled by default  
Anyone is able to automatically detect devices, which are online and  
conduct the attack. It's simplified even more as the oparator IP address  
space is reserved for the services using this device.  
  
#2 No HTTPS support for the web interface  
Communication to the web interface can be sniffed by the attacker.  
  
#3 System doesn't force administrator to change default password upon  
first login  
Many administrators leave it unchanged.  
  
#4 Brute-force attack on admin account  
Login attempts are not limited at all.  
  
#5 Denial of Service  
It's trivial to conduct a successful SYN flood attack from WAN and LAN.  
  
#6 Wi-Fi encryption is disabled by default  
Communication in the LAN can be sniffed by the attacker.  
#7 SSID broadcast is enabled by default  
Anyone can connect to the LAN without any problems.  
  
#8 Input data validation  
Validation in the web interface is realised by the JavaScript. Disabling  
it in the browser allows for inputing malicious content.  
  
#9 Executing CGI scripts via GET method  
It is possible to pass parameters directly to the CGI scripts via GET  
method. It bypasses JavaScript validation and simplifies the attack. For  
example execution of  
"http://192.168.0.1/cgi-bin/sysconf.cgi?RESTORE=RESTORE" (user  
confirmation not needed) will reset device to default configuration.  
  
#10 Permanent XSS  
It's possible to plant permanent XSS in the web interface using  
"http://192.168.0.1/cgi-bin/sysconf.cgi" script.  
  
#11 Automatic redirection  
Some scripts do the automatic redirection after execution. This feature  
may be used to hide for example a CSRF attack. evilsite.com leads to  
"http://192.168.0.1/cgi-bin/wireless.cgi" where script is executed and  
it autoredirects back to evilsite.com.  
  
Status:  
At the moment no fixes were provided by the vendor. As a workaround  
administrator should:  
#1 restrict access to device only from LAN  
#2 change the default administrator password (still can be sniffed in LAN)  
#3 enable Wi-Fi encryption  
#4 turn on clients MAC addresses filtering  
#5 turn off SSID broadcasting  
  
Disclousure timeline:  
11 V 2009: Detailed information with examples and PoCs sent to vendor  
([email protected]).  
12 V 2009: Initial vendor response.  
19 V 2009: Question about the status sent to the vendor.  
19 V 2009: No reasonable response from the vendor.  
9 VI 2009: Question about the status sent to the vendor.  
No response.  
16 VI 2009: Notification that bulletin will be released send to the vendor.  
17 VI 2009: No reasonable response from the vendor.  
19 VI 2009: Last notification that bulletin will be released send to the  
vendor.  
No response.  
23 VI 2009: Last notification that bulletin will be released send to the  
vendor.  
No response: "<[email protected]>: host  
mailin.tpsa.pl[212.160.172.68] said: 451 Unable  
to contact LDAP".  
25 VI 2009: Last and final notification that bulletin will be released  
send to the vendor.  
No response.  
02 VII 2009: Security bulletin released.  
Response: ?  
  
Rationale:  
The vendor hasn't responded neither responsibly nor reasonably within 34  
working days. The bulletin was released in hope that users will be able  
to protect themselves against these serious threats before vendor will  
realese fixes and before the bad guys will reach them first.  
  
Links:  
* http://orange.pl/  
* http://tp.pl/  
* http://www.axesstel.com/  
  
  
Best regards,  
Filip Palian  
`