Vulners
Lucene search
MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation Vulnerability
# Exploit Title: Privilege escalation MitraStar routers
# Date: 28-10-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mitrastar.com/
# Provider Homepage: https://www.movistar.com/
# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php
Description
-----------
SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.
$ ssh [email protected] /bin/sh
This give us a shell with root permissions.
Note: the password for 1234 user is under the router.
You can copy all file system to your local machine using scp.
In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).
Solution
--------
In the latest firmware versions this have been fixed.
If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Oct 2017 00:00Current
7.1High risk
Vulners AI Score7.1