Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution

2017-12-27T00:00:00
ID ZSL-2017-5443
Type zeroscience
Reporter Gjoko Krstic
Modified 2017-12-27T00:00:00

Description

Title: Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
Advisory ID: ZSL-2017-5443
Type: Local/Remote
Impact: Cross-Site Scripting, System Access
Risk: (4/5)
Release Date: 27.12.2017

Summary

We introduce the SDT-CS3B1 LTE router, which is an SKT 3G and 4G LTE wireless communication-based LTE router product.

Description

The router suffers from authenticated arbitrary system command execution. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
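
One way to look for the cross-site requests described above in the web server's access log, as an added example that is not part of the original advisory. It assumes lighttpd's mod_accesslog is enabled with its default format; the log lines, the CGI path and the hostnames are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# lighttpd mod_accesslog default format (assumed to be in use):
#   %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(
    r'(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Widen this set if the device also performs actions on GET requests.
STATE_CHANGING = {"POST", "PUT", "DELETE"}

def classify(line):
    """Return 'same-origin', 'cross-origin', 'no-referer', or None if not relevant."""
    m = LINE.match(line)
    if not m or m["method"] not in STATE_CHANGING:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Referer can be stripped by the browser or a proxy: review, don't assume.
        return "no-referer"
    referer_host = urlsplit(referer).hostname or ""
    # %V is the requested host; strip an optional port before comparing.
    served_host = urlsplit("//" + m["vhost"]).hostname or ""
    return "same-origin" if referer_host == served_host else "cross-origin"

def suspicious(lines):
    """Yield (verdict, line) for state-changing requests not sent from the UI itself."""
    for line in lines:
        verdict = classify(line)
        if verdict in ("cross-origin", "no-referer"):
            yield verdict, line

# Constructed sample log lines; /cgi-bin/example.cgi is a placeholder path.
SAMPLE = [
    '192.168.1.10 192.168.1.1 - [27/Dec/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.10 192.168.1.1 - [27/Dec/2017:10:00:05 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 64 "http://192.168.1.1/admin.html" "Mozilla/5.0"',
    '192.168.1.10 192.168.1.1 - [27/Dec/2017:10:02:11 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 64 "http://other-site.example/page.html" "Mozilla/5.0"',
    '192.168.1.10 192.168.1.1 - [27/Dec/2017:10:03:40 +0000] "POST /cgi-bin/example.cgi HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, line in suspicious(SAMPLE):
        print(f"{verdict}: {line}")
```

A cross-origin hit with a 200 status means the router accepted a state-changing request that did not come from its own pages, which is the missing validity check the advisory describes.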

Vendor

Telesquare Co., Ltd. - <http://www.telesquare.co.kr>

Affected Version

FwVer: SDT-CS3B1, sw version 1.2.0
LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S

Tested On

lighttpd/1.4.20

Vendor Status

N/A

PoC

sdt-cs3b1_csrfrce.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://cxsecurity.com/issue/WLB-2017120299>
[2] <https://packetstormsecurity.com/files/145550>
[3] <https://www.exploit-db.com/exploits/43400/>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/136839>

Changelog

[27.12.2017] - Initial release
[04.01.2018] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
