Skip to content
cyberexploits
webappwebtext

NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities

NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities

Published on 2016-05-04

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/cgi/webapps/39762.txt7eac4c3a
raw
Title:

====



NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities



Credit:

======



Name: Bhadresh Patel

Company/affiliation: HelpAG

Website: www.helpag.com



CVE:

=====



CVE-2015-6023, CVE-2015-6024



Date:

====



03-05-2016 (dd/mm/yyyy)



Vendor:

======



NetComm Wireless is a leading developer and supplier of high performance

communication devices that connect businesses and people to the internet.



Products and services:

Wireless 3G/4G broadband devices

Custom engineered technologies

Broadband communication devices



Customers:

Telecommunications carriers

Internet Service Providers

System Integrators

Channel partners

Enterprise customers



Product:

=======



HSPA 3G10WVE is a wireless router



It integrates a wireless LAN, HSPA module and voice gateway into one

stylish unit. Insert an active HSPA SIM Card into the slot on the rear

panel & get instant access to 3G internet connection. Etisalat HSPA

3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two

Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which

means that one can stay connected using the internet & phone. If one

need a flexible internet connection for his business or at home; this is

the perfect solution.



Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp





Abstract:

=======



Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an

anonymous unauthorized attacker to 1) bypass authentication and gain

unauthorized access of router's network troubleshooting page (ping.cgi)

and 2) exploit a command injection vulnerability on ping.cgi, which

could result in a complete system/network compromise.



Report-Timeline:

============

03-09-2015: Vendor notification

08-09-2015: Vendor Response/Feedback

02-05-2016: Vendor Fix/Patch

03-05-2016: Public Disclosure



Affected Software Version:

=============



3G10WVE-L101-S306ETS-C01_R03





Exploitation-Technique:

===================



Remote





Severity Rating (CVSS):

===================



10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)





Details:

=======



Below listed vulnerabilities enable an anonymous unauthorized attacker

to gain access of network troubleshooting page (ping.cgi) on wireless

router and inject commands to compromise full system/network.



1) Bypass authentication and gain unauthorized access vulnerability -

CVE-2015-6023

2) Command injection vulnerability - CVE-2016-6024



Vulnerable module/page/application: ping.cgi



Vulnerable parameter: DIA_IPADDRESS



Proof Of Concept:

================



PoC URL:

http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd



PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk



Patched/Fixed Firmware and notes:

==========================



ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin



NOTE: Verified only by Vendor







Credits:

=======



Bhadresh Patel

Senior Security Analyst

HelpAG (www.helpag.com)

View on GitHub