Multiple Vulnerabilities in TERACOM ROUTER
#Author: Ajay Gowtham aka AJOXR
#Contact: gowtham.ajay5 at gmail.com
#Vulnerability Type: Insecure Upload File Permissions
#Affected Module: Upload Functionality
#Criticality: Medium
#Device Model: BSNL Teracom T2-B-Gawv1.4U10Y-BI is WiFi enabled ADSL2+
compliant + WiFi
#Firmware: 10.4.3.12.12
----------------------------------------------------------------------------------------------
Firmware Re-write using Unrestricted Upload of File (Insecure File Contents)
Reference ID: CWE - 434
CVE - ID : CVE-2015-2049, CVE-2015-2876
Ref: https://cwe.mitre.org/data/definitions/434.html
Description: Teracom T2-B-Gawv1.4u10Y-BI Models are having clear type text
contents in Upload
File in Restore Configuration. After Modifying file uploaded malicious
scripts will be executed
in Firmware of the affected model. Which will allow an attacker to carry
out Arbitary Code
Execution.
Reproduce Vulnerability:
Step 1: Go to Admin Pannel, you can find Backup file options to backup
config.
Step 2: Modify Config file Conexant.icf with malicious commands using Text
Editor
Step 3: Re-upload to the device using restore options
Step 4: Router will restart and executes the malicious commands into router.
Step 5: User will be using Malicious Router without concern as it will
remain undetected also in
antivirus.
Solution: An update will be solution.
----------------------------------------------------------------------------------------------
Management Server Link Access to External Resource
Reference ID: CWE - 610
CVE - ID: CVE-2016-0071
Ref: https://cwe.mitre.org/data/definitions/610.html
Description: Teracom T2-B-Gawv1.4u10Y-BI Models accepting link
modifications as no Hard-coded
is provided in Management Server Module. Any User is able to change with
default credentials.
Step 1: Re-write the link in Management Server Module.
Step 2: Apply necessary changes with malicious link.
Step 3: Re-start the server and changes are made.
Solution: Hard code the link parameter to avoid adding external resource
link to the Router.
----------------------------------------------------------------------------------------------
PoC :
https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing