BSNL Teracom Router Firmware Rewrite / Link Modification

2016.09.07
Credit: Ajay Gowtham
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Multiple Vulnerabilities in TERACOM ROUTER #Author: Ajay Gowtham aka AJOXR #Contact: gowtham.ajay5 at gmail.com #Vulnerability Type: Insecure Upload File Permissions #Affected Module: Upload Functionality #Criticality: Medium #Device Model: BSNL Teracom T2-B-Gawv1.4U10Y-BI is WiFi enabled ADSL2+ compliant + WiFi #Firmware: 10.4.3.12.12 ---------------------------------------------------------------------------------------------- Firmware Re-write using Unrestricted Upload of File (Insecure File Contents) Reference ID: CWE - 434 CVE - ID : CVE-2015-2049, CVE-2015-2876 Ref: https://cwe.mitre.org/data/definitions/434.html Description: Teracom T2-B-Gawv1.4u10Y-BI Models are having clear type text contents in Upload File in Restore Configuration. After Modifying file uploaded malicious scripts will be executed in Firmware of the affected model. Which will allow an attacker to carry out Arbitary Code Execution. Reproduce Vulnerability: Step 1: Go to Admin Pannel, you can find Backup file options to backup config. Step 2: Modify Config file Conexant.icf with malicious commands using Text Editor Step 3: Re-upload to the device using restore options Step 4: Router will restart and executes the malicious commands into router. Step 5: User will be using Malicious Router without concern as it will remain undetected also in antivirus. Solution: An update will be solution. ---------------------------------------------------------------------------------------------- Management Server Link Access to External Resource Reference ID: CWE - 610 CVE - ID: CVE-2016-0071 Ref: https://cwe.mitre.org/data/definitions/610.html Description: Teracom T2-B-Gawv1.4u10Y-BI Models accepting link modifications as no Hard-coded is provided in Management Server Module. Any User is able to change with default credentials. Step 1: Re-write the link in Management Server Module. Step 2: Apply necessary changes with malicious link. Step 3: Re-start the server and changes are made. Solution: Hard code the link parameter to avoid adding external resource link to the Router. ---------------------------------------------------------------------------------------------- PoC : https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing

References:

https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top