Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Hidden Features

2018.07.17
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Hidden Features Vendor: Microhard Systems Inc. Product web page: http://www.microhardcorp.com Affected version: IPn4G 1.1.0 build 1098 IPn3Gb 2.2.0 build 2160 IPn4Gb 1.1.6 build 1184-14 IPn4Gb 1.1.0 Rev 2 build 1090-2 IPn4Gb 1.1.0 Rev 2 build 1086 Bullet-3G 1.2.0 Rev A build 1032 VIP4Gb 1.1.6 build 1204 VIP4G 1.1.6 Rev 3.0 build 1184-14 VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 IPn3Gii / Bullet-3G 1.2.0 build 1076 IPn4Gii / Bullet-LTE 1.2.0 build 1078 BulletPlus 1.3.0 build 1036 Dragon-LTE 1.1.0 build 1036 Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! The IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. The all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. Desc: Plenty of undocumented and hidden features are present via the web management interface. These features allow an authenticated attacker to take full control of the device and/or modify internal OS settings, read arbitrary files or even render the device unusable. Tested on: httpd-ssl-1.0.0 Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2018-5482 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5482.php 13.03.2018 -- http://192.168.1.1/cgi-bin/webif/conf-bclc.sh - BCLC Configuration http://192.168.1.1/cgi-bin/webif/coova-chilli.sh - hotspot configuration http://192.168.1.1/cgi-bin/webif/hardware.sh - info hardware device model http://192.168.1.1/cgi-bin/webif/info-about.sh - vip 2.0 scrolling info http://192.168.1.1/cgi-bin/webif/info-notes.sh - notes (between adminz?) http://192.168.1.1/cgi-bin/webif/ipsec.sh - ipsec tool Usage: http://192.168.1.1/cgi-bin/webif/ipsec.sh?cmd=listall|status|enable-debug|disable-debug|cat-secrets|syslog|cat-conf|gre-tunnel|vpnlog http://192.168.1.1/cgi-bin/webif/ipsec.sh?cmd=syslog i tako dalje. http://192.168.1.1/cgi-bin/webif/log-browse.sh - netfilter log http://192.168.1.1/cgi-bin/webif/log-dmesg.sh - kernel ring buffer dmesg log, linux version i DMESG related shit. http://192.168.1.1/cgi-bin/webif/log-read.sh - syslog messages http://192.168.1.1/cgi-bin/webif/log-setup.sh - log settings (remote, local, kernel log, boot time log) http://192.168.1.1/cgi-bin/webif/mcast.sh - multicast configuration http://192.168.1.1/cgi-bin/webif/module-forceLN930upgrade.sh - ln930 upgrade forceably http://192.168.1.1/cgi-bin/webif/network-ddns.sh - DynDNS settings http://192.168.1.1/cgi-bin/webif/network-firewall.sh - Firewall configuration (more options than the documented firewall config page) http://192.168.1.1/cgi-bin/webif/network-gre.sh - add new tunnel override gre-summary http://192.168.1.1/cgi-bin/webif/network-hosts.sh - Configured hosts, add/remove hosts in /etc/hosts file. http://192.168.1.1/cgi-bin/webif/module-upgrade.sh - module upgrade module firmware upgrade http://192.168.1.1/cgi-bin/webif/network-misc.sh - networking tweaks, max conns, timeout, icmp timeout, udp stream timeout, etc. http://192.168.1.1/cgi-bin/webif/network-mroutes.sh - routes configuration, static, dynamic, summary http://192.168.1.1/cgi-bin/webif/network-qos.sh - QoS configuration, qos packages to install http://192.168.1.1/cgi-bin/webif/network-routes.sh - more routes info and edit page http://192.168.1.1/cgi-bin/webif/network-services.sh - UPnP configuration, miniupnd install and linuxigd install daemons http://192.168.1.1/cgi-bin/webif/network-vlan.sh - network VLANs configuration http://192.168.1.1/cgi-bin/webif/network-wakeonlan.sh - Wake-On-LAN http://192.168.1.1/cgi-bin/webif/network-wan.sh - network wan configuration http://192.168.1.1/cgi-bin/webif/network-wlan.sh - wireless configuration http://192.168.1.1/cgi-bin/webif/ptcheck.sh - Production Check Process, model info, voltage, version bla bla http://192.168.1.1/cgi-bin/webif/qos-class.sh - QoS class configuration, mode, wan/lan port http://192.168.1.1/cgi-bin/webif/qos-global.sh - qos global config http://192.168.1.1/cgi-bin/webif/qos-local.sh - qos local config http://192.168.1.1/cgi-bin/webif/qos-status.sh - qos statistics (qos mode is disabled ima poruka :P) http://192.168.1.1/cgi-bin/webif/radioip.sh - NanoIP Radio Configuration http://192.168.1.1/cgi-bin/webif/status-asterisk.sh - Asterisk Simple Management (install asterisk packages) http://192.168.1.1/cgi-bin/webif/status-basic.sh - device status, ram usage, tracked connections http://192.168.1.1/cgi-bin/webif/status-conntrackread.sh - contrack table from status-basic.sh ;] http://192.168.1.1/cgi-bin/webif/status-connection.sh - netstat info http://192.168.1.1/cgi-bin/webif/status-crontabs.sh - Cron Tables list http://192.168.1.1/cgi-bin/webif/status-interfaces.sh - network interfaces, wan, lan http://192.168.1.1/cgi-bin/webif/status-iperf.sh - iperf network performance measurement tool (application/transport layer) http://192.168.1.1/cgi-bin/webif/status-iptables.sh - iptables status details http://192.168.1.1/cgi-bin/webif/status-leases.sh - dhcp leases http://192.168.1.1/cgi-bin/webif/status-modules.sh - loaded kernel modules http://192.168.1.1/cgi-bin/webif/status-pppoe.sh - PPPoE status, connect, disconnect, reconnect, etc. http://192.168.1.1/cgi-bin/webif/status-processes.sh - running processes, once clicked stop refreshing, you have a chance to choose which process to send which signal from 31 signals. http://192.168.1.1/cgi-bin/webif/status-qos.sh - qos stats http://192.168.1.1/cgi-bin/webif/status-usb.sh - USB devices list http://192.168.1.1/cgi-bin/webif/system-ipkg.sh - Packages add repository, uninstall binaries. http://192.168.1.1/cgi-bin/webif/system-confman.sh - Backup and Restore, reset VIP421.config file http://192.168.1.1/cgi-bin/webif/system-crontabs.sh - crontab configuration, edit, add, remove jobs http://192.168.1.1/cgi-bin/webif/system-editor.sh - file editor, view, delete, modify any file http://192.168.1.1/cgi-bin/webif/system-mount.sh - mountpoints, create, remove, modify http://192.168.1.1/cgi-bin/webif/system-services.sh - available services, telnet, ssh, ftp, auto, enable, disable, port change. http://192.168.1.1/cgi-bin/webif/system-snmp.sh - SNMP settings, community name, v3 auth pass, trap name http://192.168.1.1/cgi-bin/webif/system-startup.sh - system startup, /etc/init.d/custom-user-startup file /etc/rc.common i tako dalje http://192.168.1.1/cgi-bin/webif/tools-iperf.sh - uperf network performance measurement tool http://192.168.1.1/cgi-bin/webif/tools-log-browser.sh - netfilter log http://192.168.1.1/cgi-bin/webif/tools-wlan-rxonlymode.sh - WLAN Rx Only Mode Configuration http://192.168.1.1/cgi-bin/webif/verizon.sh - Verizon Test Page, modify CGDCONT to test, Resume CGDCONT


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top