NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities

vendor:

HSPA 3G10WVE Wireless Router

by:

Bhadresh Patel

9,8

CVSS

CRITICAL

Bypass authentication and command injection

287, 78

CWE

Product Name: HSPA 3G10WVE Wireless Router

Affected Version From: 3G10WVE-L101-S306ETS-C01_R03

Affected Version To: 3G10WVE-L101-S306ETS-C01_R03

Patch Exists: YES

Related CWE: CVE-2015-6023, CVE-2015-6024

CPE: h:netcomm_wireless:hspa_3g10wve_wireless_router

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2016

NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities

Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an anonymous unauthorized attacker to 1) bypass authentication and gain unauthorized access of router's network troubleshooting page (ping.cgi) and 2) exploit a command injection vulnerability on ping.cgi, which could result in a complete system/network compromise.

Mitigation:

The vendor has released a patch to address the vulnerabilities.

Source

Exploit-DB raw data:

Title:
====

NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-6023, CVE-2015-6024

Date:
====

03-05-2016 (dd/mm/yyyy)

Vendor:
======

NetComm Wireless is a leading developer and supplier of high performance
communication devices that connect businesses and people to the internet.

Products and services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices

Customers:
Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers

Product:
=======

HSPA 3G10WVE is a wireless router

It integrates a wireless LAN, HSPA module and voice gateway into one
stylish unit. Insert an active HSPA SIM Card into the slot on the rear
panel & get instant access to 3G internet connection. Etisalat HSPA
3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two
Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which
means that one can stay connected using the internet & phone. If one
need a flexible internet connection for his business or at home; this is
the perfect solution.

Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp


Abstract:
=======

Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an
anonymous unauthorized attacker to 1) bypass authentication and gain
unauthorized access of router's network troubleshooting page (ping.cgi)
and 2) exploit a command injection vulnerability on ping.cgi, which
could result in a complete system/network compromise.

Report-Timeline:
============
03-09-2015: Vendor notification
08-09-2015: Vendor Response/Feedback
02-05-2016: Vendor Fix/Patch
03-05-2016: Public Disclosure

Affected Software Version:
=============

3G10WVE-L101-S306ETS-C01_R03


Exploitation-Technique:
===================

Remote


Severity Rating (CVSS):
===================

10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Details:
=======

Below listed vulnerabilities enable an anonymous unauthorized attacker
to gain access of network troubleshooting page (ping.cgi) on wireless
router and inject commands to compromise full system/network.

1) Bypass authentication and gain unauthorized access vulnerability -
CVE-2015-6023
2) Command injection vulnerability - CVE-2016-6024

Vulnerable module/page/application: ping.cgi

Vulnerable parameter: DIA_IPADDRESS

Proof Of Concept:
================

PoC URL:
http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd

PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk

Patched/Fixed Firmware and notes:
==========================

ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin

NOTE: Verified only by Vendor



Credits:
=======

Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)