Hello Team, Sorry for the typo in earlier draft.
The correct CVE IDs are both year 2015. 1) Unauthorized access of router's network troubleshooting page (ping.cgi) -- CVE-2015-6023 2) Command injection vulnerability on ping.cgi -- CVE-2015-6024 Regards, -Bhadresh On 05/03/2016 10:05 PM, Bhadresh Patel wrote: > Title: > ==== > > NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities > > Credit: > ====== > > Name: Bhadresh Patel > Company/affiliation: HelpAG > Website: www.helpag.com > > CVE: > ===== > > CVE-2015-6023, CVE-2016-6024 > > Date: > ==== > > 03-05-2016 (dd/mm/yyyy) > > Vendor: > ====== > > NetComm Wireless is a leading developer and supplier of high performance > communication devices that connect businesses and people to the internet. > > Products and services: > Wireless 3G/4G broadband devices > Custom engineered technologies > Broadband communication devices > > Customers: > Telecommunications carriers > Internet Service Providers > System Integrators > Channel partners > Enterprise customers > > Product: > ======= > > HSPA 3G10WVE is a wireless router > > It integrates a wireless LAN, HSPA module and voice gateway into one > stylish unit. Insert an active HSPA SIM Card into the slot on the rear > panel & get instant access to 3G internet connection. Etisalat HSPA > 3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two > Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which > means that one can stay connected using the internet & phone. If one > need a flexible internet connection for his business or at home; this is > the perfect solution. > > Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp > > > Abstract: > ======= > > Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an > anonymous unauthorized attacker to 1) bypass authentication and gain > unauthorized access of router's network troubleshooting page (ping.cgi) > and 2) exploit a command injection vulnerability on ping.cgi, which > could result in a complete system/network compromise. > > Report-Timeline: > ============ > 03-09-2015: Vendor notification > 08-09-2015: Vendor Response/Feedback > 02-05-2016: Vendor Fix/Patch > 03-05-2016: Public Disclosure > > Affected Software Version: > ============= > > 3G10WVE-L101-S306ETS-C01_R03 > > > Exploitation-Technique: > =================== > > Remote > > > Severity Rating (CVSS): > =================== > > 10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) > > > Details: > ======= > > Below listed vulnerabilities enable an anonymous unauthorized attacker > to gain access of network troubleshooting page (ping.cgi) on wireless > router and inject commands to compromise full system/network. > > 1) Bypass authentication and gain unauthorized access vulnerability - > CVE-2015-6023 > 2) Command injection vulnerability - CVE-2016-6024 > > Vulnerable module/page/application: ping.cgi > > Vulnerable parameter: DIA_IPADDRESS > > Proof Of Concept: > ================ > > PoC URL: > http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd > > PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk > > Patched/Fixed Firmware and notes: > ========================== > > ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin > > NOTE: Verified only by Vendor > > > > Credits: > ======= > > Bhadresh Patel > Senior Security Analyst > HelpAG (www.helpag.com) > > ******************************* Bhadresh Patel Senior Security Analyst Tel: +97144405666 Fax: +971 4 363 6742 Mob: +971529172297 Arjaan Office Tower, Office 1208 Dubai Internet City, Dubai United Arab Emirates ******************************* _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
