Menu

Search for hundreds of thousands of exploits

"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities"

Author

Exploit author

"Bhadresh Patel"

Platform

Exploit platform

cgi

Release date

Exploit published date

2016-05-04

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
Title:
====

NetCommWireless HSPA 3G10WVE Wireless Router  Multiple vulnerabilities

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-6023, CVE-2015-6024

Date:
====

03-05-2016 (dd/mm/yyyy)

Vendor:
======

NetComm Wireless is a leading developer and supplier of high performance
communication devices that connect businesses and people to the internet.

Products and services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices

Customers:
Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers

Product:
=======

HSPA 3G10WVE is a wireless router

It integrates a wireless LAN, HSPA module and voice gateway into one
stylish unit. Insert an active HSPA SIM Card into the slot on the rear
panel & get instant access to 3G internet connection. Etisalat HSPA
3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two
Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which
means that one can stay connected using the internet & phone. If one
need a flexible internet connection for his business or at home; this is
the perfect solution.

Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp


Abstract:
=======

Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an
anonymous unauthorized attacker to 1) bypass authentication and gain
unauthorized access of router's network troubleshooting page (ping.cgi)
and 2) exploit a command injection vulnerability on ping.cgi, which
could result in a complete system/network compromise.

Report-Timeline:
============
03-09-2015: Vendor notification
08-09-2015: Vendor Response/Feedback
02-05-2016: Vendor Fix/Patch
03-05-2016: Public Disclosure

Affected Software Version:
=============

3G10WVE-L101-S306ETS-C01_R03


Exploitation-Technique:
===================

Remote


Severity Rating (CVSS):
===================

10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Details:
=======

Below listed vulnerabilities enable an anonymous unauthorized attacker
to gain access of network troubleshooting page (ping.cgi) on wireless
router and inject commands to compromise full system/network.

1) Bypass authentication and gain unauthorized access vulnerability -
CVE-2015-6023
2) Command injection vulnerability - CVE-2016-6024

Vulnerable module/page/application: ping.cgi

Vulnerable parameter: DIA_IPADDRESS

Proof Of Concept:
================

PoC URL:
http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd

PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk

Patched/Fixed Firmware and notes:
==========================

ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin

NOTE: Verified only by Vendor



Credits:
=======

Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "Smoothwall Express 3.1-SP4 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2019-09-02 "Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery" webapps multiple "Bhadresh Patel"
2017-05-25 "Sophos Cyberoam - Cross-site scripting" webapps hardware "Bhadresh Patel"
2017-04-18 "Microsoft Word - '.RTF' Remote Code Execution" remote windows "Bhadresh Patel"
2016-05-04 "NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities" webapps cgi "Bhadresh Patel"
2015-11-16 "D-Link DIR-816L Wireless Router - Cross-Site Request Forgery" webapps hardware "Bhadresh Patel"
2014-01-24 "Ammyy Admin 3.2 - Authentication Bypass" local windows "Bhadresh Patel"
2013-03-29 "SynConnect Pms - 'index.php?loginid' SQL Injection" webapps php "Bhadresh Patel" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected