
T-Mobile Router Disclosure / Command Execution / Traversal / CSRF

Posted Jan 22, 2014
Authored by Johannes Greil | Site sec-consult.com

T-Mobile HOME NET Router LTE / Huawei B593u-12 version V100R001C54SP063 suffers from cross site request forgery, information disclosure, command injection, and directory traversal vulnerabilities.

tags | advisory, vulnerability, info disclosure, csrf
SHA-256 | 5ecc71b535700461b5eb90e9396b789a771cb54638c84b968532e6e4e659d99e

SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: T-Mobile HOME NET Router LTE / Huawei B593u-12
vulnerable version: V100R001C54SP063 (T-Mobile Austria)
fixed version: V100R001C55SP102 (T-Mobile Austria)
impact: Critical
homepage: http://www.t-mobile.at | http://www.huawei.com
found: 2013-12-12
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================


Business recommendation:
========================
By exploiting the critical vulnerabilities, an "unauthenticated" (guest)
attacker can gain administrative access to the router and manipulate settings.

Furthermore, attacks on the internal clients are possible via the Internet,
depending on the network setup of the mobile operator or customer (if the
router is reachable on the Internet via changed APN settings).


It is highly recommended not to use this product until a thorough security
review has been performed by security professionals. As a partial workaround,
the product should not be accessible from the Internet. Limit access only to
trusted (local) users internally. The firmware update has to be installed in
order to fix the identified vulnerabilities.

It is assumed that further critical vulnerabilities exist, as only a very
short crash test has been performed.


Vulnerability overview/description:
===================================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Attackers are able to log in to the router interface with a password-less
"guest" session and can gain access to sensitive information such as
configuration settings: wireless passwords of all configured WLAN networks in
clear text, configured port mappings, DMZ hosts, attached network
devices/clients, etc.

Attackers with access to one SSID/WLAN network of the router are hence able to
access other wireless networks because passwords are stored in clear text.

It is also possible to exploit this issue over the Internet, depending on the
mobile operator / customer setup (changed APN settings). SEC Consult has
identified multiple routers via Google search that are reachable over the
Internet (no tests have been performed!).



2) Change arbitrary settings as guest
-------------------------------------
The guest user of the web interface is able to manipulate all settings of the
router via CGI scripts. It is even possible to change settings in the XML
configuration (curcfg.xml) on the device that are not accessible (even as
admin) within the web interface (no GUI).



3) OS command injection
-----------------------
The "ping" feature of the diagnostics page suffers from an OS command
injection vulnerability. Attackers are able to run arbitrary commands on the
device and gain access to sensitive information such as configuration files.
Furthermore, internal clients can be attacked; "tcpdump" is even available
on the router.

This vulnerability has already been mentioned on this blog, so credits go
here too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html
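The root cause described above is a diagnostics handler that passes the user-supplied ping target to a shell. The fix is to validate the target as a literal IP address or plain hostname and to execute ping without any shell. The handler below is an added example written for this advisory, not the router's firmware code; the option set (`-c`, count) and the function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Hypothetical hardened replacement for the diagnostics "ping" handler (added
# example, not the device's code). Hostname labels follow RFC 1123: 1-63
# alphanumerics or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_target(target: str) -> str:
    """Return the target if it is an IPv4/IPv6 literal or a plain hostname.

    Anything else (shell metacharacters, whitespace, a leading '-' that ping
    would parse as an extra option) raises ValueError before any process runs.
    """
    if not target or len(target) > 253:
        raise ValueError("empty or overlong target")
    try:
        return str(ipaddress.ip_address(target))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid hostname")
    return target


def is_safe_target(target: str) -> bool:
    """Boolean form of validate_ping_target, convenient for callers and tests."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    """Build the argv list; the validated target is a single argv element."""
    return ["ping", "-c", str(int(count)), validate_ping_target(target)]


def run_ping(target: str) -> str:
    # shell=False (the default for a list argv): the arguments reach execve
    # directly, so nothing in the input is ever interpreted by /bin/sh.
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout
```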



4) USB management / FTP directory traversal
-------------------------------------------
The router offers the feature to share USB drives via FTP. It is possible to
exploit directory traversal when specifying the home path of the shared folder
and gain access to the root filesystem with read/write rights.

Unauthenticated "guest" attackers are also able to gain access to the router
via FTP even when there is no USB drive connected.

This vulnerability has already been mentioned on this blog, so credits go
here too ;)
http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html
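The FTP-share issue above arises because the configured "home path" of the shared folder is accepted without checking that it stays inside the USB mount. The containment check below is an added example, not the router's code; the share root `/mnt/usb` and the function names are assumptions, as the advisory does not name the real mount point.

```python
import os

# Assumed mount point of the shared USB drive (placeholder, not from the advisory).
USB_ROOT = "/mnt/usb"


def resolve_share_path(user_path: str, root: str = USB_ROOT) -> str:
    """Resolve a user-supplied share path and confirm it stays inside root.

    The input is treated as relative to the share root even when it starts
    with '/', then normalised lexically so '..' segments collapse before the
    containment check. A value that escapes root raises ValueError instead
    of being written to the configuration.
    """
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, user_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError(f"path escapes share root: {user_path!r}")
    # On a live device also compare os.path.realpath(candidate) against
    # os.path.realpath(root), so a symlink on the drive cannot redirect the
    # share outside the mount; omitted here because the paths do not exist.
    return candidate


def is_contained(user_path: str, root: str = USB_ROOT) -> bool:
    """Boolean form of resolve_share_path for callers and tests."""
    try:
        resolve_share_path(user_path, root)
        return True
    except ValueError:
        return False
```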



5) Cross site request forgery
-----------------------------
An attacker can use Cross Site Request Forgery to perform arbitrary web
requests with the identity of the victim without being noticed by the victim.

It is possible to exploit the vulnerabilities mentioned in this advisory with
CSRF and therefore execute arbitrary OS commands on the router even when no
admin is actively logged in.




Proof of concept:
=================
1) Access to sensitive configuration with guest session
-------------------------------------------------------
Detailed proof of concept has been removed for this advisory.


2) Change arbitrary settings as guest
-------------------------------------
Guest users are able to change arbitrary settings via built-in CGI commands.
It is even possible to change settings that are not visible in the web
interface even as administrator.

Detailed proof of concept has been removed for this advisory.


3) OS command injection
-----------------------
The affected CGI script suffers from OS command injection and can also be
exploited as guest user without a password!

Detailed proof of concept has been removed for this advisory.


4) USB management / FTP directory traversal
-------------------------------------------
Detailed proof of concept has been removed for this advisory.


5) Cross site request forgery
-----------------------------
As no token or other measures against CSRF are in place, it can be exploited
via standard methods over the Internet. It is possible to log in as guest user
remotely, receive the session cookie and then exploit the command execution
flaw.

No local user has to be actively logged in for that attack scenario!

Detailed proof of concept has been removed for this advisory.



Vulnerable / tested versions:
=============================
All vulnerabilities have been confirmed in the following device:

* T-Mobile Austria HOME NET Router (Huawei LTE B593u-12)

Latest firmware available (as of 12th December 2013): V100R001C54SP063
Downloaded from: http://www.t-mobile.at/info-und-support/dlc/DLC.php


It is assumed that different variants of this router from other Internet
service providers are affected too, depending on their firmware versions.
The router is being offered by many telecom operators world-wide and has a
large userbase.


Vendor contact timeline:
========================
2013-12-12: Contacting T-Mobile Austria via contacts from CERT.at
2013-12-13: Sending encrypted security advisory to T-Mobile Austria and Huawei PSIRT
2013-12-19: T-Mobile confirms vulnerabilities, plans rollout of new firmware for January 2014 and gives recommendations for customers (see solution)
2014-01-08: Asking T-Mobile Austria for status update
2014-01-08: T-Mobile: new firmware rollout is already in progress; informing CERT.at about status
2014-01-22: Coordinated release of security advisory without proof of concept



Solution:
=========
According to T-Mobile Austria, users will be notified of the new firmware
release; T-Mobile urges all customers to upgrade the firmware.

The firmware can also be installed manually:
http://www.t-mobile.at/info-und-support/dlc/DLC.php

Fixed firmware version: V100R001C55SP102
Direct download: http://download.t-mobile.at/a/dlc/V100R001C55SP102.tar.bz2


Vendor information (German):
http://blog.t-mobile.at/2014/01/22/software-updates-zu-verhinderung-von-sicherheitsluecken/


Workaround:
===========
As a partial workaround, the product should not be configured to be accessible
from the Internet. Limit access only to trusted (local) users internally.


Advisory URL:
=============
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF J. Greil / @2014