BSNL Teracom Router Firmware Rewrite / Link Modification

Related Vulnerabilities: CVE-2015-2049   CVE-2015-2876   CVE-2016-0071  
Publish Date: 03 Sep 2016
Author: Ajay Gowtham
                Multiple Vulnerabilities in TERACOM ROUTER

#Author: Ajay Gowtham aka AJOXR
#Contact: gowtham.ajay5 at gmail.com
#Vulnerability Type: Insecure Upload File Permissions
#Affected Module: Upload Functionality
#Criticality: Medium
#Device Model: BSNL Teracom T2-B-Gawv1.4U10Y-BI is WiFi enabled ADSL2+ compliant + WiFi
#Firmware: 10.4.3.12.12
----------------------------------------------------------------------------------------------
Firmware Re-write using Unrestricted Upload of File (Insecure File Contents)

Reference ID: CWE - 434
CVE - ID :  CVE-2015-2049, CVE-2015-2876

Ref: https://cwe.mitre.org/data/definitions/434.html

Description: On Teracom T2-B-Gawv1.4u10Y-BI models, the file uploaded through
Restore Configuration has clear-text contents. If the file is modified before
upload, the malicious scripts placed in it will be executed in the firmware of
the affected model, which allows an attacker to carry out arbitrary code
execution.

Reproduce Vulnerability:

Step 1: Go to the Admin Panel, where you can find the Backup file options to back up the config.
Step 2: Modify the config file Conexant.icf with malicious commands using a text editor.
Step 3: Re-upload it to the device using the restore options.
Step 4: The router will restart and execute the malicious commands.
Step 5: The user will keep using the malicious router without concern, as it will also remain undetected by antivirus.

Solution: An update will be the solution.
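
Added example (not from the original advisory or the vendor): one way a restore function can refuse a hand-edited backup is to attach an HMAC at export time and verify it before applying anything. The container header, the function names, the per-device key and the key=value sample are assumptions; the sample is constructed and is not the real Conexant.icf format.

```python
import hashlib
import hmac

MAGIC = b"CFGv1\n"   # hypothetical container header for signed backups
TAG_LEN = 32         # size of an HMAC-SHA256 tag in bytes

# Constructed sample config; NOT the real Conexant.icf layout.
SAMPLE_CONFIG = b"mgmt_server_url=https://acs.example.net/\nwifi_ssid=home\n"


def export_backup(config: bytes, device_key: bytes) -> bytes:
    """Return MAGIC || tag || config, with the tag covering header and body."""
    tag = hmac.new(device_key, MAGIC + config, hashlib.sha256).digest()
    return MAGIC + tag + config


def restore_backup(blob: bytes, device_key: bytes) -> bytes:
    """Return the config body only if its tag verifies; raise otherwise."""
    header_len = len(MAGIC) + TAG_LEN
    if not blob.startswith(MAGIC) or len(blob) < header_len:
        raise ValueError("not a signed backup")      # e.g. a plain text file
    tag, body = blob[len(MAGIC):header_len], blob[header_len:]
    expected = hmac.new(device_key, MAGIC + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time compare
        raise ValueError("backup was modified or signed with another key")
    return body


def is_accepted(blob: bytes, device_key: bytes) -> bool:
    """Convenience wrapper: True when restore_backup() would apply the file."""
    try:
        restore_backup(blob, device_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(range(32))  # constructed key; a device would keep its own secret
    signed = export_backup(SAMPLE_CONFIG, key)
    edited = signed.replace(b"acs.example.net", b"other.example.org")
    print("untouched backup accepted:", is_accepted(signed, key))
    print("edited backup accepted:   ", is_accepted(edited, key))
    print("unsigned text accepted:   ", is_accepted(SAMPLE_CONFIG, key))
```

The check only holds if the key cannot be read out of the device or the backup, and a per-device key means a backup restores only on the unit that produced it.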
----------------------------------------------------------------------------------------------
Management Server Link Access to External Resource

Reference ID: CWE - 610
CVE - ID: CVE-2016-0071

Ref: https://cwe.mitre.org/data/definitions/610.html

Description: Teracom T2-B-Gawv1.4u10Y-BI models accept modifications to the
link in the Management Server module, as no hard-coded link is provided. Any
user is able to change it with the default credentials.

Step 1: Re-write the link in Management Server Module.
Step 2: Apply necessary changes with malicious link.
Step 3: Restart the server and the changes are made.

Solution: Hard-code the link parameter to avoid an external resource link being added to the router.
----------------------------------------------------------------------------------------------

PoC :
https://drive.google.com/folderview?id=0B2p8gG1WpnRnek9GaEl3SXVod3c&usp=sharing