Exploiting these issues could allow a remote attacker to bypass authentication or execute arbitrary commands in the context of the affected device. An input-validation error in the BigPond Wireless Broadband Gateway 3G21WB ping.cgi script could allow a remote attacker to execute arbitrary commands via the DIA_IPADDRESS parameter.
The firmware running on the affected routers is subject to multiple security issues that allow an unauthenticated attacker to gain administrative access to the device and execute arbitrary commands. In the following paragraphs we describe the details of the vulnerabilities we identified.
a) Hard-coded credentials

A user can authenticate to the web server running on the device using the credentials "Monitor:bigpond1". These credentials are hard-coded in the firmware and cannot be changed by a normal user.

b) Command-injection vulnerability

The "ping.cgi" web page is subject to a command-injection vulnerability, as the server-side script does not properly validate the user-supplied DIA_IPADDRESS parameter before using it to build the ping command.
The following URL exploits this issue: the ";" terminates the intended ping command and the remainder of the parameter is executed as a second command, here "cat /etc/passwd":

http://<device IP address>/ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd
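To make the mechanism concrete, the following Python illustration (added here; it is not the 3G21WB's own CGI code, which is not on this page) mirrors the flaw and then shows the hardened form a practitioner would want. The parameter name DIA_IPADDRESS and the proof-of-concept payload are taken from the advisory; the command template "ping -c 3 <addr>" is an assumption about what the script runs. The vulnerable path only builds the shell string and tokenises it the way /bin/sh would, so the example runs offline without pinging anything; the hardened path allow-lists the input as a literal IP address and spawns the process with an argv list and no shell.

```python
"""Vulnerable vs. hardened handling of a user-supplied ping target.

Added illustration for the ping.cgi finding; assumptions are marked below.
"""
import ipaddress
import shlex
import subprocess
from urllib.parse import unquote

# Query-string value from the advisory's proof-of-concept URL
# (constructed here as a literal so the example runs offline).
POC_QUERY_VALUE = ";%20cat%20/etc/passwd"
POC_PAYLOAD = unquote(POC_QUERY_VALUE)  # '; cat /etc/passwd'


def vulnerable_command(dia_ipaddress: str) -> str:
    """Mirror the flaw: interpolate raw user input into a shell string.

    The command template is an assumption; the real script presumably hands
    a string like this to system() or popen(). We only build it here.
    """
    return "ping -c 3 %s" % dia_ipaddress


def shell_commands(cmd: str) -> list:
    """Tokenise a shell string as /bin/sh would and split it on ';'.

    Returns one argv list per command, which shows why a ';' inside the
    parameter turns the single intended ping into two commands.
    """
    commands, current = [], []
    for tok in shlex.shlex(cmd, punctuation_chars=True):
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_target(dia_ipaddress: str) -> bool:
    """Allow-list check: accept only a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(dia_ipaddress.strip())
        return True
    except ValueError:
        return False


def safe_ping_argv(dia_ipaddress: str) -> list:
    """Hardened version: validate, then build an argv list (never a shell string).

    ipaddress.ip_address() raises ValueError on anything that is not a bare
    address, so ';', spaces, '$(...)', backticks and hostnames are rejected
    before any process is spawned.
    """
    addr = ipaddress.ip_address(dia_ipaddress.strip())
    # With shell=False the address is a single argv element; no shell ever
    # parses it, so metacharacters cannot change the command.
    return ["ping", "-c", "3", str(addr)]


def run_safe_ping(dia_ipaddress: str) -> int:
    """Execute the hardened ping and return its exit status."""
    return subprocess.run(safe_ping_argv(dia_ipaddress), shell=False,
                          timeout=15).returncode


if __name__ == "__main__":
    print("vulnerable:", shell_commands(vulnerable_command(POC_PAYLOAD)))
    print("hardened accepts payload?", is_valid_target(POC_PAYLOAD))
    print("hardened argv:", safe_ping_argv("192.168.1.1"))
```

The fix that matters is the combination: an allow-list on the parameter (a literal address, nothing else) and an argv-based exec with no shell in between. Escaping the input for the shell instead is fragile and is not what the hardened path above does.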
Disclosure Timeline:
17/09/2012 - Initial vendor contact.
18/09/2012 - Vendor replied asking for details.
19/09/2012 - The author replied and asked for a technical contact. Disclosure date set to October 10th, 2012 (3 weeks).
11/10/2012 - Still no response from the vendor. Public disclosure.