Hard-coded BigPond 3G21WB Credentials and Command-Injection Vulnerability
23 Oct. 2012
Summary
The firmware running on the affected routers is subject to multiple security issues that allow an unauthenticated attacker to gain administrative access to the device and execute arbitrary commands.
Credit:
The information has been provided by Roberto Paleari.
In the following paragraphs we describe the details of the vulnerabilities we identified.
a) Hard-coded credentials
A user can authenticate to the web server running on the device using the
credentials "Monitor:bigpond1". These credentials are hard-coded, and cannot
be changed by a normal user.
b) Command-injection vulnerability
The "ping.cgi" web page is subject to a command-injection vulnerability, as
the server-side script does not properly validate user-supplied input.
The following URL exploits this issue, executing the "ls /" command:
http:///ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd
[REMEDIATION]
We are not aware of an updated firmware that corrects the issues described in
this advisory. We suggest users to disable web access on the WAN side.
Disclosure Timeline:
17/09/2012 - Initial vendor contact.
18/09/2012 - Vendor replied asking for details.
19/09/2012 - The author replied and asked for a technical
contact. Disclosure date set to October 10th, 2012 (3
weeks).
19/09/2012 - Vendor replied, providing the phone contact number of the
Technical Support Department.
20/09/2012 - The author replied, asking to keep all the communication
through e-mail, in order to keep track of the whole
conversation.
24/09/2012 - No response from the vendor. The author re-sent the last
e-mail.
04/10/2012 - No response from the vendor. The author re-sent the last
e-mail (again).
11/10/2012 - Still no response from the vendor. Disclosure.
