In the following paragraphs we describe the details of the vulnerabilities we identified.
a) Hard-coded credentials
A user can authenticate to the web server running on the device using the
credentials "Monitor:bigpond1". These credentials are hard-coded, and cannot
be changed by a normal user.
b) Command-injection vulnerability
The "ping.cgi" web page is subject to a command-injection vulnerability, as
the server-side script does not properly validate user-supplied input.
The following URL exploits this issue, executing the "ls /" command:
We are not aware of any updated firmware that corrects the issues described in
this advisory. We suggest that users disable web access on the WAN side.
17/09/2012 - Initial vendor contact.
18/09/2012 - Vendor replied asking for details.
19/09/2012 - The author replied and asked for a technical
contact. Disclosure date set to October 10th, 2012 (3
19/09/2012 - Vendor replied, providing the phone contact number of the
Technical Support Department.
20/09/2012 - The author replied, asking to keep all the communication
through e-mail, in order to keep track of the whole
24/09/2012 - No response from the vendor. The author re-sent the last
04/10/2012 - No response from the vendor. The author re-sent the last
11/10/2012 - Still no response from the vendor. Disclosure.