


Axesstel MV 410R multiple flaws



Multiple Flaws in Axesstel MV 410R

by Filip Palian

"http://192.168.0.1/cgi-bin/sysconf.cgi?RESTORE=RESTORE" (user
confirmation not needed) will reset device to default configuration.

#10 Permanent XSS
It's possible to plant permanent XSS in the web interface using
"http://192.168.0.1/cgi-bin/sysconf.cgi" script. 

#11 Automatic redirection
Some scripts perform an automatic redirection after execution. This feature
may be used to hide, for example, a CSRF attack: evilsite.com leads to
"http://192.168.0.1/cgi-bin/wireless.cgi", where the script is executed, and
it automatically redirects back to evilsite.com.
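As an added defender-side example (not part of this advisory), the following Python flags requests to the two CGI scripts named above whose Referer is absent or points to a host other than the device, which is the trace a cross-site request of the kind described in #11 leaves in an access log. It assumes Combined Log Format lines from a proxy or log sink in front of the router (the MV 410R itself is not known to write such a log); the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (Combined Log Format). Assumption: a proxy or
# syslog sink in front of the router records requests in this format.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2009:10:01:02 +0200] "GET /cgi-bin/wireless.cgi?ssid=x HTTP/1.1" 302 0 "http://evilsite.com/page.html" "Mozilla/5.0"
10.0.0.5 - - [02/Jul/2009:10:02:15 +0200] "GET /cgi-bin/sysconf.cgi?RESTORE=RESTORE HTTP/1.1" 200 512 "http://192.168.0.1/cgi-bin/sysconf.cgi" "Mozilla/5.0"
10.0.0.7 - - [02/Jul/2009:10:03:30 +0200] "GET /cgi-bin/sysconf.cgi?RESTORE=RESTORE HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Jul/2009:10:04:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "http://evilsite.com/" "Mozilla/5.0"
"""

# Hosts under which the device's own web interface is reached (from the advisory).
DEVICE_HOSTS = {"192.168.0.1"}
# State-changing CGI scripts named in the advisory.
SENSITIVE_SCRIPTS = {"/cgi-bin/sysconf.cgi", "/cgi-bin/wireless.cgi"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_cross_site_cgi(log_text):
    """Return (client_ip, path, referer) for every call to a sensitive CGI
    script whose Referer is missing ("-") or names a host other than the
    device itself. A same-device Referer is the normal case for a request
    submitted from the router's own web interface."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed Combined Log Format line
        path = urlsplit(m["target"]).path
        if path not in SENSITIVE_SCRIPTS:
            continue
        # urlsplit("-").hostname is None, so a missing Referer is flagged too.
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host not in DEVICE_HOSTS:
            findings.append((m["ip"], path, m["referer"]))
    return findings


if __name__ == "__main__":
    for ip, path, ref in flag_cross_site_cgi(SAMPLE_LOG):
        print(f"{ip} called {path} with Referer {ref!r}")
```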

Status:
At the moment no fixes have been provided by the vendor. As a workaround,
administrators should:
#1 restrict access to the device to the LAN only
#2 change the default administrator password (it can still be sniffed on the LAN)
#3 enable Wi-Fi encryption
#4 turn on client MAC address filtering
#5 turn off SSID broadcasting

Disclosure timeline:
11 V 2009: Detailed information with examples and PoCs sent to the vendor
(cert@telekomunikacja.pl).
    12 V 2009: Initial vendor response.
19 V 2009: Question about the status sent to the vendor.
    19 V 2009: No reasonable response from the vendor.
9 VI 2009: Question about the status sent to the vendor.
    No response.
16 VI 2009: Notification that the bulletin will be released sent to the vendor.
    17 VI 2009: No reasonable response from the vendor.
19 VI 2009: Last notification that the bulletin will be released sent to the
vendor.
    No response.
23 VI 2009: Last notification that the bulletin will be released sent to the
vendor.
    No response: ": host mailin.tpsa.pl[212.160.172.68] said: 451 Unable
    to contact LDAP".
25 VI 2009: Last and final notification that the bulletin will be released
sent to the vendor.
    No response.
02 VII 2009: Security bulletin released.
    Response: ?

Rationale:
The vendor has responded neither responsibly nor reasonably within 34
working days. The bulletin was released in the hope that users will be able
to protect themselves against these serious threats before the vendor
releases fixes and before the bad guys reach them first.

Links:
* http://orange.pl/ 
* http://tp.pl/ 
* http://www.axesstel.com/ 


Best regards,
Filip Palian

