Wednesday, February 5, 2020

[PROSCEND] Authenticated Remote Code Execution in M302-L, M302-LG, M402-LG Industrial 4G LTE Cellular Router

Proscend M302-L / M302-LG series are industrial-grade 4G LTE Cellular Routers with 4-port 10/100 Mbps Ethernet interfaces for mission-critical cellular communications. Featuring powerful network protocols and VPN tunnels, M302-L / M302-LG series Industrial 4G LTE Cellular Routers provide secure and reliable applications for mobile, M2M, and Industrial Internet of Things (IIoT) deployments.
To fulfill market demand, Proscend M302-L / M302-LG series Industrial 4G LTE Cellular Routers are built with hardened industrial components, passing severe HALT (Highly Accelerated Life Test) certification and offering a wide operating range from -20 to 70°C for harsh environments. The M302-L / M302-LG series provide Dual SIM redundancy for seamless wireless connectivity. The M302-LG model is equipped with a GPS function and accurately displays the router's position for quickly managing existing devices. With the user-friendly interface, the M302-L and the M302-LG enable fast and easy configuration to reduce complicated settings.
Efficiently enhancing machine-to-machine communications for industrial networking, Proscend M302-L / M302-LG series Industrial 4G LTE Cellular Routers are highly suitable and cost-effective for your industrial solutions.

Authenticated RCE

When you first access the device, you land on the system status page. I noticed that at the bottom of the menu there is a Diagnosis section with a ping feature.

Before accessing the ping feature you must log in, in this case with the default credentials root:2wsx#EDC

Now we are at the ping page, ready to test this feature for arbitrary code execution.

We first tried pinging localhost to map the HTTP request.

I took a closer look at the command parameter, and I noticed that the full command is sent to the device, so I think there might be a chance to run any other OS command I want. I tested with the id command and it worked.
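A hardened form of such a ping handler, as an added example that is not from the original post or from Proscend's firmware: the request carries only a target host, which is validated and placed into a fixed argument vector, so no client-supplied text is ever treated as a command. The function names and the `/bin/ping` path are assumptions.

```python
import ipaddress
import re
import subprocess

# Hostname: dot-separated labels of letters, digits and hyphens,
# never starting or ending with a hyphen (so no "-option" lookalikes).
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
PING_BIN = "/bin/ping"  # assumed path on the device


def validate_target(target: str) -> str:
    """Return the target if it is an IP literal or a plain hostname."""
    if not isinstance(target, str) or not 1 <= len(target) <= 253:
        raise ValueError("target missing or too long")
    try:
        # Normalises IPv4/IPv6 literals; raises ValueError otherwise.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(target) is None:
        raise ValueError("target is not an IP address or hostname")
    return target


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    """Build the fixed command line; only the last element is user data."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return [PING_BIN, "-c", str(count), validate_target(target)]


def run_ping(target: str) -> str:
    # argv list with shell=False: no shell ever parses request data.
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=30, shell=False)
    return proc.stdout
```

The server, not the browser, decides which binary runs and with which options; a request that carries anything other than a host is rejected before a process is created.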

The versions found to be vulnerable to this are:
  • M302-L
  • M302-LG
  • M402-LG

I'm going to keep looking for this vulnerability in other versions and updating this post...



