Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service

Medium
Advisory ID: ZSL-2017-5444
Release Date: 27 December 2017
Vendor: Telesquare Co., Ltd. - http://www.telesquare.co.kr
Affected Version: FwVer: SDT-CS3B1, sw version 1.2.0, LteVer: ML300S5XEA41_090 1 0.1.0, Modem model: PM-L300S
Tested On: lighttpd/1.4.20
Summary

We introduce the SDT-CS3B1 LTE router, which is an SKT 3G and 4G LTE wireless communication based LTE router product.

Description

The router suffers from unauthenticated reboot command execution: the reboot request that the web interface sends to cgi-bin/lte.cgi is accepted without authentication. Attackers can exploit this issue to cause a denial of service.

/lte/lteuicc.shtml (lines 858-863):
-------------------
function RebootRequest()
{
    var url = "../cgi-bin/lte.cgi?";
    var param = "Command=Reboot";
    XHRPost(RebootHandle, url, param, false ); //sync call
}
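
A detection sketch for the request shown above, added here as an example and not part of the original advisory or the vendor's code. It assumes an inline proxy that logs request bodies as JSON lines; the record fields (ts, src, method, url, body, auth), the sample records and the management range are constructed for illustration.

```python
import ipaddress
import json
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (hypothetical JSON-lines format from an inline
# proxy that logs request bodies); "auth" = request carried credentials.
SAMPLE_LOG = """\
{"ts":"2017-12-27T10:00:01Z","src":"192.168.1.10","method":"POST","url":"/cgi-bin/lte.cgi?","body":"Command=Reboot","auth":true}
{"ts":"2017-12-27T10:05:42Z","src":"203.0.113.7","method":"POST","url":"/lte/../cgi-bin/lte.cgi?","body":"Command=Reboot","auth":false}
{"ts":"2017-12-27T10:06:03Z","src":"203.0.113.7","method":"POST","url":"/cgi-bin/lte.cgi?","body":"","auth":false}
{"ts":"2017-12-27T10:07:15Z","src":"192.168.1.10","method":"GET","url":"/lte/lteuicc.shtml","body":"","auth":true}
{"ts":"2017-12-27T10:08:30Z","src":"192.168.1.12","method":"POST","url":"/cgi-bin/lte.cgi?","body":"Command=Reboot","auth":false}
"""

TARGET = "/cgi-bin/lte.cgi"  # endpoint named in the advisory
MGMT_NET = ipaddress.ip_network("192.168.1.0/28")  # assumed admin range


def is_reboot(record):
    """True if the request sends Command=Reboot to lte.cgi (body or query)."""
    parts = urlsplit(record["url"])
    # Collapse dot segments so "/lte/../cgi-bin/lte.cgi" still matches.
    if posixpath.normpath(parts.path).lower() != TARGET:
        return False
    params = parse_qs(parts.query)
    for key, values in parse_qs(record.get("body", "")).items():
        params.setdefault(key, []).extend(values)
    return any(v.lower() == "reboot" for v in params.get("Command", []))


def find_suspect_reboots(log_text, mgmt_net=MGMT_NET):
    """Return (ts, src, reasons) for reboot requests that lack credentials
    or come from outside the management network."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if not is_reboot(rec):
            continue
        reasons = []
        if not rec.get("auth"):
            reasons.append("no-credentials")
        if ipaddress.ip_address(rec["src"]) not in mgmt_net:
            reasons.append("outside-mgmt-net")
        if reasons:
            findings.append((rec["ts"], rec["src"], reasons))
    return findings
```
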
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
27.12.2017 - Initial release
04.01.2018 - Added reference [1], [2], [3] and [4]
24.03.2026 - Added reference [5]