Zero Science Lab » Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service

Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service

Title: Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
Advisory ID: ZSL-2017-5444
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 27.12.2017

Summary

We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product.

Description

The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.

--------------------------------------------------------------------------------


  /lte/lteuicc.shtml:

 -------------------



 858: function RebootRequest()

 859: {

 860:     var url = "../cgi-bin/lte.cgi?";

 861:     var param = "Command=Reboot";

 862:     XHRPost(RebootHandle, url, param, false ); //sync call

 863: }

--------------------------------------------------------------------------------

Vendor

Telesquare Co., Ltd. - http://www.telesquare.co.kr

Affected Version

FwVer: SDT-CS3B1, sw version 1.2.0
LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S

Tested On

lighttpd/1.4.20

Vendor Status

N/A

PoC

b00t.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://cxsecurity.com/issue/WLB-2017120300
[2] https://packetstormsecurity.com/files/145555
[3] https://www.exploit-db.com/exploits/43401/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/136825

Changelog

[27.12.2017] - Initial release
[04.01.2018] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk