Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events
Title: Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events
Advisory ID: ZSL-2017-5446
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, DoS, System Access
Risk: (4/5)
Release Date: 27.12.2017
LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S
[04.01.2018] - Added reference [1]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5446
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, DoS, System Access
Risk: (4/5)
Release Date: 27.12.2017
Summary
We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product.Description
WebDAV is enabled with directory listing and dangerous HTTP methods allowed: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK and UNLOCK. The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. An attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of the server (by uploading server-executable code), or other attacks. The other methods can be used to delete/move/overwrite/create files and cause denial of service scenarios and/or phishing attacks.Vendor
Telesquare Co., Ltd. - http://www.telesquare.co.krAffected Version
FwVer: SDT-CS3B1, sw version 1.2.0LteVer: ML300S5XEA41_090 1 0.1.0
Modem model: PM-L300S
Tested On
lighttpd/1.4.20Vendor Status
N/APoC
sdt-cs3b1_webdav.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2017120301Changelog
[27.12.2017] - Initial release[04.01.2018] - Added reference [1]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
