what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mimosa DoS / Code Execution / File Disclosure

Mimosa DoS / Code Execution / File Disclosure
Posted May 12, 2017
Authored by Ian Ling

Various Mimosa products suffer from denial of service, information leakage, code execution, and file disclosure vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, info disclosure
SHA-256 | 7a6b33948781fb136bf41b92bc58cc0a1e46942a8f3b19bcf9a9eab576873d05

Mimosa DoS / Code Execution / File Disclosure

Change Mirror Download
[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: https://blog.iancaling.com/post/160596244178

Vendor:
=================
https://mimosa.co

Products:
======================
Access Points (e.g. A5) <2.2.3
Client Radios (e.g. C5) <=2.2.3
Backhaul Radios (e.g. B5) <=2.2.3

Vulnerability Types:
===================
Remote Command Execution (RCE), Denial of Service (DoS), Local File
Disclosure, and Information Leakage

Vulnerability Details:
=====================

Mimosa Client (e.g. C5) and Backhaul (e.g. B5) models (<2.2.4) are
vulnerable to multiple vulnerabilities, including local file disclosure,
remote command execution (RCE), information leakage, and
denial-of-service (DoS) vulnerabilities.

All vulnerabilities below affect versions <2.2.3, except for the last
one (authenticated RCE #2), which also affects version =2.2.3.

Mimosa APas (<2.2.3) are also vulnerable to the MQTT information leakage
vulnerability explained below.

--Information leakage in the web interface (leads to DoS): There is a
page in the web interface that will show you the deviceas serial number,
regardless of whether or not you have logged in. There is another page
(also accessible without authenticating) that allows you to remotely
factory reset the device simply by entering the serial number.

--Information leakage in the MQTT broker (leads to DoS): These devices
run Mosquitto, a lightweight message broker, to send information between
devices. By using the vendoras hard-coded credentials to connect to the
broker on any device (whether it be an AP, Client, or Backhaul model),
an attacker can view all the messages being sent between the devices. If
an attacker connects to an AP, the AP will leak information about any
clients connected to it, including the serial numbers, which can be used
to remotely factory reset the clients.

--Unauthenticated remote command execution (RCE) in the MQTT broker
(leads to DoS): By connecting to the MQTT broker on the wireless AP and
a wireless client, an attacker can gather enough information to craft a
command that reboots the client remotely when sent to the clientas MQTT
broker. This command can be re-sent endlessly to act as a DoS attack on
the client.

--Unauthenticated local file disclosure: In the deviceas web interface,
there is a page that allows an attacker to use an unsanitized GET
parameter to download files from the device as the root user. The
attacker can download any file from the deviceas filesystem, including
block device images. This can be used to view unsalted, MD5-hashed
administrator passwords, which can then be cracked, giving the attacker
full admin access to the deviceas web interface. This vulnerability can
also be used to view the plaintext pre-shared key (PSK) for encrypted
connections, or to view the deviceas serial number (which leads to DoS).

--Authenticated remote command execution #1: In the deviceas web
interface, after logging in, there is a page that allows you to ping
other hosts from the device and view the results. The user is allowed to
specify which host to ping, but this variable is not sanitized
server-side, which allows an attacker to pass a specially crafted string
to execute shell commands as the root user.

--Authenticated remote command execution #2: On the backend of the
deviceas web interface, there are more tests the user can run than just
the ping test mentioned above. These other tests are not all shown on
the webpage; some are only accessible by crafting a POST request with a
program like cURL. There is one test accessible via cURL that does not
properly sanitize user input, allowing an attacker to execute shell
commands as the root user.


Disclosure Timeline:
===================================
2017/04/05 a Vendor notified of some of the above vulnerabilities
2017/04/05 a Vendor acknowledgement
2017/04/07 a Vendor notified of web interface RCE #1
2017/04/07 a Vendor acknowledges web interface RCE #1
2017/04/11 a Vendor releases patch for all vulnerabilities that were
known at the time
2017/04/11 a Web interface RCE vulnerability #2 discovered and reported
to vendor
2017/04/12 a Vendor acknowledges vulnerability
2017/05/12 a Public disclosure


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close