QCMAP (Qualcomm Mobile Access Point) is a software suite that handles connectivity on devices built around Qualcomm MDM modems, such as LTE routers, mobile hotspots and smart meters. It exposes an administrative web interface for configuring those devices.
The web administrative portal has a classic command injection: user-supplied input reaches a shell, so appending a semicolon followed by a command of the attacker's choosing results in remote code execution.
The web admin portal is implemented as a set of CGI scripts that run actions on the device, so the usual memory corruption bug classes apply. One of the CGI scripts, the one that parses request parameters, stores them in a table with a fixed number of slots; sending a request with an excessive number of parameters overflows it.
A further issue is a NULL pointer dereference caused by sloppy string parsing. strstr returns a pointer to the first occurrence of a substring, but it returns NULL when the substring is absent, and that case is never checked before the pointer is used.
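To make the two CGI parsing bugs above concrete, here is an added example (not QCMAP's code) of a query-string parser with both defects, next to a bounded, NULL-checked version. The table size MAX_PARAMS, the parameter names and the query strings are constructed for illustration.

```c
/* Added example, not QCMAP's own code: a CGI parameter parser with the two
 * defects described above, beside a bounded, NULL-checked version.
 * MAX_PARAMS and the parameter names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_PARAMS 8   /* assumed fixed table size, deliberately small */

struct param {
    const char *key;
    const char *val;
};

/* Vulnerable: fills a fixed-size table with no bound check, so a request
 * with more than MAX_PARAMS '&'-separated fields writes past params[], and
 * uses the result of strstr() without testing it, so a field with no '='
 * writes a NUL byte through a NULL pointer. Never call this on untrusted
 * input; it is here only to show the bug shape. */
int parse_query_vulnerable(char *query, struct param *params)
{
    int n = 0;
    char *tok = query;
    while (tok && *tok) {
        char *amp = strchr(tok, '&');
        if (amp)
            *amp = '\0';
        char *eq = strstr(tok, "=");   /* NULL when the field has no '=' */
        params[n].key = tok;
        params[n].val = eq + 1;        /* pointer arithmetic on NULL */
        *eq = '\0';                    /* write through NULL: crash */
        n++;                           /* no check against MAX_PARAMS */
        tok = amp ? amp + 1 : NULL;
    }
    return n;
}

/* Hardened: refuses queries with more than max_params fields and treats a
 * field without '=' as a key with an empty value. Modifies query in place.
 * Returns the number of parameters parsed, or -1 if the limit is exceeded. */
int parse_query_safe(char *query, struct param *params, size_t max_params)
{
    size_t n = 0;
    char *tok = query;
    while (tok && *tok) {
        char *amp = strchr(tok, '&');
        if (amp)
            *amp = '\0';
        if (n >= max_params)
            return -1;                 /* too many parameters: reject request */
        char *eq = strstr(tok, "=");
        params[n].key = tok;
        if (eq) {
            *eq = '\0';
            params[n].val = eq + 1;
        } else {
            params[n].val = "";        /* missing '=' handled, no NULL deref */
        }
        n++;
        tok = amp ? amp + 1 : NULL;
    }
    return (int)n;
}

/* Look up a parameter by key; NULL if absent. */
const char *param_get(const struct param *params, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(params[i].key, key) == 0)
            return params[i].val;
    return NULL;
}

int main(void)
{
    struct param p[MAX_PARAMS];
    /* constructed input: one field has no '=' */
    char q1[] = "ssid=test&flag&chan=6";
    int n = parse_query_safe(q1, p, MAX_PARAMS);
    printf("parsed %d params, chan=%s, flag='%s'\n", n,
           param_get(p, n, "chan"), param_get(p, n, "flag"));
    /* constructed input: nine fields against an eight-slot table */
    char q2[] = "a=1&b=2&c=3&d=4&e=5&f=6&g=7&h=8&i=9";
    printf("oversized query -> %d\n", parse_query_safe(q2, p, MAX_PARAMS));
    return 0;
}
```

The safe parser checks the slot count before writing and handles a missing separator explicitly; the vulnerable one shows why a fuzzer that only varies parameter count, or drops the `=`, is enough to crash this kind of CGI.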
A second command injection exists in a restricted CLI that limits the user to a set of predefined functions. One of those functions has a very simple command injection vulnerability.
Overall, cool findings in a classically bad IoT device.