Multiple critical vulnerabilities in Ubee EVW3226 advanced wireless voice gateway

SEC Consult Vulnerability Lab Security Advisory < 20160602-0 >


title: Multiple critical vulnerabilities

product: Ubee EVW3226 Advanced wireless voice gateway

vulnerable version: Firmware EVW3226_1.0.20

fixed version: -

CVE number: -

impact: critical


found: 2016-01-09

by: Manuel Hofer (Office Vienna)

SEC Consult Vulnerability Lab


An integrated part of SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:


"Ubee Interactive is on a mission. A mission that began with the development

of our industry-defining line of DOCSIS cable modems. And one that continues

with a drive toward becoming the leading business-to-business provider of

broadband connectivity products and solutions worldwide. Our current product

portfolio includes data, voice, video, mobility and portable devices."





Business recommendation:


Network security should not depend on the security of independent devices, such

as cable modems. An attacker with root access to such a device can enable

attacks on connected networks, such as administrative networks managed by the

ISP or other cable modem users.


Vulnerabilities described in this security advisory might be exploited in

combination with other vulnerabilities not associated with this product (XSS in

web forums accessing the modem, malvertising, etc.).


It is highly recommended by SEC Consult not to use this device until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.


It is assumed that further critical vulnerabilities exist within the firmware

of this device.



Vulnerability overview/description:


1) Missing authentication for configuration download

The admin interface does not explicitly require any authentication prior to

downloading a previously requested configuration backup file.


2) Plaintext storage of administrative password

The password for the user "admin" is stored in clear text. An attacker with

access to the configuration file or the device itself, can easily obtain this

password. By exploiting issue 1) the clear text admin password can be retrieved.


3) "Encrypted" configuration backup not actually encrypted

A certain built in cgi action [removed] asks the user to provide a password in

order to "encrypt your configuration's backup". A quick analysis of this

function has shown that the configuration backup does not actually get encrypted,

and only a file "pass.txt" is appended to the archive containing the password

provided by the user, in cleartext. Additionally, this promotes a false sense of

security as in this case, an attacker with access to the configuration file can

easily obtain the clear text password for the admin interface.


4) Authenticated arbitrary file upload leading to arbitrary command execution

By analyzing the configuration file format and further exploiting a known

vulnerability inside the busybox tar implementation it is possible to upload

arbitrary files to the device. This enables an attacker to execute arbitrary

system commands and gain full root access on the device.


5) Heap-based buffer overflow vulnerability in URL decoding

The function responsible for URL decoding allocates the buffer for the decoded

string based on the number of '%' characters in the request string. This leads

to a heap based buffer overflow.



Proof of concept:


Since no public fix is available for any of the described vulnerabilities yet,

the proof of concept will not be published.



Vulnerable / tested versions:


The following firmware has been tested which was the most recent version

at the time of discovery:




Vendor contact timeline:


2016-01-13: Contacting for security contact of

UPC Austria (Liberty Global)

2016-01-17: Contacting vendor Ubee Interactive through

'' and ''

requesting security contact.

2016-01-17: Disclosure of identified vulnerabilities to UPC Austria in advance.

2016-01-20: No reply from Ubee Interactive. Requesting direct contact through

UPC Austria.

2016-01-22: Received contact at Ubee Interactive. Establishing contact with

<> again asking for public key to

send encrypted advisory.

2016-01-23: Sending unencrypted advisory to Michael Mao and Kyle Li at Ubee.

2016-02-29: Asking Ubee for status update.

2016-02-29: Ubee states vulnerabilities 1-4 are fixed. still working on 5.

Rollout to UPC customers will need more time.

2016-02-29: SEC Consult postpones release to 2016-04-04, after discussing the

issues with UPC Austria.

2016-04-04: Asking again for status of patch deployment. No answer, rescheduling.

2016-05-13: Announcing advisory release for 2016-06-02 to UPC and asking for

status of patch deployment again.

2016-05-13: UPC Austria replies. No details, status will be provided later.

2016-05-26: Asking again for status of patch deployment, reminding about release


2016-05-27: UPC Austria replies. Details on status will be provided next week.

2016-05-31: Advisory coordination with UPC.

2016-06-01: Receiving statement of UPC regarding patch status

2016-06-02: Public release of security advisory without detailed PoC as there

is no patch available.





There is no public patch available yet, it is currently in testing phase.


Here is a statement from UPC Austria concerning this issue:


"We are in close contact with the manufacturer and are working together on a

solution to the problems caused by the factory. The update will be implemented

some time in June following successful testing. In addition, UPC is continuing

with the modem swap project. Over the past 2 years, we have already provided more

than 200,000 customers in Austria and Switzerland with a new-generation modem

free of charge." (Source: UPC from 2016-06-01)





No workaround available.



Advisory URL:




SEC Consult Vulnerability Lab


SEC Consult

Bangkok - Berlin - Linz - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich


About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.



Interested to work with the experts of SEC Consult?

Send us your application

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices



Mail: research at sec-consult dot com





EOF Manuel Hofer / 2016