This is a repost of an analysis of mine that was posted on Zimperium's blog. Basically, I've found that the following products are vulnerable to remote command execution, plus various other logic errors n' stuff:
- YateBTS <= 5.0.0
- OpenBTS <= 4.0.0
- OpenBTS-UMTS <= 1.0.0
- Osmo-TRX/Osmo-BTS <= 0.1.10
- Other products that share the same transceiver code base.
Long story short, they bind the transceiver server process to `INADDR_ANY` (all interfaces) instead of `INADDR_LOOPBACK` (local host only). This makes it reachable by anyone on the same network, and no authentication mechanism was implemented. Moreover, there's an exploitable stack buffer overflow on the control socket; chain both of these issues together and ... well, you've got the idea :)
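As an added illustration (this is example code written for this post, not the transceiver code of the projects listed above), the C below shows the two bind choices side by side and a small audit helper that reports whether a socket is reachable only via loopback. The UDP socket type, port 0 (so it runs unprivileged) and all function names are assumptions made for the example; the real control socket details are in the linked analysis.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP socket bound to the given IPv4 address (host byte order) and port.
 * Port 0 lets the kernel pick a free port, so the example needs no privileges. */
int bind_udp_server(in_addr_t addr, uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(addr);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Weak configuration (assumed to mirror what the post describes): INADDR_ANY
 * means every interface, so any host on the same network can send commands. */
int open_control_socket_weak(void) {
    return bind_udp_server(INADDR_ANY, 0);
}

/* Corrected configuration: only processes on this host can reach the socket.
 * Note this only reduces exposure; the stack overflow in the command handler
 * mentioned in the post is a separate bug that still needs its own fix. */
int open_control_socket_fixed(void) {
    return bind_udp_server(INADDR_LOOPBACK, 0);
}

/* Returns 1 if the socket is bound to 127.0.0.1 only, 0 if it is bound to
 * all interfaces (or any other address), -1 on error. */
int bound_to_loopback_only(int fd) {
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return -1;
    return ntohl(sin.sin_addr.s_addr) == INADDR_LOOPBACK ? 1 : 0;
}

/* Audit helper: open a socket with the given policy, check it, close it,
 * and return the check result. */
int audit_bind(int (*opener)(void)) {
    int fd = opener();
    if (fd < 0) return -1;
    int result = bound_to_loopback_only(fd);
    close(fd);
    return result;
}

int main(void) {
    printf("weak  (INADDR_ANY):      loopback-only=%d\n", audit_bind(open_control_socket_weak));
    printf("fixed (INADDR_LOOPBACK): loopback-only=%d\n", audit_bind(open_control_socket_fixed));
    return 0;
}
```

The same `getsockname` check can be run from a unit test or a startup self-check so that a build that silently regresses to `INADDR_ANY` is caught before it is deployed next to untrusted hosts.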
All details and the analysis itself can be found here.