Option CloudGate Insecure Direct Object References Authorization Bypass

Title: Option CloudGate Insecure Direct Object References Authorization Bypass
Advisory ID: ZSL-2016-5333
Type: Local/Remote
Impact: Security Bypass, Cross-Site Scripting
Risk: (3/5)
Release Date: 25.06.2016
Summary
The CloudGate M2M gateway from Option provides competitively priced LAN to WWAN routing and GPS functionality in a single basic unit certified on all major US cellular operators (CDMA/EV-DO and WCDMA/HSPA+). The CloudGate is simple to configure locally or remotely from your PC, tablet or smartphone.
Description
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and directly access resources and functionality in the system, for example APIs, files, upload utilities, device settings, etc.
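Added example (not part of the advisory and not the vendor's code): a handler that returns an object based on the requested path alone, beside one that enforces a deny-by-default authorization check on every request. All paths, roles and function names are hypothetical and the sample data is constructed.

```python
# Added illustration: paths, roles and handlers are hypothetical,
# not taken from the CloudGate firmware.
from dataclasses import dataclass
from typing import Optional

# Constructed sample objects reachable through a device web interface.
RESOURCES = {
    "/api/settings": "device settings",
    "/api/upload": "upload utility",
    "/files/config.bak": "configuration backup",
    "/status": "public status page",
}

# Deny-by-default policy: each object names the roles allowed to reach it.
# None means no login is required; a path missing here is always refused.
POLICY = {
    "/api/settings": {"admin"},
    "/api/upload": {"admin"},
    "/files/config.bak": {"admin"},
    "/status": None,
}

@dataclass
class Session:
    user: str
    role: str

def handle_insecure(session: Optional[Session], path: str):
    """Direct object reference: the path alone decides what is returned."""
    if path in RESOURCES:
        return 200, RESOURCES[path]
    return 404, "not found"

def handle_checked(session: Optional[Session], path: str):
    """Same lookup, with authorization enforced on every request."""
    if path not in RESOURCES:
        return 404, "not found"
    if path not in POLICY:
        return 403, "forbidden"          # no policy entry: refuse
    allowed = POLICY[path]
    if allowed is None:
        return 200, RESOURCES[path]      # explicitly public object
    if session is None:
        return 401, "login required"
    if session.role not in allowed:
        return 403, "forbidden"
    return 200, RESOURCES[path]

def unprotected_paths():
    """Audit helper: objects served without a session that policy restricts."""
    return sorted(p for p in RESOURCES
                  if handle_insecure(None, p)[0] == 200
                  and handle_checked(None, p)[0] != 200)
```

Running `unprotected_paths()` as a regression test lists every object that is reachable without a session but restricted by policy.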
Vendor
Option NV - http://www.option.com
Affected Version
CG0192-11897
Tested On
lighttpd 1.4.39
firmware 2.62.4
Vendor Status
[11.06.2016] Vulnerability discovered.
[12.06.2016] Contact with the vendor.
[24.06.2016] No response from the vendor.
[25.06.2016] Public security advisory released.
PoC
cloudgate_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40016/
[2] https://cxsecurity.com/issue/WLB-2016060197
[3] https://packetstormsecurity.com/files/137654
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114490
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/114491
Changelog
[25.06.2016] - Initial release
[28.06.2016] - Added references [1], [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk