Date: Sat, 13 Aug 2016 02:58:24 +0000
From: Sebastian Michel <s.michel@...net-systems.de>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] German Cable Provider Router (In)Security

Hey guys,

I'm not sure if this is a new point, but I'm thinking about a possible security hole by design
which exists at maybe many (German) cable providers.

German cable providers like Unitymedia/Kabel Deutschland provide you a Fritzbox or any other
cable router for internet access. As you know, these routers have a MAC address on every
interface, like on Wi-Fi, Ethernet and so on.

By default, the Wi-Fi SSID is publicly available. The SSID gives you the MAC of the Wi-Fi interface, right?
If so, then you can calculate the MAC of the other interfaces by adding or subtracting one or
maybe two from the last octet.

So, my theory:

If you are able to fetch the SSID by wardriving, you should also get the MAC of the other interfaces,
especially of the cable interface.

Meaning: you should be able to calculate the MAC of any interface of the device.

If so:

With a hardware debug interface you should be able to modify the firmware of a router like the well-known
Fritzbox. This should give you the possibility to modify the MAC of the interfaces. If I'm
right, then it must be easy by simply doing some wardriving and collecting some SSIDs from this provider.

With this fetched and publicly available data I should be able to clone a Fritzbox.

As I know, routers like the Fritzbox get provisioned by the TR069 protocol. This means the router
identifies itself via MAC against a TR069 provisioning server to get its configuration on the first
contact. So with this in mind, I should be able to clone the router, identify against a TR069 server,
grab the config from the TR069 provisioning server and set up a clone of the official customer router.

Am I right, or am I missing something in this idea???



Kind regards,

Sebastian Michel

________________________________

ProNet Systems UG & Co. KG
Rathausplatz 7
59846 Sundern

Tel.: +49 (0) 29 33 / 922 822 - 0
Fax: +49 (0) 29 33 / 922 822 - 99
Mail: s.michel@...net-systems.de
Web: www.pronet-systems.de




This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail
in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying or disclosure of this e-mail or of parts of
this e-mail is not permitted.

We have taken all customary measures to minimise the risk of spreading virus-infected software or e-mails. Nevertheless,
we advise you to run your own virus checks on all attachments to this message. Except in cases of intent or gross negligence,
we exclude liability for any loss or damage caused by virus-infected software or e-mails.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
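The post's "add or subtract one or two from the last octet" step, written out as a small Python helper. This is an added example and not code from the poster or from any vendor; the sample BSSID and the offset range are constructed for illustration. It does the arithmetic on the full 48-bit value so that a carry out of the last octet (…:44:ff + 1 becomes …:45:00) is handled rather than wrapping inside one byte, and it drops any candidate that would leave the observed OUI, since a vendor's block of consecutive addresses for one device never crosses an OUI boundary. It only enumerates candidates; whether the neighbouring interfaces of a given router actually use those addresses is the hypothesis of the post, not something this code establishes.

```python
"""Enumerate candidate MAC addresses adjacent to an observed Wi-Fi BSSID.

Added example, not from the original post. Models the poster's hypothesis
that a router's other interfaces use MACs that differ from the Wi-Fi BSSID
by a small offset. The sample BSSID and offsets are assumptions.
"""


def parse_mac(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (or 'aa-bb-…') into a 48-bit integer."""
    hexpart = mac.replace(":", "").replace("-", "").lower()
    if len(hexpart) != 12 or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(hexpart, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer as lowercase, colon-separated hex."""
    if not 0 <= value < 1 << 48:
        raise ValueError("MAC value out of range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def oui(value: int) -> int:
    """Upper 24 bits: the vendor's Organizationally Unique Identifier."""
    return value >> 24


def is_locally_administered(value: int) -> bool:
    """Bit 1 of the first octet set means the address was not burned in by
    the vendor; such a BSSID is a poor basis for the offset guess."""
    return bool((value >> 40) & 0x02)


def neighbour_macs(bssid: str, max_offset: int = 2) -> list[str]:
    """Return the MACs within +/- max_offset of bssid that share its OUI.

    Arithmetic is done on the whole 48-bit value, so a +1 on …:44:ff yields
    …:45:00 (carry into the fifth octet). Candidates whose OUI differs from
    the observed one are dropped: a consecutive block assigned to one device
    stays inside a single OUI, so those cannot belong to the same router.
    """
    base = parse_mac(bssid)
    candidates = []
    for offset in range(-max_offset, max_offset + 1):
        if offset == 0:
            continue
        cand = base + offset
        if cand < 0 or cand >= 1 << 48 or oui(cand) != oui(base):
            continue
        candidates.append(format_mac(cand))
    return candidates


if __name__ == "__main__":
    # Constructed sample BSSID, not a real device.
    sample = "00:11:22:33:44:ff"
    print("locally administered:", is_locally_administered(parse_mac(sample)))
    for mac in neighbour_macs(sample, max_offset=2):
        print(mac)
```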
