Date: Sat, 13 Aug 2016 02:58:24 +0000
From: Sebastian Michel <s.michel@...net-systems.de>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] German Cable Provider Router (In)Security

Hey guys,

I'm not sure if this is a new point, but I'm thinking about a possible security hole by design which maybe exists at many (German) cable providers.

German cable providers like Unitymedia/Kabel Deutschland provide you a Fritzbox or any other cable router for internet access. As you know, these routers have a MAC address on every interface, like on WiFi, Ethernet and so on. By default, the WiFi SSID is publicly available. The SSID gives you the MAC of the WiFi interface, right? If so, then you can calculate the MAC of the other interfaces by adding or subtracting one or maybe two from the last octet.

So, my theory: if you are able to fetch the SSID by wardriving, you should also get the MAC of the other interfaces, especially of the cable interface. Meaning: you should be able to calculate the MAC of any interface of the device.

If so: with a hardware debug interface you should be able to modify the firmware of a router like the well-known Fritzbox. This should give you the possibility to modify the MAC of the interfaces. If I'm right, then it must be easy to simply do some wardriving and collect some SSIDs from this provider. With this fetched and publicly available data I should be able to clone a Fritzbox.

As far as I know, routers like the Fritzbox get provisioned by the TR069 protocol. This means the router identifies itself via MAC against a TR069 provisioning server to get its configuration on first contact. So with this in mind, I should be able to clone the router, identify against a TR069 server, grab the config from the TR069 provisioning server and set up a clone of the official customer router.

Am I right or do I miss something in this idea???

Kind regards,
Sebastian Michel

________________________________
ProNet Systems UG & Co. KG
Rathausplatz 7
59846 Sundern
Tel.: +49 (0) 29 33 / 922 822 - 0
Fax: +49 (0) 29 33 / 922 822 - 99
Mail: s.michel@...net-systems.de
Web: www.pronet-systems.de

This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail or parts of it is not permitted. We have taken all customary measures to minimise the risk of spreading virus-infected software or e-mails. Nevertheless, we advise you to run your own virus checks on all attachments to this message. Except in cases of intent or gross negligence, we exclude liability for any loss or damage caused by virus-infected software or e-mails.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/