Message-ID: <b7a807650607161426t271e31a2leeea0ec9d7aae6c3@mail.gmail.com>
Date: Sun, 16 Jul 2006 22:26:02 +0100
From: pagvacito <unknown.pentester@...il.com>
To: bugtraq@...urityfocus.com
Subject: Unauthenticated access to BT Voyager config file and PPP credentials embedded in HTML form

The following is the updated version of a post sent to FD
[http://seclists.org/lists/fulldisclosure/2006/Jul/0137.html] ...
Title: Unauthenticated access to BT Voyager config file and PPP
credentials embedded in HTML form
Successfully tested against:

- BT Voyager 2091 Wireless ADSL
- Firmware 2.21.05.08m_A2pB018c1.d16d
- Firmware 3.01m (latest version available as of 4 July 2006)

Note: the vendor was contacted at voyager2[ a t ]bt.com but did NOT respond.

Description:

A POST request to "/psiBackupInfo" with a "Content-Length" of zero (no
form variables submitted) returns the router's config file WITHOUT any
authentication credentials being required.

POST /psiBackupInfo HTTP/1.1
Host: 192.168.1.1
Connection: close
Content-Length: 0
<CRLF>
<CRLF>

Also, a regular GET request to "/connect.html" returns the PPP
username and password. Note that if tested in a web browser the user
will be redirected to another page immediately after receiving the
credentials. So I recommend testing this with telnet, netcat, some
MITM proxy like Paros, or the script provided
("btvoyager_getconfig.sh"). Additionally you can test it in a web browser
with JavaScript disabled (in order to block the JavaScript redirect
code).

GET /connect.html HTTP/1.1
Host: 192.168.1.1
Connection: close
<CRLF>
<CRLF>
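Both requests leave a recognisable trace, so a LAN-side web proxy or IDS log can be checked for them. The following is an added detection example, not part of the advisory or its PoC scripts; it assumes a constructed one-request-per-line log format (client IP, quoted request line, status, request body bytes) and an optional allowlist of trusted admin hosts, both of which are assumptions for this example.

```python
"""Flag the two unauthenticated BT Voyager requests from the advisory in a
LAN-side HTTP log. Log format below is assumed/constructed, not a real router log."""
import re
from typing import Dict, List, Optional, Set

# <client-ip> "<METHOD> <path> HTTP/x.y" <status> <request-body-bytes>
LINE_RE = re.compile(r'^(\S+)\s+"(\S+)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})\s+(\d+)$')

def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into fields; None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status, body_bytes = m.groups()
    return {"client": client, "method": method.upper(),
            "path": target.split("?", 1)[0],  # drop any query string
            "status": status, "body_bytes": int(body_bytes)}

def classify(rec: Dict) -> Optional[str]:
    """Name the signature a request matches, or None."""
    if rec["method"] == "POST" and rec["path"] == "/psiBackupInfo" and rec["body_bytes"] == 0:
        return "psiBackupInfo-empty-post"   # config dump without form data
    if rec["method"] == "GET" and rec["path"] == "/connect.html":
        return "connect.html-ppp-creds"     # page embeds PPP username/password
    return None

def scan_log(text: str, trusted_admins: Set[str] = frozenset()) -> List[Dict]:
    """Return alerts for successful signature hits from non-trusted hosts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in trusted_admins:
            continue
        name = classify(rec)
        if name and rec["status"] == "200":  # only a 200 actually returns the data
            alerts.append({"client": rec["client"], "alert": name, "path": rec["path"]})
    return alerts

# Constructed sample log for demonstration; not a real capture.
SAMPLE_LOG = """\
192.168.1.23 "POST /psiBackupInfo HTTP/1.1" 200 0
192.168.1.23 "GET /connect.html HTTP/1.1" 200 0
192.168.1.10 "GET /index.html HTTP/1.1" 200 0
192.168.1.10 "GET /connect.html?x=1 HTTP/1.1" 200 0
192.168.1.23 "POST /psiBackupInfo HTTP/1.1" 200 87
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, trusted_admins={"192.168.1.10"}):
        print(alert)
```

A POST to /psiBackupInfo that carries form data is left alone here because an authenticated backup from the admin host looks the same at this layer; the allowlist is what separates the two.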
Screenshots:

- http://ikwt.com/projects/config_file_crack.jpg
- http://ikwt.com/projects/leaked_ppp_creds.jpg
PoC Scripts:

- http://ikwt.com/projects/btvoyager_getconfig.sh - gets config file
without authentication (the config file includes sensitive info such
as router's admin username and password, WEP key and PPP username and
password)
- http://ikwt.com/projects/btvoyager_getpppcreds.sh - gets PPP
credentials without authentication
- http://ikwt.com/projects/btvoyager_decoder.c - decodes credentials
found in config file (strings made of hex values)
Attack Scenarios:

BT Voyager's web interface is only enabled for internal (LAN) use by
default. Also, the 2091 and other BT Voyager models come with an
encryption key set by default from the factory. That means that whoever
exploits this vulnerability would most likely be an internal attacker:
typically someone who already has legitimate access to the LAN, or an
external attacker who cracks the encryption key and thereby becomes an
internal user.

It is possible to enable the web interface for Internet use in BT
Voyager routers, but this is NOT the default setup. So, although there
might be some BT Voyagers' web interfaces out there on the Internet at
this moment, I'm sure it's not that many.

BT Voyagers are usually found in homes and SOHOs. So home users and
small offices using a vulnerable model will be affected by this bug.


References:

http://www.bt.com/voyager
http://www.voyager.bt.com/gpl.htm
http://www.faster.bt.com/faqs.asp
-- 
pagvac
[http://ikwt.com/]