Message-ID: <494FD97D.7080807@isecauditors.com>
Date: Mon, 22 Dec 2008 19:16:29 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Security Advisories] Multiple vulnerabilities in WiFi
 router COMTREND CT-536/HG-536+

=============================================
INTERNET SECURITY AUDITORS ALERT 2007-002
- Original release date: 31st January, 2007
- Last revised: 22nd December, 2008
- Discovered by: Daniel Fernandez Bleda
- Severity: 5/5
=============================================

I. VULNERABILITY
-------------------------
Multiple vulnerabilities in WiFi router COMTREND CT-536/HG-536+

II. BACKGROUND
-------------------------
The CT-536 is an 802.11g (54Mbps) wireless and wired Local Area
Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet ports and a
single USB port provide wired LAN connectivity, with an integrated
802.11g WiFi WLAN Access Point (AP) for wireless connectivity. The
CT-536 ADSL router provides state-of-the-art security features such
as WPA data encryption, a firewall and VPN pass-through.

III. DESCRIPTION
-------------------------
Improper input validation in the micro_httpd server permits multiple
attacks through this stateless server. Access control is also
deficient: the server does not enforce it at all. Credentials are
sent in clear text, so the "user" account could obtain them easily.

Some fields and data are not filtered, so XSS attacks and buffer
overflows can DoS the httpd configuration server. In some cases the
result is not limited to HTTP: the router needs a reboot, losing its
configuration and resetting to default values. This means default
passwords, an open wireless network, etc.

IV. PROOF OF CONCEPT
-------------------------
1. User "user" (the least privileged user, with read-only and limited
access to configuration reading) can request a resource it is not
allowed to access and the server will return the requested page,
including the password change resource:

http://192.168.0.1/password.html

2. The router sends the passwords of all 3 users in clear text inside
the HTML, to allow a fast check during the password change.

3. Some fields in the configuration description options are
vulnerable to Cross-Site Scripting attacks due to improper validation:

http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1

4. Some resources (e.g. the NAT table) are vulnerable to buffer
overflow attacks through their description fields, which seem to kill
the micro_httpd server although the router continues routing. Similar
behaviour is seen when requesting URLs that contain %13 and %10
characters, which do not match micro_httpd's checks for "..", "../"
and "/../".

5. User "user" gets "admin" privileges when connecting through the
TELNET service.

6. User "support" does not seem to exist at all.

7. The SSH service cannot replace TELNET or HTTP, since it does not
seem to exist at all in the router!
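
Point 4 describes two defects in one request path: a traversal check
applied to the raw (still percent-encoded) URL, and no bound on how much
of the URL is copied. The validator below is an added illustration of
the corrected order of operations, not code from micro_httpd or from the
router firmware: decode first, reject control characters, copy into a
bounded buffer, and only then test for ".." components. The buffer
length and function name are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if `c` is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `raw` into `out` (capacity `out_len`) and return true
 * only if the decoded path is acceptable. Hypothetical hardened check,
 * written for this advisory; the real server's code is not on the page. */
bool safe_request_path(const char *raw, char *out, size_t out_len) {
    size_t n = 0;
    for (const char *p = raw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            int hi = hex_val(p[1]);            /* short-circuits at NUL */
            if (hi < 0) return false;          /* malformed escape */
            int lo = hex_val(p[2]);
            if (lo < 0) return false;
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        /* %13, %10 and friends: control characters never belong in a path. */
        if (c < 0x20 || c == 0x7f) return false;
        /* Bounded copy: an over-long URL is refused, not overflowed. */
        if (n + 1 >= out_len) return false;
        out[n++] = (char)c;
    }
    out[n] = '\0';

    /* Only now, on decoded text, reject any ".." component. This also
     * catches "%2e%2e", which a check on the raw string would miss. */
    const char *seg = out;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (!slash) break;
        seg = slash + 1;
    }
    return true;
}
```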

V. BUSINESS IMPACT
-------------------------
DoS of the web configuration interface, although the router continues
routing.
DoS of the router, causing a reset of its configuration, which means
the wireless interface (enabled by default) starts up without any type
of protection, giving the possibility to access the router or the
network.
Reset of the router configuration.
Access with "admin" (privileged) permissions for user "user".

VI. SYSTEMS AFFECTED
-------------------------
Firmware until version A101-302JAZ-C01_R05 (current)

VII. SOLUTION
-------------------------
Change the router.

VIII. REFERENCES
-------------------------
http://www.comtrend.com
http://www.acme.com/software/micro_httpd/
http://www.jazztel.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
January   30, 2007: Initial release
April     18, 2007: First contact with the vendor. Minor corrections.
November  09, 2007: Some corrections applied.

XI. DISCLOSURE TIMELINE
-------------------------
January   30, 2007: Vulnerability acquired by
                    Internet Security Auditors
April     18, 2007: Initial vendor notification sent. No response.
May       01, 2007: Second vendor notification.
                    Response: will be studied.
May       22, 2007: Third vendor contact. Reported to their vendor for
                    analysis.
August    07, 2007: Fourth vendor contact. Problem seems to be not
                    easy to correct. R&D dept. is studying the
                    solution.
November  09, 2007: Fifth Vendor contact. No response.
November  19, 2007: Sixth Vendor contact. No response.
December  07, 2007: Seventh Vendor contact. Chipset vendor is working.
November  11, 2008: Last vendor contact. No response.
December  22, 2008: Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
