Date: Tue, 25 Sep 2012 13:00:21 GMT
From: come2waraxe@...oo.com
To: bugtraq@...urityfocus.com
Subject: [waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780

[waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-90.html

Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hardware: Thomson SpeedTouch ST780
Software Release: 7.4.4.7

###############################################################################
Insecure SSL Connection vulnerability in Thomson SpeedTouch ST780
###############################################################################

Let's assume that we use the Thomson SpeedTouch ST780 administration interface
over an HTTPS connection. The whole traffic is encrypted and hard for a third
party to eavesdrop on or modify. Now let's click the "Help" link in the upper
right corner. A new window pops up, containing contextual help:

https://192.168.1.254/helpfiles/b_index.htm?anchor=b_ST

I'm using Firefox 15.0.1 and it complains about security:

"Your connection to this site is only partially encrypted, and does not
prevent eavesdropping."

So what's the matter?
Let's have a look at the source code:

------------------------[ source code start ]----------------------------------
<html>
<head>
<title>THOMSON ST Help</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
<script type="text/javascript" src="anchors.js"></script>
<script type="text/javascript">
build='7.4.4.7';
fehLocation=build.split(".");
fehLocation.pop();
document.write('<script type="text/javascript" src="http://downloads.thomson.net/telecom/documentation/common/STFEH/R'
  +fehLocation.join("")+'/RES/en/anchors.js"><\/script>');
prodName='SpeedTouch';
prodNumber='780';
buildVariant='--';
boardName='BANT-R';
companyName='THOMSON';
</script>
<script type="text/javascript" src="main.js"></script>
</head>
<noscript>
Your browser is not Javascript-enabled. Some of the functions on this page will not work!
</noscript>
</html>
------------------------[ source code end ]------------------------------------

Actual HTTP request as seen by the "Live HTTP Headers" add-on:

----------------------------------------------------------
http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js

GET /telecom/documentation/common/STFEH/R744/RES/en/anchors.js HTTP/1.1
Host: downloads.thomson.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
----------------------------------------------------------

We can see that the javascript file is fetched over an insecure HTTP channel
and then executed within an HTTPS-enabled web page. If there is an attacker who
can eavesdrop on and modify communications between the client and the router,
it's possible to use a forged DNS reply and subsequently deliver arbitrary
javascript to the client. Such a malicious javascript payload is able to change
the router's configuration or steal sensitive information like WPA keys.
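The mixed-content condition described above can be caught before a page ships. The following is an added example written for this page, not code from the advisory or from Thomson: a small static scanner that flags active resources (script, link, iframe, object, embed) referenced over plain http:// from a page served over https://, including script URLs that are only assembled inside a document.write() string literal, as the ST780 help page does. The sample page below is an abridged copy of the help page quoted in the advisory; the upgradeToHttps() helper and its behaviour are this example's own, not a vendor fix.

```javascript
// Added example (not from the advisory or from Thomson): a static
// mixed-content scanner for pages served over HTTPS. It flags active
// resources (script, link, iframe, object, embed) referenced over plain
// http://, including script URLs assembled inside document.write() string
// literals, which is how the ST780 help page loads its remote anchors.js.

const ACTIVE_TAGS = ["script", "link", "iframe", "object", "embed"];

// Tag with src/href/data pointing at http://. The "\s*" after the quote also
// catches src=" http://..." (a leading space does not stop the browser).
const TAG_RE = new RegExp(
  `<(${ACTIVE_TAGS.join("|")})\\b[^>]*?\\b(?:src|href|data)\\s*=\\s*["']\\s*(http://[^"']+)["']`,
  "gi"
);
// Any document.write(...) call, and any http:// inside a quoted literal in it.
const WRITE_RE = /document\.write\s*\(([\s\S]*?)\)\s*;/gi;
const LITERAL_RE = /["'][^"']*?(http:\/\/[^"']*)["']/gi;

// Returns [{where, url}] for every http:// resource that a page served at
// pageUrl would load as active content. A page served over plain http://
// cannot have mixed content, so it returns [].
function findMixedContent(html, pageUrl) {
  if (!/^https:\/\//i.test(pageUrl)) return [];
  const findings = [];
  const seen = new Set();
  const add = (where, url) => {
    if (!seen.has(url)) {
      seen.add(url);
      findings.push({ where, url });
    }
  };

  // document.write() literals first, so a "<script src=http://...>" that
  // only exists inside a string is attributed to the script that builds it.
  // A literal may be just a URL prefix completed at runtime (as with
  // ".../STFEH/R" + firmware version), so the prefix is what gets reported.
  for (const w of html.matchAll(WRITE_RE)) {
    for (const lit of w[1].matchAll(LITERAL_RE)) add("document.write", lit[1]);
  }
  for (const m of html.matchAll(TAG_RE)) add(`<${m[1].toLowerCase()}>`, m[2]);
  return findings;
}

// Minimal remediation for the cases above: reference the resource over
// https:// instead. This only helps if the remote host actually serves
// HTTPS; serving the file from the device itself (a relative URL such as
// "anchors.js", as the page already does for its local scripts) removes
// the third-party dependency entirely.
function upgradeToHttps(html) {
  return html.replace(/(["']\s*)http:\/\//gi, "$1https://");
}

// Constructed sample: the relevant part of the ST780 help page quoted in
// the advisory (abridged), as served from https://192.168.1.254/.
const SAMPLE_HELP_PAGE = `<html>
<head>
<title>THOMSON ST Help</title>
<script type="text/javascript" src="anchors.js"></script>
<script type="text/javascript">
build='7.4.4.7';
fehLocation=build.split(".");
fehLocation.pop();
document.write('<script type="text/javascript" src="http://downloads.thomson.net/telecom/documentation/common/STFEH/R'
  +fehLocation.join("")+'/RES/en/anchors.js"><\\/script>');
</script>
<script type="text/javascript" src="main.js"></script>
</head>
</html>`;

const PAGE_URL = "https://192.168.1.254/helpfiles/b_index.htm?anchor=b_ST";

for (const f of findMixedContent(SAMPLE_HELP_PAGE, PAGE_URL)) {
  console.log(`MIXED CONTENT via ${f.where}: ${f.url}`);
}
console.log(`after upgrade: ${findMixedContent(upgradeToHttps(SAMPLE_HELP_PAGE), PAGE_URL).length} finding(s)`);
```

Run with `node` and the scanner reports the one http:// prefix that the help page concatenates into its remote anchors.js URL; after upgradeToHttps() it reports nothing. Two server-side controls complement such a check: a Content-Security-Policy with `block-all-mixed-content` (or `upgrade-insecure-requests`) makes the browser refuse or rewrite such fetches, and an `integrity` attribute (Subresource Integrity) on any script that must stay remote makes a substituted file fail to load even if the transport is compromised.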
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@...oo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/

---------------------------------- [ EOF ] ------------------------------------