Date: Sun, 11 Nov 2007 15:06:34 +0000
From: "Adrian P" <unknown.pentester@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: BT Home Flub: Pwnin the BT Home Hub - Vulnerabilities details published

Remote assistance now appears to be disabled. That definitively gets
rid of the worst threat: backdooring the Home Hub router by enabling
remote access permanently (could be done by editing the config file).
Telnet has also been disabled, and the contents of the config file are
now encrypted/obfuscated. However, there are many other
vulnerabilities that we reported, which are still present on version
6.2.6.B of the firmware.

For instance, there are still many (non-persistent and persistent)
XSS, system-wide CSRF and also the double-slash authentication bypass
which works on the latest firmware! That means that, for instance, you
can still steal the router's WEP/WPA key by making the victim click on
a URL that exploits an XSS vulnerability and scrapes the contents of
the WEP/WPA key page: http://192.168.1.254/cgi/b/_wli_/seccfg// . It
also means that any administrative requests (i.e.: disable wireless
access) can be made by tricking the user to visit a malicious website.
Since the auth bypass still hasn't been fixed, this attack would work
even if the user has changed the default password.

One of the reasons for publishing the details is because we reported
the issues more than a month ago, which should be long enough to fix
the vulnerabilities. Also, BT has made inaccurate / not true
statements on a BBC Radio 4 show [1] and on their own website [2]
about how the vulnerabilities are "theoretical" rather than practical.

Publishing the details proves that we're not just talking BS but
rather warning the community about serious (and practical) issues
existent on the BT Home Hub.

Vulnerabilities details here:

http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4

And my previous posts on the subject:

http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-3
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-2
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub

References:

[1] http://www.bbc.co.uk/radio4/youandyours/items/01/2007_42_wed.shtml
[2] http://www.btplc.com/today/art70350.html


Regards,
AP.

-- 
pagvac
gnucitizen.org, ikwt.com
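The "double-slash authentication bypass" the post describes is, in general terms, a path-canonicalisation mismatch: the access-control check and the code that serves the page see two different spellings of the same resource. The Python below is an added example, not code from the post, from GNUCITIZEN or from BT, and the post does not say how the Home Hub's firmware actually implemented its check. It places a constructed access-control check that keys on the raw request path beside one that canonicalises the path first; the protected-path set and the sample request-targets are constructed for illustration, and only the `/cgi/b/_wli_/seccfg` path is taken from the message above.

```python
# Added example (not the Home Hub's firmware code): why a trailing "//" can
# slip past an access-control check keyed on the raw request path, and how
# canonicalising the path before the check closes that gap.
# The protected-path set and the sample request-targets are constructed;
# only /cgi/b/_wli_/seccfg is taken from the advisory above.

import posixpath
from urllib.parse import unquote, urlsplit

# Constructed: resources that must only be served to an authenticated admin.
PROTECTED_PATHS = {"/cgi/b/_wli_/seccfg"}


def naive_requires_auth(raw_target: str) -> bool:
    """Weak check: compares the raw request path against the protected set.
    Any alias spelling of the same resource (trailing "/", "//", "./",
    percent-encoded slash) fails to match and is therefore treated as public."""
    path = urlsplit(raw_target).path
    return path in PROTECTED_PATHS


def canonical_path(raw_target: str) -> str:
    """Reduce a request-target to one canonical form before any policy
    decision: drop the query string, percent-decode once, force exactly one
    leading slash, collapse repeated slashes, resolve "." and "..", and strip
    a trailing slash (except for the root)."""
    path = unquote(urlsplit(raw_target).path)  # one decoding pass only
    path = "/" + path.lstrip("/")              # avoids normpath keeping "//x"
    return posixpath.normpath(path)            # collapses "//", "./", "../"


def hardened_requires_auth(raw_target: str) -> bool:
    """Policy decision made on the canonical path, so every spelling of a
    protected resource is recognised and the check fails closed for aliases."""
    return canonical_path(raw_target) in PROTECTED_PATHS


# Constructed request-targets: the canonical spelling plus aliases of it.
SAMPLE_REQUESTS = [
    "/cgi/b/_wli_/seccfg",
    "/cgi/b/_wli_/seccfg/",
    "/cgi/b/_wli_/seccfg//",      # the form quoted in the post above
    "/cgi/b/_wli_/./seccfg",
    "/cgi/b/_wli_/seccfg?x=1",    # query string does not change the path
    "/cgi/b/_wli_/seccfg%2F",
    "/cgi/b/_wli_/other",         # genuinely public in this constructed policy
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the request-targets that the naive check would serve without
    authentication even though they alias a protected resource. This is the
    kind of table a reviewer can run against a real route list to find
    canonicalisation gaps before shipping."""
    return [r for r in requests
            if hardened_requires_auth(r) and not naive_requires_auth(r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r:28} naive={naive_requires_auth(r)!s:5} "
              f"hardened={hardened_requires_auth(r)}")
    print("missed by naive check:", audit())
```

The design point is that the canonicalisation step must run before, and be the sole input to, the authorisation decision; the handler that later serves the page should consume the same canonical path, so the two can never disagree about which resource is being requested.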
