lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 2 Sep 2012 18:50:13 +0200
From: Emilio Pinna <emilio.pinn@...il.com>
To: David3 <netevil@...kers.it>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Alice Telecom Italia AGPF ADSL router CSRF
	reconfiguration

As article said, the router is exploitable via a simple HTTP POST,
eventually triggerable by CSRF attack.

How do you means with "revert the conf"? With this method you can
change (and so restore) every single configuration aspect of the
router.

On Sun, Sep 2, 2012 at 6:47 PM, David3 <netevil@...kers.it> wrote:
> Ciao Emilio,
> Is this vulnerability exploitable locally then? My Alice router is not here and I would like to test it...are there any chances to revert the conf from remote with your poc?
>
> Thanks!
> davide
>
> Sent from my mobile
>
> Il giorno 02/set/2012, alle ore 14:03, Emilio Pinna <emilio.pinn@...il.com> ha scritto:
>
>> ################# Alice Telecom Italia AGPF ADSL router CSRF
>> reconfiguration #################
>>
>> ## ABSTRACT
>>
>> An huge number of ADSL broadband Italian users are vulnerable to
>> connection wiretapping and phishing. The most widely distribuited
>> italian ADSL router Alice Gate 2 Plus Voip Wi-Fi (AGPF), produced by
>> Pirelli, suffers a CSRF attack that allows an attacker to modify
>> internal router configuration like DNS servers, traffic routing, VoIP
>> configurations, DHCP parameters, and and other configurations that may
>> lead to a complete takeover of the user's ADSL connection. The
>> technique is also useful to enable hidden feature and
>> telnet/ftp/tftp/web extended admin interface.
>>
>> ## VENDOR: Alice Telecom Italia Modem/Routers manufactered by Pirelli
>> ## MODEL: AGPF[Alice Gate VoIP 2 Plus Wi-Fi] version < 2.6.0
>> ## PLATFORM: Customized Linux with openrg middleware on Broadcom
>> BCM96348 chipset.
>> ## VULNERABILITY: CSRF and configuration injection via HTTP POST parameter
>> ## EMAIL: emilio.pinn gmail
>> ## AUTHOR: Emilio Pinna
>> ## RISK: high
>>
>> More details are published in Dissecting blog:
>>
>> Introduction: http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability/
>> Technical details:
>> http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability-details/
>> POC: http://disse.cting.org/codes/alice.html
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ