| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <0D928EF0-4E24-433F-B2A5-73DBB3E57CAB@tacnetsol.com>
Date: Tue, 8 Jan 2013 11:48:35 -0500
From: Zachary Cutlip <zcutlip@...netsol.com>
To: full-disclosure@...ts.grok.org.uk
Subject: BT HomeHub 3.0b Remote (LAN) vulnerability
Vulnerability Report: BT HomeHub 3.0b
***********************
Report Date: 7 December 2012
Version: 1.01
Prepared by: Zachary Cutlip, zcultip@...netsol.com
Tactical Network Solutions, LLC
***********************
Summary:The BT HomeHub 3.0b has a remote[1] vulnerability that can yield to an attacker fully privileged root access.
***********************
Details:The 'bcmupnp' application that is installed and runs on the BT HomeHub 3.0b has a vulnerability in the way it processes M-SEARCH SSDP[2] requests.
By specifying a "uuid:" as the URI in the Search Target (ST:) header, the attacker can provide an excessively long string in place of a valid UUID. This will crash the application in a way that yields control of execution to the attacker. 'bcmupnp' runs fully privileged on this device, so a successful exploit results in fully privileged arbitrary code execution.
***********************
Affected Products:
BT HomeHub 3.0b Firmware version V100R001C01B031SP09_L_B
BT HomeHub 3.0b Firmware version V100R001C01B031SP12_L_B (Latest tested)
***********************
Mitigation:
End user:
The end user does not appear to be vulnerable to attack from the WAN.
The user should ensure that WPA or WPA2 encryption is enabled. This restricts LAN access to authorized users or those users with physical access to the wired network.
If the user's LAN is a hostile network that cannot be restricted to authorized users, use of the affected product should be discontinued until the vendor can issue a patch.
Vendor:
The 'bcmupnp' program does not appear to be essential to the affected product's core functionality. It could theoretically be disabled in a firmware update until such a time that it can be patched and re-enabled.
***********************
Exploit:
A proof-of-concept exploit for this vulnerability has been released.
Demonstration here:
https://vimeo.com/52954499
Exploit code here:
https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b
***********************
Credit:
Credit for this discovery goes to Zachary Cutlip <zcutlip@...netsol.com> and Tactical Network Solutions, LLC
Assistance provided by:
- Craig Heffner <cheffner@...netsol.com>
- "asbokid" for initial firmware extraction.
- William K. and "dmcdonell" for providing hardware for analysis.
- Forum participants on http://www.kitz.co.uk/
------------
[1] Although this vulnerability only affects the local network (LAN) side of the device, not the Internet (WAN) side, it is a remote vulnerability in that it is network based and does not require physical access to the target device.
[2] "UPnP Device Architecture 1.1" http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
***********************
Revision History:
12/13/2012 Fixed spelling error.
1/9/2013 Updated Credit section.
Updated Exploit section.
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4887 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists