Hi all,
I was looking into the info provided by Michael Renzmann where he said:

"The same data can be accessed by telnetting to the device and choosing
the menu-path "System Maintenance / User Maintenance / List User" (6/5/4)."

On the AAM6000EV, the "User Maintenance" option is not under System Maintenance and I haven't spotted it anywhere else (though I haven't searched in depth).

What I did notice was that after using the web vulnerability to get the router username and password, an attacker could then go on to get the username and password for the internet account that the router is configured to use, hence potentially giving access to email and other services.

Use the menu path "System Maintenance > View All Configuration" (6,1)

Scan through the output for the following section:

Module 'ppp':

Then look for the following line

1 welogin username password logintype

In the UK this can be very useful. People using BT ADSL will have a username that is username (at) domain (dot) tld [email concealed], for example a Freeserve user would likely be username (at) freeserve.co (dot) uk [email concealed]

So not only does this allow you to get router access, but further poor configuration allows you to get all the details you need to access the hosts internet account.

[ reply ]