
Unauthenticated access to BT Voyager config file and PPP credentials embedded in HTML form



The following is the updated version of a post sent to FD
[http://seclists.org/lists/fulldisclosure/2006/Jul/0137.html] ...



Title: Unauthenticated access to BT Voyager config file and PPP
credentials embedded in HTML form



Successfully tested against:

- BT Voyager 2091 Wireless ADSL
- Firmware 2.21.05.08m_A2pB018c1.d16d
- Firmware 3.01m (latest version available as of 4 July 2006)

Note: the vendor was contacted at voyager2[ a t ]bt.com but did NOT respond



Description:

A POST request to "/psiBackupInfo" with a "Content-Length" header equal to
zero (no variables submitted) returns the router's config file WITHOUT
any authentication credentials being provided.

POST /psiBackupInfo HTTP/1.1
Host: 192.168.1.1
Connection: close
Content-Length: 0
<CRLF>
<CRLF>

Also, making a regular GET request to "/connect.html" returns the PPP
username and password. Note that if tested in a web browser the user
will be redirected to another page immediately after receiving the
credentials. So I recommend testing this with telnet, netcat, some
MITM proxy like Paros, or the script provided
("btvoyager_getconfig.sh"). Additionally, you can test it in a web browser
with JavaScript disabled (in order to block the JavaScript redirect
code).

GET /connect.html HTTP/1.1
Host: 192.168.1.1
Connection: close
<CRLF>
<CRLF>
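Because the router serves these two responses without any credentials, the only place a defender can observe the abuse is on the LAN side, for example in requests captured by a proxy or network sensor in front of 192.168.1.1. The following is an added detection example, not one of the advisory's PoC scripts: it parses raw HTTP request heads and flags the two exact patterns described above (a POST to /psiBackupInfo with an empty body, and a GET to /connect.html). The sample captures, source addresses and rule names are constructed for the example; note that a POST carrying no Content-Length and no Transfer-Encoding also has an empty body under HTTP/1.1, so that case is treated the same as "Content-Length: 0".

```python
"""Flag the unauthenticated BT Voyager requests described in the advisory.

Added detection example (not the advisory's own scripts). Input is raw
HTTP/1.x request heads as a proxy or sensor would capture them on the LAN.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Rule identifiers are constructed for this example.
RULE_CONFIG_DUMP = "voyager-config-dump"   # POST /psiBackupInfo, empty body
RULE_PPP_CREDS = "voyager-ppp-creds"       # GET /connect.html


@dataclass
class Finding:
    src: str            # client address that sent the request
    rule: str           # which advisory pattern matched
    request_line: str   # first line of the request, for the analyst
    authenticated: bool # whether any Authorization/Cookie header was present


def parse_request(raw: bytes) -> Optional[Tuple[str, str, dict]]:
    """Split a raw request head into (METHOD, path, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None  # not a well-formed request line
    method, path = parts[0].upper(), parts[1].split("?", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def match_voyager_leak(raw: bytes) -> Optional[str]:
    """Return the matching rule name, or None if the request is not one of the
    two patterns from the advisory."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    if method == "POST" and path == "/psiBackupInfo":
        # Empty body: explicit Content-Length: 0, or no body framing at all.
        length = headers.get("content-length", "0")
        if length == "0" and "transfer-encoding" not in headers:
            return RULE_CONFIG_DUMP
    if method == "GET" and path == "/connect.html":
        return RULE_PPP_CREDS
    return None


def scan(captures: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    """Run the rules over (source_address, raw_request) pairs."""
    findings = []
    for src, raw in captures:
        rule = match_voyager_leak(raw)
        if rule is None:
            continue
        parsed = parse_request(raw)
        _, _, headers = parsed
        authed = "authorization" in headers or "cookie" in headers
        findings.append(Finding(src, rule, raw.split(b"\r\n", 1)[0].decode("latin-1"), authed))
    return findings


# Constructed sample captures: the two requests from the advisory plus one benign request.
SAMPLE_CAPTURES = [
    ("192.168.1.50", b"POST /psiBackupInfo HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                     b"Connection: close\r\nContent-Length: 0\r\n\r\n"),
    ("192.168.1.77", b"GET /connect.html HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                     b"Connection: close\r\n\r\n"),
    ("192.168.1.20", b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                     b"Authorization: Basic QUJDOjEyMw==\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURES):
        print(f"{f.src} {f.rule} {f.request_line!r} authenticated={f.authenticated}")
```

Both rules fire regardless of whether credentials were presented, because the defect is that the router does not require them; the `authenticated` field only helps an analyst separate an administrator's own backup from an anonymous client pulling the config. On a network where the web interface is reachable from the WAN (not the default, see below), the same check applied to inbound traffic is the relevant one.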



Screenshots:

- http://ikwt.com/projects/config_file_crack.jpg
- http://ikwt.com/projects/leaked_ppp_creds.jpg



PoC Scripts:

- http://ikwt.com/projects/btvoyager_getconfig.sh - gets the config file
without authentication (the config file includes sensitive info such
as the router's admin username and password, the WEP key, and the PPP
username and password)
- http://ikwt.com/projects/btvoyager_getpppcreds.sh - gets PPP
credentials without authentication
- http://ikwt.com/projects/btvoyager_decoder.c - decodes credentials
found in config file (strings made of hex values)



Attack Scenarios:

BT Voyager's web interface is only enabled for internal use by
default. Also, the 2091 and other BT Voyager models come with a
wireless encryption key set by default from the factory. That means
that whoever exploits this vulnerability would most likely be an
internal attacker: typically someone who already has legitimate access
to the LAN, or an external attacker who cracks the encryption key and
then becomes an internal user.

It is possible to enable the web interface for Internet use in BT
Voyager routers, but this is NOT the default setup. So, although there
might be some BT Voyagers' web interfaces out there on the Internet at
this moment, I'm sure it's not that many.

BT Voyagers are usually found in homes and SOHOs. So home users and
small offices using a vulnerable model will be affected by this bug.


References:

http://www.bt.com/voyager
http://www.voyager.bt.com/gpl.htm
http://www.faster.bt.com/faqs.asp




--
pagvac
[http://ikwt.com/]