Design Flaw in Deutsche Telekom Speedport w700v broadband router

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Design Flaw in Deutsche Telekom Speedport w700v broadband router
From: "Michael Domberg" <mdomberg@xxxxxx>
Date: Fri, 11 May 2007 23:15:09 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi,
I'd like to inform you about a vulnerability in the Deutsche Telekom Speedport 
w700v DSL router. Currently it's the standard device that is shipped with new 
DSL contracts.

I - TITLE

Security advisory:      Weaknesses in the login process of the web interface
                                of the Speedport w700v DSL Router and Wireless 
LAN
                                Access Point

II - SUMMARY

Description:    A design flaw exists in the login process of the web interface
                        of the Speedport w700v DLS Router and Wireless LAN 
Access Point
                        of Deutsche Telekom that might lead to unauthorized 
access.

Author: Michael Domberg (mdomberg at gmx dot li)

Date: May 11th 2007

Severity: Medium

References: http://www.devtarget.org/speedport700-advisory-05-2007.txt

III - OVERVIEW

The Speedport w700v is an ADSL/ADSL+ broadband router, Wireless LAN Access 
Point,
4-Port-Switch and telephone system with integrated firewall and advanced 
security
features.

More information about the product can be found online at
http://www.t-com.de

IV - DETAILS

The Speedport firmware consists of some CGI-Scripts that interact with the
hardware and some static html-pages as front-end. The login to the web
interface is designed the same way.
Upon submitting the system password (no username required...) the password
is sent to a cgi-script that verifies the password with internal sources. If
the verification is successful, the welcome screen of the interface is returned.
If the verification failed the login screen is returned. To avoid brute force 
attacks, the login page contains some JavaScript that disables the input field
for a certain amount of seconds. The first attempt is one second delayed, the 
second is two second delayed and any further attempt is delayed for the doubled 
amount of time of the previous one. So the 8th attempt requires the attacker to
wait for about 4 minutes.
By submitting the request directly to the underlying cgi-script and verifying 
the
result page an attacker can circumvent this mechanism and perform multi-threaded
brute-force attacks. 

V - ANALYSIS

The severity of this vulnerability is to be considered "medium". The default 
password
of the web interface is "0000". So users often choose a four-digit numeric 
password, too.
The Speedport 700 series is one of the most-sold DSL modems, because it is the 
standard
hardware for german DSL users of Deutsche Telekom.
Users can prevent their modems from being exploited this way by disabling remote
administration access (which is the default).

VI - EXPLOIT CODE

An PoC is available, but not published.

VII - WORKAROUND/FIX

Users have to disable remote administration access to prevent their routers 
from being
exploited.
The vendor doesn't seem to address this vulnerability.

VIII - DISCLOSURE TIMELINE

22. February 2007 - Notified vendor of affected software
28. February 2007 - Vulnerability confirmed
11. May 2007 - Public disclosure

Regards,
Michael Domberg,
www.devtarget.org

Prev by Date: Cross-Site Scripting in Adobe RoboHelp 6, Server 6 and X5
Next by Date: RE: Defeating Citibank Virtual Keyboard protection using screenshot method
Previous by thread: Cross-Site Scripting in Adobe RoboHelp 6, Server 6 and X5
Next by thread: [vuln.sg] yEnc32 Decoder Long Filename Buffer Overflow Vulnerability
Index(es):
- Date
- Thread