[NEWS] ECI B-FOCuS Router Authentication Bypass

From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/05

  • Next message: SecuriTeam: "[NT] PeanutHull Local Privilege Escalation" 
    To: list@securiteam.com
Date: 27 Jul 2005 14:22:38 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      ECI B-FOCuS Router Authentication Bypass
    ------------------------------------------------------------------------

    SUMMARY

    "The B-FOCuS Router 312+ provides users with a reliable and secured ADSL2+
    connection to the Internet. "

    By directly accessing the B-FOCuS ADSL Router's 'firmwarecfg' page remote
    attackers attackers can access the router's sensitive information.

    DETAILS

    Vulnerable Systems:
     * ECI B-FOCuS Router 312+

    The ECI router has in its default settings a management interface
    accessible via HTTP that is protected by a login screen.

    The login screen can be bypassed by accessing the page 'firmwarecfg' that
    located in an unprotected cgi-bin directory. Once this page is access an
    attacker can download information about the router settings, connection
    passwords and management passwords in plain text.

    The page also allows attackers to reset the router and update the router's
    firmware.

    Proof of concept:
    http://[router address]/cgi-bin/firmwarecfg

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:d.is.evil@gmail.com> D.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] PeanutHull Local Privilege Escalation"

    Relevant Pages

    • [NEWS] Telecom Italia Alice Pirelli Routers Backdoor Activates Telnet/FTP/TFTP
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Telecom Italia Alice Pirelli Routers Backdoor Activates Telnet/FTP/TFTP ... admin interface service with Admin privileges, ... special IP packet to router specific ip 192.168.1.1. ...
      (Securiteam)
    • [NEWS] Motorola Wireless Router WR850G Authentication Circumvention
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WR850G Wireless Broadband Router, is built with both an 802.11g wireless ... enables an attacker to log into the routers web interface without knowing ... username and password after logging in. ...
      (Securiteam)
    • [EXPL] 3Com DSL Router Administrative Interface Long Request DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... OfficeConnect is a router widely used in the world. ... rebooted due to a flaw in its web administration interface. ... every LAN user can cause a crash and reboot of the router, ...
      (Securiteam)
    • [NEWS] SMC Routers Passwordless Remote Administration
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SMC broadband routers ship with remote administration enabled by default ... on their port 1900 on the WAN side of the router. ... Click "Advanced Setup" then "Status" and write down the router's WAN IP ...
      (Securiteam)
    • [NEWS] Linksys EtherFast Router Denial of Service Attack
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The <The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router ... An attacker could specify a URL that results in denial of service. ...
      (Securiteam)