Bugtraq mailing list archives
[waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780
From: come2waraxe () yahoo com
Date: Tue, 25 Sep 2012 13:00:21 GMT
[waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780 =============================================================================== Author: Janek Vind "waraxe" Date: 25. September 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-90.html Description of vulnerable target: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Hardware: Thomson SpeedTouch ST780 Software Release: 7.4.4.7 ############################################################################### Insecure SSL Connection vulnerability in Thomson SpeedTouch ST780 ############################################################################### Let's assume, that we use Thomson SpeedTouch ST780 administration interface over HTTPS connection. Whole traffic is encrypted and hard to eavesdrop or modify by third party. Now let's click "Help" link in upper right corner. New window pops up, containing contextual help: https://192.168.1.254/helpfiles/b_index.htm?anchor=b_ST I'm using Firefox 15.0.1 and it will complain about security: "Your connection to this site is only partially encrypted, and does not prevent eavesdropping." So what's the matter? Let's have a look at the source code: ------------------------[ source code start ]---------------------------------- <html> <head> <title>THOMSON ST Help</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="expires" content="-1"> <script type="text/javascript" src="anchors.js"></script> <script type="text/javascript"> build='7.4.4.7'; fehLocation=build.split("."); fehLocation.pop(); document.write('<script type="text/javascript" src=" http://downloads.thomson.net/telecom/documentation/common/STFEH/R' +fehLocation.join("")+'/RES/en/anchors.js"><\/script>'); prodName='SpeedTouch'; prodNumber='780'; buildVariant='--'; boardName='BANT-R'; companyName='THOMSON'; </script> <script type="text/javascript" src="main.js"></script> </head> <noscript> Your browser is not Javascript-enabled. Some of the functions on this page will not work! </noscript> </html> ------------------------[ source code end ]------------------------------------ Actual HTTP request as seen by "Live HTTP Headers" Add-on: ---------------------------------------------------------- http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js GET /telecom/documentation/common/STFEH/R744/RES/en/anchors.js HTTP/1.1 Host: downloads.thomson.net User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive ---------------------------------------------------------- We can see, that javascript file is fetched over insecure HTTP communication channel and then executed within HTTPS-enabled webpage. If there is attacker, who can eavesdrop and modify communications between client and router, then it's possible to use forged DNS reply and subsequently deliver to the client arbitrary javascript. Such malicious javascript payload is able to change router's configuration or steal sensitive information like WPA keys. Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe () yahoo com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------
Current thread:
- [waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780 come2waraxe (Sep 25)