- - - --------------------------------------------------------------------
Virginity Security Advisory 2007-001
- - - --------------------------------------------------------------------
DATE : 2007-01-19 15:32 GMT
TYPE : remote
VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
AUTHOR : Virginity
ADVISORY NUMBER : 005
- - - --------------------------------------------------------------------
Description:
The Speedport 500V is a broadband router sold in Germany along with
ADSL lines (just so you know).
The system is stupid: it verifies whether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this value is hardcoded and cannot be changed).
If an attacker simply creates this cookie, he can bypass password
authentication by calling the configuration HTML pages directly.
The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change the system
configuration, e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
then gives you full system access.
The vendor has not been notified. I don't think they care^^.
- - - --------------------------------------------------------------------
Example:
Create a cookie like this:
Name: LOGINKEY
Content: TECOM
Host:
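As an added illustration (not code from the advisory or from the router's firmware), here is the static-cookie check described above beside a session-based replacement in which the cookie only proves anything because the server issued it after a real password check. The user table, password, cookie name SESSION and class names are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample credential store (hypothetical). A real store would hold
# a salted password hash, not the plaintext; kept plain here for brevity.
USERS = {"admin": "correct horse"}


def vulnerable_is_authenticated(cookies: dict) -> bool:
    """The Speedport 500V pattern from the advisory: a fixed cookie value is
    the entire proof of login, so any client that sets LOGINKEY=TECOM passes
    without ever supplying the password."""
    return cookies.get("LOGINKEY") == "TECOM"


class SessionAuth:
    """Hardened replacement: a fresh, unguessable token is minted per
    successful login and remembered server-side. A cookie the server never
    issued (e.g. a hand-made one) is rejected."""

    def __init__(self) -> None:
        self._sessions: set[str] = set()

    def login(self, user: str, password: str):
        """Return a new session token on success, None on failure."""
        expected = USERS.get(user)
        # Constant-time comparison avoids leaking the password via timing.
        if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._sessions.add(token)
        return token

    def is_authenticated(self, cookies: dict) -> bool:
        """True only if the presented SESSION cookie was issued by login()."""
        token = cookies.get("SESSION")
        if token is None:
            return False
        return any(hmac.compare_digest(token, t) for t in self._sessions)

    def logout(self, token: str) -> None:
        self._sessions.discard(token)

    @staticmethod
    def set_cookie_header(token: str) -> str:
        """Cookie attributes that keep the token out of script and off
        cross-site requests."""
        return f"Set-Cookie: SESSION={token}; HttpOnly; SameSite=Strict; Path=/"
```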