Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26426
HistoryMay 30, 2011 - 12:00 a.m.

Vulnerabilities in ADSL modem Callisto 821+

2011-05-3000:00:00
vulners.com
20

Hello 3APA3A!

I want to warn you about security vulnerabilities in ADSL modem
Callisto 821+ (SI2000 Callisto821+ Router).

These are Predictable Resource Location and Brute Force
vulnerabilities.

Predictable Resource Location (WASC-34):

http://192.168.1.1 (web server on 80 and 8008 ports).

The control panel of modem is placed at default path with default
login and password (information about which is available in
Internet). Which allows for local users (which have access to PC or
via LAN) and also for remote users via Internet (via CSRF
vulnerabilities) to get access to control panel and change modem's
settings. This also will be in handy for conducting of remote login
attack.

Default above-mentioned settings - it's standard practice of
developers of ADSL routers, but ISPs should make changes. But
particularly Ukrtelecom doesn't do it (and there can be other such
ISPs) and so millions of users of Internet services of this ISP,
which are using modems Callisto or others, are vulnerable to these
attacks. And during my conversation with Ukrtelecom's representative
in April, he stated that company doesn't see any risks concerning
multiple vulnerabilities in router's control panel.

Brute Force (WASC-11):

In login form http://192.168.1.1 there is no protection against
Brute Force attacks. Which allows to pick up password (if it was
changed from default), particularly at local attack. E.g. via LAN
malicious users or virus at some computer can conduct attack for
picking up the password, if it was changed.

Lack of protection against Brute Force (such as captcha) also leads
to possibility of conducting of CSRF attacks, which I wrote about in
the article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
It allows to conduct remote login. Which will be in handy at
conducting of attacks on different CSRF and XSS vulnerabilities in
control panel.

Vulnerable is the next model: SI2000 Callisto821+ Router: X7821
Annex A v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This
model with other firmware and also other models of Callisto also must
be vulnerable.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5161/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua