mailing list archives
BT Home Flub: Pwnin the BT Home Hub - Vulnerabilities details published
From: "Adrian P" <unknown.pentester () gmail com>
Date: Sun, 11 Nov 2007 15:06:34 +0000
Remote assistance now appears to be disabled. That definitively gets
rid of the worst threat: backdooring the Home Hub router by enabling
remote access permanently (could be done by editing the config file).
Telnet has also been disabled, and the contents of the config file is
now encrypted/obfuscated. However, there are many other
vulnerabilities that we reported, which are still present on version
6.2.6.B of the firmware.
For instance, there are still many (non-persistent and persistent)
XSS, system-wide CSRF and also the double-slash authentication bypass
which works on the latest firmware! That means that, for instance, you
can still steal the router's WEP/WPA key by making the victim click on
a URL that exploits a XSS vulnerability and scrapes the contents of
the WEP/WPA key page: http://192.168.1.254/cgi/b/_wli_/seccfg// . It
also means that any administrative requests (i.e.: disable wireless
access) can be made by tricking the user to visit a malicious website.
Since the auth bypass hasn't still been fixed, this attack would work
even if the user has changed the default password.
One of the reasons for publishing the details it's because we reported
the issues more than a month ago, which should be long enough to fix
the vulnerabilities. Also, BT has made inaccurate / not true
statements on a BBC Radio 4 show  and on their own website 
about how the vulnerabilities are "theoretical" rather than practical.
Publishing the details proves that we're not just talking BS but
rather warning the community about serious (and practical) issues
existent on the BT Home Hub.
Vulnerabilities details here:
And my previous posts on the subject:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- BT Home Flub: Pwnin the BT Home Hub - Vulnerabilities details published Adrian P (Nov 11)