Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

BT Home Flub: Pwnin the BT Home Hub - Vulnerabilities details published
From: "Adrian P" <unknown.pentester () gmail com>
Date: Sun, 11 Nov 2007 15:06:34 +0000

Remote assistance now appears to be disabled. That definitively gets
rid of the worst threat: backdooring the Home Hub router by enabling
remote access permanently (could be done by editing the config file).
Telnet has also been disabled, and the contents of the config file is
now encrypted/obfuscated. However, there are many other
vulnerabilities that we reported, which are still present on version
6.2.6.B of the firmware.

For instance, there are still many (non-persistent and persistent)
XSS, system-wide CSRF and also the double-slash authentication bypass
which works on the latest firmware! That means that, for instance, you
can still steal the router's WEP/WPA key by making the victim click on
a URL that exploits a XSS vulnerability and scrapes the contents of
the WEP/WPA key page: http://192.168.1.254/cgi/b/_wli_/seccfg// . It
also means that any administrative requests (i.e.: disable wireless
access) can be made by tricking the user to visit a malicious website.
Since the auth bypass hasn't still been fixed, this attack would work
even if the user has changed the default password.

One of the reasons for publishing the details it's because we reported
the issues more than a month ago, which should be long enough to fix
the vulnerabilities. Also, BT has made inaccurate / not true
statements on a BBC Radio 4 show [1] and on their own website [2]
about how the vulnerabilities are "theoretical" rather than practical.

Publishing the details proves that we're not just talking BS but
rather warning the community about serious (and practical) issues
existent on the BT Home Hub.

Vulnerabilities details here:

http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4

And my previous posts on the subject:

http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-3
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-2
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub

References:

[1] http://www.bbc.co.uk/radio4/youandyours/items/01/2007_42_wed.shtml
[2] http://www.btplc.com/today/art70350.html


Regards,
AP.

-- 
pagvac
gnucitizen.org, ikwt.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • BT Home Flub: Pwnin the BT Home Hub - Vulnerabilities details published Adrian P (Nov 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]