Full Disclosure
mailing list archives
Re: Alice Telecom Italia AGPF ADSL router CSRF reconfiguration
From: Emilio Pinna <emilio.pinn () gmail com>
Date: Sun, 2 Sep 2012 18:50:13 +0200
As the article said, the router is exploitable via a simple HTTP POST,
eventually triggerable by a CSRF attack.
What do you mean by "revert the conf"? With this method you can
change (and so restore) every single configuration aspect of the
router.
On Sun, Sep 2, 2012 at 6:47 PM, David3 <netevil () hackers it> wrote:
Hi Emilio,
Is this vulnerability exploitable locally then? My Alice router is not here and I would like to test it...are there
any chances to revert the conf from remote with your poc?
Thanks!
davide
Sent from my mobile
On 02 Sep 2012, at 14:03, Emilio Pinna <emilio.pinn () gmail com> wrote:
################# Alice Telecom Italia AGPF ADSL router CSRF reconfiguration #################
## ABSTRACT
A huge number of Italian ADSL broadband users are vulnerable to
connection wiretapping and phishing. The most widely distributed
Italian ADSL router, Alice Gate 2 Plus Voip Wi-Fi (AGPF), produced by
Pirelli, suffers from a CSRF attack that allows an attacker to modify
internal router configuration like DNS servers, traffic routing, VoIP
configurations, DHCP parameters, and other configurations that may
lead to a complete takeover of the user's ADSL connection. The
technique is also useful to enable hidden features and the
telnet/ftp/tftp/web extended admin interface.
## VENDOR: Alice Telecom Italia Modem/Routers manufactured by Pirelli
## MODEL: AGPF[Alice Gate VoIP 2 Plus Wi-Fi] version < 2.6.0
## PLATFORM: Customized Linux with openrg middleware on Broadcom
BCM96348 chipset.
## VULNERABILITY: CSRF and configuration injection via HTTP POST parameter
## EMAIL: emilio.pinn gmail
## AUTHOR: Emilio Pinna
## RISK: high
More details are published on the Dissecting blog:
Introduction: http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability/
Technical details:
http://disse.cting.org/2012/09/02/alice-gate-agpf-csrf-reconf-vulnerability-details/
POC: http://disse.cting.org/codes/alice.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/