exploit the possibilities

Thomson SpeedTouch ST780 Insecure SSL Connection

Thomson SpeedTouch ST780 Insecure SSL Connection
Posted Sep 25, 2012
Authored by Janek Vind aka waraxe | Site waraxe.us

Thomson SpeedTouch ST780, by design, has mixed content in the DOM during an SSL encapsulated session.

tags | advisory
MD5 | fb05f515c38819c36c89573aa5785d84

Thomson SpeedTouch ST780 Insecure SSL Connection

Change Mirror Download
[waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-90.html


Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hardware: Thomson SpeedTouch ST780
Software Release: 7.4.4.7

###############################################################################
Insecure SSL Connection vulnerability in Thomson SpeedTouch ST780
###############################################################################

Let's assume, that we use Thomson SpeedTouch ST780 administration interface
over HTTPS connection. Whole traffic is encrypted and hard to eavesdrop or
modify by third party. Now let's click "Help" link in upper right corner.
New window pops up, containing contextual help:

https://192.168.1.254/helpfiles/b_index.htm?anchor=b_ST

I'm using Firefox 15.0.1 and it will complain about security:

"Your connection to this site is only partially encrypted, and does not prevent
eavesdropping."

So what's the matter? Let's have a look at the source code:
------------------------[ source code start ]----------------------------------
<html>
<head>
<title>THOMSON ST Help</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
<script type="text/javascript" src="anchors.js"></script>
<script type="text/javascript">
build='7.4.4.7';
fehLocation=build.split(".");
fehLocation.pop();
document.write('<script type="text/javascript" src="
http://downloads.thomson.net/telecom/documentation/common/STFEH/R'
+fehLocation.join("")+'/RES/en/anchors.js"><\/script>');
prodName='SpeedTouch';
prodNumber='780';
buildVariant='--';
boardName='BANT-R';
companyName='THOMSON';
</script>
<script type="text/javascript" src="main.js"></script>
</head>
<noscript>
Your browser is not Javascript-enabled. Some of the functions on this page
will not work!
</noscript>
</html>
------------------------[ source code end ]------------------------------------


Actual HTTP request as seen by "Live HTTP Headers" Add-on:
----------------------------------------------------------
http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js

GET /telecom/documentation/common/STFEH/R744/RES/en/anchors.js HTTP/1.1
Host: downloads.thomson.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
----------------------------------------------------------


We can see, that javascript file is fetched over insecure HTTP communication
channel and then executed within HTTPS-enabled webpage. If there is attacker,
who can eavesdrop and modify communications between client and router, then
it's possible to use forged DNS reply and subsequently deliver to the client
arbitrary javascript. Such malicious javascript payload is able to change
router's configuration or steal sensitive information like WPA keys.


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close