what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Telus Actiontec T2200H Serial Number Information Disclosure

Telus Actiontec T2200H Serial Number Information Disclosure
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device's admin web UI password can be reset using the web UI "forgot password" page to reset to a known value.

tags | exploit, web, info disclosure
SHA-256 | e00278c615b4c6ca6904174cd960226f3071c1c8dac2689625b8674db654d3c2

Telus Actiontec T2200H Serial Number Information Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manu
al.pdf

Reported: Sept 2018
CVE: Not needed since update is pushed by the provider.

The Telus Actiontec T2200H is bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11agn wireless, etc.

### Summary of Findings
The wireless extenders use DHCP Option 125 to include device details
such as model number, manufacturer, and serial number. By forging a
special DHCP packet using Option 125, an attacker can obtain the device
serial number.

Once he or she has this, the device’s admin web UI password can be reset
using the web UI “forgot password” page to reset to a known value.

### Mitigation
Do not use the serial number to initiate password resets.

The serial number has other internal uses in the Web UI, which means
there’s a higher chance of it being leaked inadvertently over the
network. By using a different value, this risk can be mitigated since
the reset value is only used for that purpose.



-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9UFYACgkQoyRid8jQ
fpkcfg/+PGb6cqsFln3ON6Z2DDWDr1e6SuYunj6cUvsM6gwjPFavNNSw4nCOa8HI
hmL15anYEIF3Bkrvw3NDgf3n+8hRtMC7E4EewZyW1gpYeqRFZp+HPUhRMptaoy25
fMZOnzjIt4DKV8EueXdbvGK/ouGZa9TkK5ZMqskQR/FkhC9lytSFblz9l6ZMKEHB
kGn0She5eTFx5U+pOQf/2tmJGUDZRka9OGA+RxXYGPRCwlElqS0QHcRnLTXo3zE4
iNACPDiVLAO/0Q61GEI6hgbcMFzWZZddPmvaY6ii3nXCmTxjJ7bWOKMBsBZwKCGe
agXt7n3UvVY5LGFGG1q/FB1/+JvcnOmUh04FM7uhNgA+2vaQGjCQeaWaSMbkAggh
Eoe6mKD2yA52tn7+RDPY1LOpYWBFXsNWCAlErsCOMyD/4CI3XyoNQyxvW0Icw2GZ
PASDnOx9vBeqAprCVYHUsBy68OZvbRZZpzFTqiEe4ksiTCUxQZC2Xx5AI0+2wm0x
Akw7s3mfmPywvEjuUCCxLzZlK1pHcVPnI0ngGNNN2/Tuo7fJaCEF2cELmKM6sDIP
1DVInZhEZBV8bpEJucIl7IN/zFbi+Pkq37MPfoKKeOkKfF+TvYGT3/okFplj4Z0s
kIhsBD+M/YHAz9vYDFgC13ro3ph79HExwd63ctmirGBQgjeEE4Q=
=fNG3
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close