exploit the possibilities

Telus Actiontec T2200H Serial Number Information Disclosure

Telus Actiontec T2200H Serial Number Information Disclosure
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device's admin web UI password can be reset using the web UI "forgot password" page to reset to a known value.

tags | exploit, web, info disclosure
MD5 | 42324fc451c05609b2fbdea3411024b0

Telus Actiontec T2200H Serial Number Information Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manu
al.pdf

Reported: Sept 2018
CVE: Not needed since update is pushed by the provider.

The Telus Actiontec T2200H is bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11agn wireless, etc.

### Summary of Findings
The wireless extenders use DHCP Option 125 to include device details
such as model number, manufacturer, and serial number. By forging a
special DHCP packet using Option 125, an attacker can obtain the device
serial number.

Once he or she has this, the device’s admin web UI password can be reset
using the web UI “forgot password” page to reset to a known value.

### Mitigation
Do not use the serial number to initiate password resets.

The serial number has other internal uses in the Web UI, which means
there’s a higher chance of it being leaked inadvertently over the
network. By using a different value, this risk can be mitigated since
the reset value is only used for that purpose.



-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9UFYACgkQoyRid8jQ
fpkcfg/+PGb6cqsFln3ON6Z2DDWDr1e6SuYunj6cUvsM6gwjPFavNNSw4nCOa8HI
hmL15anYEIF3Bkrvw3NDgf3n+8hRtMC7E4EewZyW1gpYeqRFZp+HPUhRMptaoy25
fMZOnzjIt4DKV8EueXdbvGK/ouGZa9TkK5ZMqskQR/FkhC9lytSFblz9l6ZMKEHB
kGn0She5eTFx5U+pOQf/2tmJGUDZRka9OGA+RxXYGPRCwlElqS0QHcRnLTXo3zE4
iNACPDiVLAO/0Q61GEI6hgbcMFzWZZddPmvaY6ii3nXCmTxjJ7bWOKMBsBZwKCGe
agXt7n3UvVY5LGFGG1q/FB1/+JvcnOmUh04FM7uhNgA+2vaQGjCQeaWaSMbkAggh
Eoe6mKD2yA52tn7+RDPY1LOpYWBFXsNWCAlErsCOMyD/4CI3XyoNQyxvW0Icw2GZ
PASDnOx9vBeqAprCVYHUsBy68OZvbRZZpzFTqiEe4ksiTCUxQZC2Xx5AI0+2wm0x
Akw7s3mfmPywvEjuUCCxLzZlK1pHcVPnI0ngGNNN2/Tuo7fJaCEF2cELmKM6sDIP
1DVInZhEZBV8bpEJucIl7IN/zFbi+Pkq37MPfoKKeOkKfF+TvYGT3/okFplj4Z0s
kIhsBD+M/YHAz9vYDFgC13ro3ph79HExwd63ctmirGBQgjeEE4Q=
=fNG3
-----END PGP SIGNATURE-----


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    1 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close