what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SiemensSANTIS50.txt

SiemensSANTIS50.txt
Posted Jul 28, 2005
Authored by Luca Carettoni

By sending trigger packets to the management port (280/http-mgmt) of a Siemens Santis 50 wireless router, the device freezes the web interface and allows unauthenticated access to the telnet CLI.

tags | exploit, web
SHA-256 | 55fd63fc68a9ff21180c20280c664708b42386f538608ed1c889437dee91b9b0

SiemensSANTIS50.txt

Change Mirror Download
Secure Network - Security Research Advisory

Vuln name: [Siemens SANTIS 50 Authentication Vulnerability]

Systems affected:
Siemens Santis 50 Wireless router (firmware version: 4.2.8.0)

Likely to be affected:
Ericsson HN294dp
Dynalink RTA300W

Severity: medium risk
Local/Remote: Remote (limited to the LAN, with default configuration)
Vendor URL: http://www.dynalink.com.au/modemsadsl_dis.htm?prod=RTA300W#
http://help.virgilio.it/guide/index.jsp? id=5080&id_figlio=5541 (italian Internet provider)

Author(s): Luca Carettoni - luca.carettoni@securenetwork.it

Vendor disclosure: 17th July 2005
Vendor acknowledged: Not acknowledged
Public disclosure: 25th July 2005
Advisory number: SN-2005-01
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

The Siemens Santis 50 Wireless router is a wi-fi (802.11b) ADSL router. It's a complete system for home and small business networks in a single device.

Some features include:
- Integrated WLAN for internet sharing
- ADSL Modem/Router/Firewall/Switch
- 10/100 Mbps 4 port switch built in
- Stateful packet inspection (SPI) firewall
- Wireless Access Point
- VPN passthrough

Telecom Italia Net (one of the largest italian Internet providers) delivers this device to its ADSL customers, so in Italy it's a common device used in SOHO and SMB networks.

The Siemens Santis50, the Ericsson HN294dp and the Dynalink RTA300W devices share the same hardware, so it's very likely that they share this vulnerability. The original project of these products was from Askey. The firmware software is from VirataGlobespan, bought by Conexant.

The tested (vulnerable) version of firmware is the 4.2.8.0

This bug provides access to the management CLI, without authentication, after a DOS attack to a specific service port.

*** VULNERABILITY DETAILS ***

This device provides a web management interface and the classic telnet CLI for administration purposes. By default these services are available only from the local network, but can be optionally activated also on the WAN interface.

Sending trigger packets to the management port (280/http-mgmt), the device "freezes" the web interface, allowing unauthenticated connection to the telnet CLI.

This behavior appears to be some sort of "disaster recovery mode". The set of available commands is limited to a few, but they are enough to discover informations about the configuration of the device and connections (events, traffic, ethernet addresses configuration, etc). Also critical commands like "irreversibly erase FLASH contents" are available.

*** EXPLOIT ***

A simple exploit is to use the application scanner AMAP (kudos to THC, www.thc.org).
Mojito:~ LuCa$ amap x.x.x.x 280

*** FIX INFORMATION ***

A vendor-provided fix is currently unavailable. An upgrade to a more recent version of firmware (v5.2.2 is currently available) could help, but we are unable to test this version.

An obvious workaround (and good practice) is to disable the management interface on the WAN, this obviously blocks this attack from external attackers.

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
with software developers for properly handling disclosure issues.

This advisory is copyright © 2005 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 0363 560 402
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close