[39889] in bugtraq
ECI router login bypass
daemon@ATHENA.MIT.EDU (D .)
Mon Jul 25 11:51:21 2005
Message-ID: <f6d918bf05072403003f42a7f9@mail.gmail.com>
Date: Sun, 24 Jul 2005 12:00:34 +0200
From: "D ." <d.is.evil@gmail.com>
Reply-To: "D ." <d.is.evil@gmail.com>
To: BugTraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Title: ECI router verification bypass and DoS
Date: 24/07/2005
Impact: Log in verification bypass
Vendors Status: Not contacted (they were mean to me)
Overview:
The B-FOCuS Router 312+ provides users with a reliable and secured
ADSL2+ connection to the Internet. The 312+ has a single Ethernet port
10/100 and can support either a single computer or multiple computers
sharing a single ADSL2+ line when connecting to a switch. The router's
internal stateful inspection firewall protects the user's PC from
hackers and unwelcome intrusions.
(Tested on B-FOCuS Router 312+ presumably works on all eci routers\products)
Vulnerability:
By default the eci router has a management interface available via http
The interface is protected by a log in screen
This screen can be easily bypassed by accessing the firmwarecfg page
in the unprotected cgi-bin directory
the page provides a way of downloading the routers current settings
including connection passwords and management passowrds
in plaintext
also this page provides a means to reset the modem thus executing a
denial a service attack by making the modem reset constantly
furthermore the page provides facilities to upload new firmware
Affected Version:
All ECI routers
Tested on ECI B-FOCuS Router 312+
PoC:
http://10.0.0.138/cgi-bin/firmwarecfg
Credits:
Credits for this vulnerability goes to D
D.is.evil[-A-t-]gmail.com
Comments:
Seeking work (in Israel)
