'[Full-disclosure] Vulnerabilities in ADSL modem Callisto 821+'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Vulnerabilities in ADSL modem Callisto 821+
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2011-05-30 15:18:56
Message-ID: 002501cc1edd$20b8f620$9b7a6fd5 () ml
[Download RAW message or body]

Hello list!

I want to warn you about security vulnerabilities in ADSL modem Callisto
821+ (SI2000 Callisto821+ Router). These are Predictable Resource Location
and Brute Force vulnerabilities.

SecurityVulns ID: 11700.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: SI2000 Callisto821+ Router: X7821 Annex A
v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other
firmware and also other models of Callisto also must be vulnerable.

----------
Details:
----------

Predictable Resource Location (WASC-34):

http://192.168.1.1 (web server on 80 and 8008 ports).

The control panel of modem is placed at default path with default login and
password (information about which is available in Internet). Which allows
for local users (which have access to PC or via LAN) and also for remote
users via Internet (via CSRF vulnerabilities) to get access to control panel
and change modem's settings. This also will be in handy for conducting of
remote login attack.

Default above-mentioned settings - it's standard practice of developers of
ADSL routers, but ISPs should make changes. But particularly Ukrtelecom
doesn't do it (and there can be other such ISPs) and so millions of users of
Internet services of this ISP, which are using modems Callisto or others,
are vulnerable to these attacks. And during my conversation with
Ukrtelecom's representative in April, he stated that company doesn't see any
risks concerning multiple vulnerabilities in router's control panel (so they
don't change settings and don't warn clients).

Brute Force (WASC-11):

In login form http://192.168.1.1 there is no protection against Brute Force
attacks. Which allows to pick up password (if it was changed from default),
particularly at local attack. E.g. via LAN malicious users or virus at some
computer can conduct attack for picking up the password, if it was changed.

Lack of protection against Brute Force (such as captcha) also leads to
possibility of conducting of CSRF attacks, which I wrote about in the
article Attacks on unprotected login forms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
It allows to conduct remote login. Which will be in handy at conducting of
attacks on different CSRF and XSS vulnerabilities in control panel.

------------
Timeline:
------------

2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in modems,
which they give (sell) to their clients.
2011.05.24 - disclosed at my site.
2011.05.26 - informed developers (Iskratel).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5161/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic