Search This Blog

Wednesday, December 24, 2008

[NEWS] WiFi Router COMTREND Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

WiFi Router COMTREND Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The <http://www.comtrend.com> COMTREND CT-536 is an 802.11g (54Mbps)
wireless and wired Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet and single USB ports provide wired LAN connectivity with
an integrated 802.11g WiFi WLAN Access Point (AP) for wireless
connectivity. The CT-536 ADSL router provides state of the art security
features such as WPA data encryption; Firewall, VPN pass through. Improper
validation of micro_httpd server of the Wifi Router COMTREND permits
multiple attacks though this stateless server. Also, access control is
inefficient and does not control access at all. Credentials are sent in
clear text so "user" could get them easily.

DETAILS

Vulnerable Systems:
* COMTREND CT-536/HG-536+ A101-302JAZ-C01_R05

1. User "user" (least privileged user, read only and limited access
configuration reading) can ask to access resources he is not allowed to
and the server will return the page asked. This includes the password
changing page:
http://192.168.0.1/password.html

2. The router sends the 3 users passwords in clear inside the HTML

3. Some points in the configuration description options are vulnerable to
Cross Site Scripting attacks due improper validation:
http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E& srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1

4. Some resources (i.e. NAT table are vulnerable to Buffer overflows
attacks) through the description fields that seems to kill the micro_httpd
server although the router continues routing. Also similar behavior is
seen when asking for URLs that add %13 and %10 chars, without matching
micro_httpd checks "..", "../", "/../"

5. User "user" accesses with "admin" privileges when connecting through
TELNET service

6. User "support" seems to not exist at all

Impact:
DoS of the Web Configuration interface although the router continues
routing. DoS of router, causing a set to reset configuration, meaning the
start up of Wireless interface (activated by default) without any type of
protection and having the possibility to access the router or the network.
Reset of router configuration. Access with "admin" (privileged)
permissions to user "user".


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@isecauditors.com>
ISecAuditors Security Advisories.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: