BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
BID:25972
Info
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
| Bugtraq ID: | 25972 |
| Class: | Design Error |
| CVE: |
CVE-2007-5383 CVE-2007-5384 CVE-2007-5385 CVE-2007-6003 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 08 2007 12:00AM |
| Updated: | Apr 04 2011 08:05PM |
| Credit: | GNUCITIZEN, Adrian Pastor, and pdp are credited with discovering these issues. |
| Vulnerable: |
Thomson TG585 Router 0 BT Home Hub 6.2.6 .B BT Home Hub 6.2.2.6 BT Home Hub 0 Alcatel Speedtouch 7G |
| Not Vulnerable: | |
Discussion
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
BT Home Hub and Thomson/Alcatel Speedtouch 7G routers are prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, a cross-site scripting issue, multiple HTML-injection issues, and multiple authentication-bypass issues.
Successful exploits of many of these issues will allow an attacker to completely compromise the affected device.
These issues affect the BT Home Hub and Thomson/Alcatel Speedtouch 7G routers.
BT Home Hub and Thomson/Alcatel Speedtouch 7G routers are prone to multiple web-interface vulnerabilities, including a cross-site request-forgery issue, a cross-site scripting issue, multiple HTML-injection issues, and multiple authentication-bypass issues.
Successful exploits of many of these issues will allow an attacker to completely compromise the affected device.
These issues affect the BT Home Hub and Thomson/Alcatel Speedtouch 7G routers.
Exploit / POC
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
The following exploit code is available through GNUCitizen:
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4
UPDATE (January 10, 2008) - The cross-site scripting issue can be leveraged to perform unauthorized actions via UPnP. Please see the Bugtraq message entitled "BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP" in the references section for further information.
UPDATE (January 21, 2008) - The following proof-of-concept URI is available; please see the referenced "Call Jacking: Phreaking the BT Home Hub" webpage for further information:
POST http://www.example.com/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=0=30&1=00390669893461
The following exploit code is available through GNUCitizen:
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4
UPDATE (January 10, 2008) - The cross-site scripting issue can be leveraged to perform unauthorized actions via UPnP. Please see the Bugtraq message entitled "BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP" in the references section for further information.
UPDATE (January 21, 2008) - The following proof-of-concept URI is available; please see the referenced "Call Jacking: Phreaking the BT Home Hub" webpage for further information:
POST http://www.example.com/cgi/b/_voip_/stats//?ce=1&be=0&l0=-1&l1=-1&name=0=30&1=00390669893461
Solution / Fix
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
BT Home Hub and Thomson/Alcatel Speedtouch 7G Multiple Vulnerabilities
References:
References:
- BT Home Hub (BT)
- BT home router wide open to hijackers (The Register)
- Call Jacking: Phreaking the BT Home Hub (GNUCITIZEN)
- Thomson Alcatel Speedtouch 7G (Thomson Alcatel)
- BT Home Flub: Pwnin the BT Home Hub (Adrian P)
- BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP ("Adrian P"
- THOMSON Router XSS ([email protected])
- BT Home Flub: Pwnin the BT Home Hub (GNUCITIZEN)