The following is the updated version of a post sent to FD [http://seclists.org/lists/fulldisclosure/2006/Jul/0137.html] ...

Title: Unauthenticated access to BT Voyager config file and PPP credentials embedded in HTML form

Successfully tested against:
- BT Voyager 2091 Wireless ADSL
- Firmware 2.21.05.08m_A2pB018c1.d16d
- Firmware 3.01m (last version available as of 4 July 2006)

Note: vendor was contacted at voyager2[ a t ]bt.com but did NOT respond

Description:

A POST request to "/psiBackupInfo" with a "Content-length" equal to zero (no variables submitted) returns the router's config file WITHOUT providing authentication credentials.

POST /psiBackupInfo HTTP/1.1
Host: 192.168.1.1
Connection: close
Content-Length: 0
<CRLF>
<CRLF>

Also, making a regular GET request to "/connect.html" returns the PPP username and password. Note that if tested in a web browser the user will be redirected to another page immediately after receiving the credentials. So I recommend testing this with telnet, netcat, some MITM proxy like Paros, or the script provided ("btvoyager_getconfig.sh"). Additionally you can test it in a web browser with JavaScript disabled (in order to block the JavaScript redirect code).

GET /connect.html HTTP/1.1
Host: 192.168.1.1
Connection: close
<CRLF>
<CRLF>

Screenshots:
- http://ikwt.com/projects/config_file_crack.jpg
- http://ikwt.com/projects/leaked_ppp_creds.jpg

PoC Scripts:
- http://ikwt.com/projects/btvoyager_getconfig.sh - gets config file without authentication (the config file includes sensitive info such as router's admin username and password, WEP key and PPP username and password)
- http://ikwt.com/projects/btvoyager_getpppcreds.sh - gets PPP credentials without authentication
- http://ikwt.com/projects/btvoyager_decoder.c - decodes credentials found in config file (strings made of hex values)

Attack Scenarios:

BT Voyager's web interface is only enabled for internal use by default. Also, the 2091 and other BT Voyager models come with an encryption key set by default from factory. That means that whoever exploits this vulnerability would more likely be an internal attacker: typically someone who already has legitimate access to the LAN, or an external attacker that cracks the encryption key and then becomes an internal user.

It is possible to enable the web interface for Internet use in BT Voyager routers, but this is NOT the default setup. So, although there might be some BT Voyager web interfaces out there on the Internet at this moment, I'm sure it's not that many.

BT Voyagers are usually found in homes and SOHOs, so home users and small offices using a vulnerable model will be affected by this bug.

References:
http://www.bt.com/voyager
http://www.voyager.bt.com/gpl.htm
http://www.faster.bt.com/faqs.asp

--
pagvac [http://ikwt.com/]
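For defenders who want to spot the two requests described above in proxy or IDS logs, the following is an added detection example; it is not part of the original post and is not one of pagvac's PoC scripts. It matches the request signatures the advisory gives (an empty POST to /psiBackupInfo and a GET to /connect.html), once against a raw HTTP request and once against log lines. The log format, the Finding dataclass, the function names and the sample log entries are all my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoints named in the advisory that hand out sensitive data without
# authentication, keyed by (method, path).
SENSITIVE_ENDPOINTS = {
    ("POST", "/psiBackupInfo"): "config backup returned without auth",
    ("GET", "/connect.html"): "PPP credentials embedded in HTML form",
}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d$")

# Constructed proxy/IDS log format (hypothetical, not any real device's format):
# <src_ip> <dst_ip> "<method> <path> HTTP/1.x" <status> <request_body_length>
LOG_LINE = re.compile(
    r'^(?P<src>\S+)\s+(?P<dst>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d"'
    r"\s+(?P<status>\d{3})\s+(?P<req_len>\d+)$"
)


@dataclass
class Finding:
    src: str
    method: str
    path: str
    reason: str


def _reason_for(method: str, path: str, body_len: str) -> Optional[str]:
    """Return a finding reason if (method, path) is a sensitive endpoint."""
    reason = SENSITIVE_ENDPOINTS.get((method, path.split("?")[0]))
    if reason is None:
        return None
    # The advisory's trigger for the backup endpoint is an empty POST body;
    # a non-empty body may be a legitimate (authenticated) backup, so flag it
    # for review rather than as a definite hit.
    if method == "POST" and body_len != "0":
        reason += " (non-empty body; review)"
    return reason


def classify_raw_request(raw: str, src: str = "unknown") -> Optional[Finding]:
    """Classify one raw HTTP request (request line plus headers, CRLF or LF)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    method, path = m.group("method"), m.group("path")
    reason = _reason_for(method, path, headers.get("content-length", "0"))
    if reason is None:
        return None
    return Finding(src, method, path.split("?")[0], reason)


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan constructed-format log lines and return all matching findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a parseable line; skip it
        reason = _reason_for(m.group("method"), m.group("path"), m.group("req_len"))
        if reason is not None:
            findings.append(
                Finding(m.group("src"), m.group("method"),
                        m.group("path").split("?")[0], reason)
            )
    return findings


# Constructed sample log: one benign request, the two signatures from the
# advisory, and an authenticated-looking backup POST with a body.
SAMPLE_LOG = [
    '192.168.1.23 192.168.1.1 "GET /index.html HTTP/1.1" 200 0',
    '192.168.1.23 192.168.1.1 "POST /psiBackupInfo HTTP/1.1" 200 0',
    '192.168.1.23 192.168.1.1 "GET /connect.html HTTP/1.1" 200 0',
    '192.168.1.50 192.168.1.1 "POST /psiBackupInfo HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src} {f.method} {f.path}: {f.reason}")
```

The log format here is invented purely so the example runs offline; adapt LOG_LINE to whatever your proxy or IDS actually emits. Hits on these endpoints from hosts other than the administrator's workstation are worth investigating, and the advisory's own mitigation advice applies regardless: keep the web interface off the WAN side.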