Author / Topic: ADB Pirelli P.DG A4000N deployed by MEO Portugal  (Read 3637 times)
« : 08-05-2015, 09:53 (Friday) »

Hacking again Pirelli routers: ADB Pirelli P.DG A4000N deployed by MEO Portugal

A few months after the full disclosure of CVE-2015-0558, I was contacted by our reader Kara Davis, who identified the same WPA key generation algorithm in the model P.DG A4000N, distributed by the Portuguese ISP MEO. Such routers can be recognized by their ESSID and MAC addresses. The ESSIDs normally follow this pattern: ADSLPT-ABXXXXX, and the MAC addresses correspond to the Pirelli brand. When I verified the information, I took the chance to dump the firmware and see whether the old vulnerabilities (CVE-2015-0554, CVE-2015-0558) were also in there. From testing and evidence we concluded the existing PoC could also generate the default WPA password for this model. Simple changes, such as generating from a different MAC address interface and reducing the length from 10 to 8 chars, had to be implemented. However, the algorithm used was evidently the same as in the P.DG A4001N distributed by Arnet in Argentina. Kara Davis and I agreed on a responsible disclosure and decided to investigate further.

First of all, we dumped the firmware image from the router via an OS command injection in the telnet service. After we managed to do so, the same algorithm was eventually found in there. On top of that, the same unauthorized access was discovered as well. This router likely has plenty of vulnerabilities as well; we simply decided to stop with this model.

Summarizing, the router P.DG A4000N deployed by MEO Portugal presents the following flaws:

Weaknesses on the default WPA key generation algorithm
OS command injection through the telnet service concluding with root in the box
Unauthorized access to almost all the HTML code

Problems and models affected

I wanted to do a responsible disclosure, therefore I contacted the Portuguese ISP MEO and was surprised by a quick reply via Twitter, telling me to forward the details to a specific person, which I immediately did. Unfortunately, to this day I am still waiting for a reply. ADB/Pirelli and Arnet have been aware of the vulnerability since 2014. Eventually, I decided to do a full disclosure for the newly identified model to speed up fixing the problem and/or replacing the affected routers to avoid intrusions. Once again, neither the ISPs nor the manufacturer has shown interest in discussing the problem after several contacts.

The vulnerability is considered quite serious: a malicious attacker within WiFi range can calculate the default password, gain access to the network, compromise it and use it for malicious purposes.

I strongly recommend everyone using affected units to immediately change their default WPA password.
The models identified as vulnerable are:

P.DG A4001N – SSID: Wifi-Arnet-XXXX – Arnet Argentina
More countries will be disclosed soon. Pirelli has made the same mistake around the world.

The new version of the WPAmagickey app will be published soon; for now the beta testers are playing with it.

Regards.

PS: As always, I will have messed up somewhere.
« Last modified: 08-05-2015, 10:03 (Friday) by buckynet »