Comments on: BT Home Flub: Pwnin the BT Home Hub (4)

By: Richard Burns

Richard Burns — Wed, 29 Apr 2009 07:00:55 +0000

This all seems pointless, tell me i’m wrong. How can you run any of this unless your on the network? I am surrounded by at least 10 hubs and need to access one of them??

By: Jonnycorer77

Jonnycorer77 — Sat, 17 Jan 2009 20:05:21 +0000

Noggin, take a look at the post concerning bypassing the admin password, all you need is there

By: Noggin

Noggin — Thu, 15 Jan 2009 09:58:48 +0000

I am connected to a BT Home Hub with the WPA2 key (it’s a long story how I got that!) and when I browse 192.168.1.254 I get the “Change your admin password for the first time” screen, showing version 8.1.A

I’ve tried entering the serial number (from the BT Home Hub Admin app plus “CP” in front) but it tells me it is invalid. I have another BT Home Hub and once I’ve changed the admin password this screen no longer shows.

Any ideas how I can gain access to the admin pages?

By: Pwning Ubuntu via CUPS | GNUCITIZEN

Pwning Ubuntu via CUPS | GNUCITIZEN — Tue, 18 Nov 2008 13:43:30 +0000

[...] similar to our previously-published BT Home Hub vulnerabilities, it’s possible to use the victim’s browser as a bridge to talk to a service/daemon [...]

By: Arie’s Blog » Blog Archive » Hacking Online’s new modem

Arie’s Blog » Blog Archive » Hacking Online’s new modem — Thu, 28 Aug 2008 13:45:50 +0000

[...] some googling I came across a vulnerability in the Speedtouch 780, that allows you to access any page of the webinterface, even the ones you shouldn’t have [...]

By: Pwnie Award Nominee | GNUCITIZEN

Pwnie Award Nominee | GNUCITIZEN — Thu, 24 Jul 2008 14:53:48 +0000

[...] a friend of mind let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie [...]

By: Holes in Embedded Devices: Authentication bypass (pt 1) | GNUCITIZEN

Holes in Embedded Devices: Authentication bypass (pt 1) | GNUCITIZEN — Thu, 14 Feb 2008 12:13:38 +0000

[...] instance, the BT Home Hub, which is the most popular DSL router in the UK is vulnerable to an authentication bypass bug due to the device accepting multiple representations of the same [...]

By: Voice of VOIPSA » Blog Archive » Amusing Vulnerability in the BT Home Hub

Wed, 23 Jan 2008 17:51:23 +0000

[...] upon a previously reported (and still un-patched!) vulnerability in the BT Home Hub which allows HTTP authentication to be bypassed, the folks over at GNUCitizen [...]

By: norm

norm — Mon, 21 Jan 2008 22:09:20 +0000

The new Home Hub firmware (6.2.6E) removes these exploits.

However if you gain wireless access to the device (which isn’t difficult if it’s on WEP) you will find the default password has been changed to the serial number of the device (unless the owner changed it since).

Now you might think getting the serial number would be impossible without physical access, but using the firmware recovery tool provided by BT it will tell you the serial number on finding it. Then all you do is add the two characters ‘CP’ infront of it to make it valid e.g. CP01234ABCD.

From there I guess the possibility lies with downgrading the firmware to a more vulnerable version.

By: Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN

Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN — Mon, 21 Jan 2008 02:47:00 +0000

[...] Reason for this is that the exploit relies on an authentication bypass vulnerability that we have reported a while ago and hasn’t still been fixed by BT! In our original report, we mentioned that the [...]

By: BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP | GNUCITIZEN

Thu, 10 Jan 2008 11:46:25 +0000

[...] if you find a pre-auth XSS vulnerability on the target device you can bypass such restriction. For instance, many devices such as the BT [...]

By: t3h 1337

t3h 1337 — Sat, 22 Dec 2007 07:16:40 +0000

Any 0day for 626c?

By: Rob

Rob — Sat, 24 Nov 2007 17:08:40 +0000

I don’t suppose there is an exploit in 6.2.6.B that allows telnet access?

By: \-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub”

\-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub” — Thu, 15 Nov 2007 19:38:48 +0000

[...] Fuentes: http://www.gnucitizen.org/blog.....t-home-hub http://www.gnucitizen.org/blog.....home-hub-2 http://www.gnucitizen.org/blog.....home-hub-3 http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: - TERIS - » Blog Archive » Acceso a routers vulnerables de uso doméstico

Thu, 15 Nov 2007 05:00:55 +0000

[...] Exploits: http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: Acceso a routers vulnerables de uso doméstico « blog NeTTinG

Acceso a routers vulnerables de uso doméstico « blog NeTTinG — Tue, 13 Nov 2007 22:52:37 +0000

[...] Exploits: http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: CBM Security Blog » Blog Archive » BT Home Hub still vulnerable

CBM Security Blog » Blog Archive » BT Home Hub still vulnerable — Mon, 12 Nov 2007 14:16:27 +0000

[...] The details about the ongoing and very real problems about the BT Home Hub can be found here. http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: Adrian Pastor

Adrian Pastor — Sun, 11 Nov 2007 12:03:19 +0000

Here is the demo video for Exploit #3 : http://www.youtube.com/watch?v=QiFQPKcAtNI

By: Adrian Pastor

Adrian Pastor — Fri, 09 Nov 2007 09:45:44 +0000

@G-Brain – fair enough! I see what you mean, I guess I wasted a few CPU cycles in the script.

You’re right though, if you want to be perfectionist, the definitions on ’steal.php’ should be under the IF statement.

By: G-Brain

G-Brain — Thu, 08 Nov 2007 23:00:50 +0000

I see, thanks for the explanation. I don’t see why those definitions of RCPT_EMAIL and EMAIL_SUBJECT are made even when there is no $_REQUEST['data'] though… ;)