Comments on: BT Home Flub: Pwnin the BT Home Hub (4)

By: Holes in Embedded Devices: Authentication bypass (pt 1) | GNUCITIZEN

Holes in Embedded Devices: Authentication bypass (pt 1) | GNUCITIZEN — Thu, 14 Feb 2008 12:13:38 +0000

[...] instance, the BT Home Hub, which is the most popular DSL router in the UK is vulnerable to an authentication bypass bug due to the device accepting multiple representations of the same [...]

By: Voice of VOIPSA » Blog Archive » Amusing Vulnerability in the BT Home Hub

Wed, 23 Jan 2008 17:51:23 +0000

[...] upon a previously reported (and still un-patched!) vulnerability in the BT Home Hub which allows HTTP authentication to be bypassed, the folks over at GNUCitizen [...]

By: norm

norm — Mon, 21 Jan 2008 22:09:20 +0000

The new Home Hub firmware (6.2.6E) removes these exploits.

However if you gain wireless access to the device (which isn’t difficult if it’s on WEP) you will find the default password has been changed to the serial number of the device (unless the owner changed it since).

Now you might think getting the serial number would be impossible without physical access, but using the firmware recovery tool provided by BT it will tell you the serial number on finding it. Then all you do is add the two characters ‘CP’ infront of it to make it valid e.g. CP01234ABCD.

From there I guess the possibility lies with downgrading the firmware to a more vulnerable version.

By: Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN

Call Jacking: Phreaking the BT Home Hub | GNUCITIZEN — Mon, 21 Jan 2008 02:47:00 +0000

[...] Reason for this is that the exploit relies on an authentication bypass vulnerability that we have reported a while ago and hasn’t still been fixed by BT! In our original report, we mentioned that the [...]

By: BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP | GNUCITIZEN

Thu, 10 Jan 2008 11:46:25 +0000

[...] if you find a pre-auth XSS vulnerability on the target device you can bypass such restriction. For instance, many devices such as the BT [...]

By: t3h 1337

t3h 1337 — Sat, 22 Dec 2007 07:16:40 +0000

Any 0day for 626c?

By: Rob

Rob — Sat, 24 Nov 2007 17:08:40 +0000

I don’t suppose there is an exploit in 6.2.6.B that allows telnet access?

By: \-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub”

\-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub” — Thu, 15 Nov 2007 19:38:48 +0000

[...] Fuentes: http://www.gnucitizen.org/blog.....t-home-hub http://www.gnucitizen.org/blog.....home-hub-2 http://www.gnucitizen.org/blog.....home-hub-3 http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: - TERIS - » Blog Archive » Acceso a routers vulnerables de uso doméstico

Thu, 15 Nov 2007 05:00:55 +0000

[...] Exploits: http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: Acceso a routers vulnerables de uso doméstico « blog NeTTinG

Acceso a routers vulnerables de uso doméstico « blog NeTTinG — Tue, 13 Nov 2007 22:52:37 +0000

[...] Exploits: http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: CBM Security Blog » Blog Archive » BT Home Hub still vulnerable

CBM Security Blog » Blog Archive » BT Home Hub still vulnerable — Mon, 12 Nov 2007 14:16:27 +0000

[...] The details about the ongoing and very real problems about the BT Home Hub can be found here. http://www.gnucitizen.org/blog.....home-hub-4 [...]

By: Adrian Pastor

Adrian Pastor — Sun, 11 Nov 2007 12:03:19 +0000

Here is the demo video for Exploit #3 : http://www.youtube.com/watch?v=QiFQPKcAtNI

By: Adrian Pastor

Adrian Pastor — Fri, 09 Nov 2007 09:45:44 +0000

@G-Brain - fair enough! I see what you mean, I guess I wasted a few CPU cycles in the script.

You’re right though, if you want to be perfectionist, the definitions on ’steal.php’ should be under the IF statement.

By: G-Brain

G-Brain — Thu, 08 Nov 2007 23:00:50 +0000

I see, thanks for the explanation. I don’t see why those definitions of RCPT_EMAIL and EMAIL_SUBJECT are made even when there is no $_REQUEST['data'] though… ;)

By: Adrian Pastor

Adrian Pastor — Thu, 08 Nov 2007 22:20:49 +0000

@NurBo - Glad yo like it!

@G-Brain - ’steal.php’ is derived from a generic data theft script I wrote long time ago. The idea of the original script is that it works for both, GET and POST, hence the use of $_REQUEST .

btw guys, there is video we’re posting soon on this very same page showing a DoS on the BT Home Hub. The exploit takes advantage of the double slash auth bypass + CSRF to disable the wireless connection.

Although I usually don’t like DoS attacks, I must say that this one is kind of a killer. Just visit site, and boom, the Home Hub’s wireless interface is disabled permanently!

By: G-Brain

G-Brain — Thu, 08 Nov 2007 21:26:39 +0000

NurBo reads this stuff? Hehe…

I’d use $_POST['data'] instead of $_REQUEST['data'] in steal.php though. $_REQUEST contains $_GET, $_POST, and $_COOKIE, and all you need here is $_POST. Furthermore, good job! Nice article.

By: NurBo

NurBo — Thu, 08 Nov 2007 16:43:41 +0000

whoa nice stuff