Comments on: BT Home Flub: Pwnin the BT Home Hub

By: lahtib

lahtib — Sun, 17 Feb 2008 00:51:10 +0000

The song is “Girl From Ipanema” by Stan Getz…it’s American, not portuguese or brazilian. Great post!

By: Operation n » Home router attacks - the snowball effect…

Operation n » Home router attacks - the snowball effect… — Fri, 25 Jan 2008 06:56:49 +0000

[...] It looks like everyone is jumping on the home router attacks bandwagon. Zulfikar Ramzan restates his definition of drive-by pharming where it “It allows attackers to create a Web page that, simply when viewed, results in substantive configuration changes to your home broadband router or wireless access point.” There are some examples in there including attacks against the standard router used in Mexico. A combination of flaws in the router allow the reconfiguration of the router to point to a rogue DNS server, which can point to a popular/trusted website to an ip address of host of an attacker. All this comes with the recent findings that the BT home hubs had an authentication bypass vulnerability (requiring an user to click a malicious link) found by gnucitizen. [...]

By: pdp

pdp — Fri, 11 Jan 2008 10:40:08 +0000

the only way to prevent UPnP based attacks is to disable UPnP on your router. On some router models this is not trivial at all and sometimes even impossible.

By: cephalopod

cephalopod — Fri, 11 Jan 2008 10:36:10 +0000

looking at the majority of the XSS vulnerabilities, they make use of 192.168.1.254 in the javascript - so surely it’ll prevent script kiddies exercising that?

how about combining that with deleting the tech user aswell… would that prevent all bar the UPnP vulnerability?

By: pdp

pdp — Fri, 11 Jan 2008 10:26:50 +0000

nope, it will make it slightly more complicated but in general it wont prevent anything.

By: cephalopod

cephalopod — Fri, 11 Jan 2008 10:20:04 +0000

er… wouldn’t a simple change of the homehub LAN IP prevent these hacks?!

By: \-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub”

\-=[WHK]=-// » Archive » Hackeando un HUB “BT Home Hub” — Thu, 15 Nov 2007 19:29:42 +0000

[...] Fuente: http://www.gnucitizen.org/blog.....t-home-hub [...]

By: Adrian Pastor

Adrian Pastor — Sun, 11 Nov 2007 13:10:34 +0000

1337:

The CSRF, XSS and double-slash auth bypass are still there on version 6.2.6.B.

For instance, although version 6.2.6.B has now password-protected the page that shows the WEP/WPA, it’s still possible to access it *without* authenticating by ending the URL with 2 slashes:
http://192.168.1.254/cgi/b/_wli_/seccfg//

Try it on your Home Hub. It should work. This means that people can still steal your WEP/WPA key by scraping the previous URL through one of the many XSS vulns still present on version 6.2.6.B.

However, version 6.2.6.B has added lots of restrictions such as disabling telnet, remote assistance and worst of all: the config file is now encrypted/obfuscated!: http://192.168.1.254/cgi/b/backup/user.ini//

However, I have not checked if uploading a clear-text version of the config file still works. If so, you could still mod your own Home Hub without restrictions by simply editing user.ini.

Check out our other ‘Pwnin the BT Home Hub’ posts for more info:

http://www.gnucitizen.org/blog.....home-hub-2

http://www.gnucitizen.org/blog.....home-hub-3

http://www.gnucitizen.org/blog.....home-hub-4

By: 1337

1337 — Sun, 11 Nov 2007 02:22:13 +0000

Any exploits for Software version: 6.2.6.B ? These Homehubs really are weak. A padlock from poundland is more secure!

By: BT Home Flub: Pwnin the BT Home Hub (4) | GNUCITIZEN

BT Home Flub: Pwnin the BT Home Hub (4) | GNUCITIZEN — Thu, 08 Nov 2007 11:33:19 +0000

[...] is the exploit shown in our first demo video on which we forge the enable remote assistance request using an [...]

By: BT Home Flub: Pwnin the BT Home Hub (3) | GNUCITIZEN

BT Home Flub: Pwnin the BT Home Hub (3) | GNUCITIZEN — Tue, 23 Oct 2007 10:39:41 +0000

[...] BT is restricting/crippling the remote assistance feature as a result of the vulnerabilities we reported. I personally found the following statement interesting: A BT spokesman said service will be [...]

By: John

John — Sun, 21 Oct 2007 14:55:40 +0000

I’ve been looking into the BT homehub recently, I’m interested to see how secure the remote desktop facility is.

By: Adrian Pastor

Adrian Pastor — Fri, 19 Oct 2007 19:25:55 +0000

DavidB,

That would be very unfeasible. Probably the closest thing you can do to that is using a black-list database from some popular web content filtering proxy software.

I mean, the malicious JS that exploits your router could be anywhere such as in a free .googlepages.com webpage.

By: DavidB

DavidB — Fri, 19 Oct 2007 07:49:00 +0000

I know there are supposed to be some malicious sites that have cross-scripting to perform attacks on machines/routers. Does anyone have a list of these as I’d like to put some additional rules into my firewalls to prevent access to these sites?

By: BT Home Flub: Pwnin the BT Home Hub (2) | GNUCITIZEN

BT Home Flub: Pwnin the BT Home Hub (2) | GNUCITIZEN — Tue, 16 Oct 2007 22:02:15 +0000

[...] anytime and from anywhere after it’s been been broken into. You are recommended to read the first part of this post if you haven’t done so [...]

By: BT Homehub Easily Hacked by Roundtrip Solutions Blog

BT Homehub Easily Hacked by Roundtrip Solutions Blog — Tue, 16 Oct 2007 07:49:10 +0000

[...] news, tips and tricks. Thanks for visiting!BT Homehub users should take great care as a new vulnerability allows hackers to “own” their router without knowing the administrator password. More [...]

By: antivirustaneja

antivirustaneja — Wed, 10 Oct 2007 04:26:26 +0000

Nice work…bt if you release the code as well only then they’ll do as quickly as they can ….moreover hereafter they can’t ignore your research…….

By: Taffy

Taffy — Tue, 09 Oct 2007 22:47:24 +0000

I dout BT will do anything .. as they already have a bad reputation with this kind of stuff

By: BT Home hub/Speedtouch 7G vulnerability « The Gold Bug Security Blog

BT Home hub/Speedtouch 7G vulnerability « The Gold Bug Security Blog — Tue, 09 Oct 2007 22:12:43 +0000

[...] More details about the vulnerability here. [...]

By: Adrian Pastor

Adrian Pastor — Tue, 09 Oct 2007 20:54:51 +0000

btw, I forgot to give thanks to Jan Fry for testing the vulnerabilities on the Thomson/Alcatel’s Speedtouch 780 (provided by BeThere in the UK).

zip,

the song is Brazilian I believe (sung in Portuguese).

blah,

I don’t think there is anything wrong with publishing vulnerability research, especially when it’s independent and unpaid.

The good news is we have been in touch with some technical people from BT who are in the process of verifying the vulnerabilities we found.