Comments on: Dumping the admin password of the BT Home Hub (pt 2)

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sat, 31 May 2008 08:33:19 +0000

We got a winner :) I can confirm this works on the BT Home Hub v1, firmware 6.2.6.E. Good catch Aaron!

Any other ideas on how to obtain the Hub’s S/N and therefore the default admin password? The more techniques the merrier!

btw, the troubleshooting page - which doesn’t require a password to be seen - *used to* include the S/N but BT removed such info in the latest firmware: https://api.home/cgi/b/bttroubleshooting/

By: Stephen

Stephen — Fri, 30 May 2008 16:28:10 +0000

I can verify that the OU of the SSL certificate gives the serial number on 6.2.6.E on my HH v1.5

Just point your browser to https://api.home/ and click examine certificate when prompted ;)

By: Aaron

Aaron — Thu, 29 May 2008 18:41:45 +0000

You can dump the serial number of the HomeHub 6.2.6.E by connecting to the HTTPS port and examining the SSL Certificate… the default OU of the certificate issuer is the serial number of the device…

Hence, the pwndhub I am currently using has just dished out this after I ran a Nessus scan on it…

OU = 0641EHJRR
O = THOMSON
CN = BT Home Hub

Please verify this works for others…

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 28 May 2008 22:51:58 +0000

The serial number disclosure reported in this post was originally tested on a BT Home Hub running firmware version 6.2.2.6. However, it appears that BT has replaced such information with the Hub’s MAC address in the latest firmware (6.2.6.E at time of writing).

Since only the latest firmware uses the Hub’s serial number as the default admin password, the reported serial number disclosure via UPnP XML description files is NOT exploitable.

Nevertheless, the MDAP attack described in our previous post has been verified on the latest firmware and has been confirmed by several users both, on the BT Home Hub v1, and v1.5.

By: rishi

rishi — Wed, 28 May 2008 13:32:43 +0000

have any flaws been found in the H firmware?

Thanks

By: Stephen

Stephen — Tue, 27 May 2008 16:24:47 +0000

Ok. Reading it in detail the upnp/IGD.xml file contains the following:

Device not enabled: UPNP-IGD

So at least it seems to be off.

However the dslf/IGD.xml looks like it still offers services - does this mean that even turning off UPnP that one could still utilise the dslf stuff to pwn it?

By: pdp

pdp — Tue, 27 May 2008 16:21:13 +0000

even when you switch off UPnP the IGD description may still be present.

By: Stephen

Stephen — Tue, 27 May 2008 16:19:22 +0000

Apologies for three posts in a row but I just checked and UPnP is definitely switched off on my HH (I immediately disabled it on reading your initial HH posts some months ago).

Should these files still be available even when UPnP is off? Because they are…

By: Stephen

Stephen — Tue, 27 May 2008 16:15:19 +0000

Just to add that I’m on 6.2.6.E (forgot to mention that)

By: Stephen

Stephen — Tue, 27 May 2008 16:10:21 +0000

On my HH v15 the serialnumber field has the MAC address in it

By: MJW

MJW — Tue, 27 May 2008 13:48:59 +0000

I’m on 6.2.6.E and I’ve checked the IGD.xml file, the Serial Number field shows my MAC code not the serial number. Is this a change in 6.2.6.E?