Sunday, September 28, 2014

Telekom Serbia Router Security Holes

Software version of router: P.DGA4010G_1.23-Telekom_Serbija_TR069_A

They actually managed to misspell Serbija instead of Serbia. I mean, really?
Either you write Srbija in Serbian language or Serbia in English.

I was wondering, if they made that obvious rookie mistake with spelling what then they did with security?

There are three security holes:

1.
Login as user with standard username and password (user: telekom pass: telekom)
(I used Google Chrome)
Right click → Inspect Element → Sources → menuBcm.js

From there you can acess all pages. For example if you want to restart router hit ctrl + F and you find any function insDoc. For example:

insDoc(nodeMngr, gLnk('R', getMenuTitle(MENU_RESET_ROUTER), 'resetrouter.html'));

In browser type routerIpAdress/resetrouter.html and you will be granted access to this (and to any other options in any insDoc function) option without verifying first for admin privileges.

2.
Or alternatively you can extract admin password.
In menuBcm.js you will find also
insDoc(nodeAccCntr, gLnk('R', getMenuTitle(MENU_ACC_CNTR_PASSWORD), 'password.html'));

So we can try to change admin password. Type routerIpAdress/password.html but there you will notice that we need to input old password in order to change it. No problem, right click and select View page source. And look at line 12. Yes it's real, line 12 is
pwdAdmin = 'tzlkisonpk';

Now we have admin password tzlkisonpk.
And now we can relogin with user: admin and password: tzlkisonpk to confirm this.

3.
Another even more cooler security hole is this, you login as user, name: telekom, pass telekom and paste this in browser adress bar and execute it
routerIpAdress/password.cgi?adminPassword=MyNewAdminPass
Also, new password can not be larger than 16 characters. You can got this by analyzing password.html source.


Congratulations you just now changed admin password to MyNewAdminPass.