Friday, October 17, 2014

Telekom ADSL: how to extract the username and password for the ADSL connection?

For users who like to poke around in ADSL modems and who have an HG 531 V1 ADSL modem (it probably works on similar models too), I made a script that will extract the username and password used when establishing the ADSL connection.

This is useful to have in case your modem gets stuck and not even a factory reset helps, and it is also useful if you want to set up the ADSL connection through some other modem.

Unpack the Telekom.zip archive and run Script.bat
After a few moments your username and password will be displayed, and when you press OK in the window those details are copied to the clipboard so you can easily save them to a file.

You can download the Telekom.zip archive here

Sunday, September 28, 2014

Telekom Serbia Router Security Holes

Software version of router: P.DGA4010G_1.23-Telekom_Serbija_TR069_A

They actually managed to misspell it as Serbija instead of Serbia. I mean, really?
Either you write Srbija in Serbian or Serbia in English.

I was wondering: if they made such an obvious rookie mistake with spelling, what did they do with security?

There are three security holes:

1.
Login as user with standard username and password (user: telekom pass: telekom)
(I used Google Chrome)
Right click → Inspect Element → Sources → menuBcm.js

From there you can access all pages. For example, if you want to restart the router, hit Ctrl+F and search for any insDoc function call. For example:

insDoc(nodeMngr, gLnk('R', getMenuTitle(MENU_RESET_ROUTER), 'resetrouter.html'));

In the browser type routerIpAddress/resetrouter.html and you will be granted access to this option (and to any other option registered in an insDoc call) without any check for admin privileges first.

2.
Alternatively, you can extract the admin password.
In menuBcm.js you will also find
insDoc(nodeAccCntr, gLnk('R', getMenuTitle(MENU_ACC_CNTR_PASSWORD), 'password.html'));

So we can try to change the admin password. Type routerIpAddress/password.html, but there you will notice that we need to enter the old password in order to change it. No problem: right click, select View page source, and look at line 12. Yes, it's real, line 12 is
pwdAdmin = 'tzlkisonpk';

Now we have the admin password tzlkisonpk.
We can now log in again with user: admin and password: tzlkisonpk to confirm this.

3.
Another, even cooler, security hole is this: log in as the user (name: telekom, pass: telekom), paste this into the browser address bar and execute it
routerIpAdress/password.cgi?adminPassword=MyNewAdminPass
Also, the new password cannot be longer than 16 characters. You can see this by analyzing the password.html source.

Congratulations, you have just changed the admin password to MyNewAdminPass.
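The three holes above are all server-side mistakes: the router checks that someone is logged in but never which role the session has (hole 1 and 3), it ships the admin password to the client so that a script can compare it locally (hole 2), and password.cgi trusts the adminPassword parameter without verifying the old password or enforcing the 16-character limit on the server. The following is an added example (not firmware code from the router or from this post): a small in-process model of the request handlers, with the vulnerable dispatch next to a hardened one that applies a per-page role table, verifies the old password on the server, and keeps the secret out of the page. The page names and the telekom/admin accounts come from the post; the Session and Router classes, the handler bodies and the placeholder password are assumptions made for illustration.

```python
"""Vulnerable vs hardened handling of the router's admin pages (added example)."""
import hmac
from dataclasses import dataclass, field

MAX_PASSWORD_LEN = 16  # the limit the post found in password.html; here it is enforced server-side


@dataclass
class Session:
    username: str
    role: str  # "user" (the telekom account) or "admin"


@dataclass
class Router:
    # Constructed placeholder, not the password reported in the post.
    admin_password: str = "ADMIN-PASSWORD-PLACEHOLDER"
    reset_count: int = 0
    # Role each page requires. The vulnerable build never consults this table.
    required_role: dict = field(default_factory=lambda: {
        "resetrouter.html": "admin",
        "password.html": "admin",
        "password.cgi": "admin",
    })


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def vulnerable_dispatch(router, session, page, params):
    """Holes 1-3: only 'is someone logged in?' is checked, the admin password is
    embedded in password.html, and password.cgi takes adminPassword at face value."""
    if session is None:
        raise Forbidden("login required")
    if page == "resetrouter.html":
        router.reset_count += 1
        return "router restarting"
    if page == "password.html":
        # The old-password comparison is done by client-side script, so the secret
        # has to be in the page source, readable by anyone who can load it.
        return f"<script>pwdAdmin = '{router.admin_password}';</script>"
    if page == "password.cgi":
        # No old-password check and no length check: the 16-char limit lives only in the HTML.
        router.admin_password = params["adminPassword"]
        return "password changed"
    raise KeyError(page)


def hardened_dispatch(router, session, page, params):
    """Per-page role check, server-side old-password verification, no secret in the page."""
    if session is None:
        raise Forbidden("login required")
    needed = router.required_role.get(page, "admin")  # unknown pages default to admin-only
    if session.role != needed:
        raise Forbidden(f"{page} requires role {needed}")
    if page == "resetrouter.html":
        router.reset_count += 1
        return "router restarting"
    if page == "password.html":
        # The form only carries the fields; the comparison happens in password.cgi.
        return "<form action='password.cgi'><input name='oldPassword'><input name='adminPassword'></form>"
    if page == "password.cgi":
        supplied = params.get("oldPassword", "")
        if not hmac.compare_digest(supplied, router.admin_password):
            raise Forbidden("old password does not match")
        new = params.get("adminPassword", "")
        if not 1 <= len(new) <= MAX_PASSWORD_LEN:
            raise ValueError(f"new password must be 1-{MAX_PASSWORD_LEN} characters")
        router.admin_password = new
        return "password changed"
    raise KeyError(page)


def audit():
    """Replay the post's three steps as the non-admin telekom session against both builds."""
    telekom = Session("telekom", "user")
    results = {}

    vuln = Router()
    results["vuln_reset"] = vulnerable_dispatch(vuln, telekom, "resetrouter.html", {})
    results["vuln_leaks_password"] = vuln.admin_password in vulnerable_dispatch(vuln, telekom, "password.html", {})
    vulnerable_dispatch(vuln, telekom, "password.cgi", {"adminPassword": "MyNewAdminPass"})
    results["vuln_password_after"] = vuln.admin_password

    hard = Router()
    for page, params in (("resetrouter.html", {}), ("password.html", {}),
                         ("password.cgi", {"adminPassword": "MyNewAdminPass"})):
        try:
            hardened_dispatch(hard, telekom, page, params)
            results["hard_" + page] = "allowed"
        except Forbidden:
            results["hard_" + page] = "forbidden"
    results["hard_password_after"] = hard.admin_password
    return results


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

In the hardened build the role table is the single place where "who may reach this page" is decided, which is what the insDoc menu entries in menuBcm.js were being used for on the client side; the old-password comparison uses hmac.compare_digest so the server never has to send the stored secret to the browser.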