Software version of the router: P.DGA4010G_1.23-Telekom_Serbija_TR069_A
They actually managed to misspell it as Serbija instead of Serbia. I mean, really? Either you write Srbija in Serbian or Serbia in English.
I was wondering: if they made that obvious rookie mistake with spelling, what did they do with security?
There are three security holes:
1. Log in as a user with the standard username and password (user: telekom, password: telekom). (I used Google Chrome.) Right click → Inspect Element → Sources → menuBcm.js. From there you can access all pages. For example, if you want to restart the router, hit Ctrl + F and search for any insDoc function, such as:
insDoc(nodeMngr, gLnk('R', getMenuTitle(MENU_RESET_ROUTER), 'resetrouter.html'));
In the browser type routerIpAdress/resetrouter.html and you will be granted access to this option (and to any other option in any insDoc function) without first being checked for admin privileges.
2. Alternatively, you can extract the admin password. In menuBcm.js you will also find
insDoc(nodeAccCntr, gLnk('R', getMenuTitle(MENU_ACC_CNTR_PASSWORD), 'password.html'));
So we can try to change the admin password. Type routerIpAdress/password.html, but there you will notice that we need to enter the old password in order to change it. No problem: right click and select View page source, and look at line 12. Yes, it's real, line 12 is
pwdAdmin = 'tzlkisonpk';
Now we have the admin password: tzlkisonpk. We can now log in again with user: admin and password: tzlkisonpk to confirm this.
3. Another, even cooler security hole is this: log in as user (name: telekom, password: telekom), paste this in the browser address bar and execute it:
routerIpAdress/password.cgi?adminPassword=MyNewAdminPass
Also, the new password cannot be longer than 16 characters; you can find this out by analyzing the password.html source.
Congratulations, you have just changed the admin password to MyNewAdminPass.
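As an added illustration (not code from the router firmware or from this post), the Python sketch below models the page dispatch and password.cgi handling behind all three holes: the vulnerable behaviour beside a hardened version that checks the session role on every admin page rather than only hiding menu links, re-authenticates with the current password, enforces the 16-character limit on the server and stores only a salted hash so no plaintext can end up in page source. AccountStore, the handler names and the numeric status codes are assumptions for the sketch.

```python
import hashlib
import hmac
import os

# Pages the menu treats as admin-only; names taken from the insDoc entries above.
ADMIN_PAGES = {"resetrouter.html", "password.html", "password.cgi"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountStore:
    """Constructed model of the admin account; the real firmware's storage is not
    on the page. Keeps a salted hash, so no plaintext exists to leak into HTML."""

    def __init__(self, admin_password: str) -> None:
        self.set_admin(admin_password)

    def set_admin(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.admin_hash = _hash(password, self.salt)

    def verify_admin(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.admin_hash)


def vulnerable_handler(store, session_user, path, params):
    """Behaviour the three holes describe: links are only hidden in menuBcm.js,
    the old-password prompt and the 16-character limit live in the HTML, and
    password.cgi applies adminPassword for whoever happens to be logged in."""
    if path == "password.cgi":
        store.set_admin(params["adminPassword"])
    return 200


def hardened_handler(store, session_user, path, params):
    """The same dispatch with the checks enforced on the server."""
    if path in ADMIN_PAGES and session_user != "admin":
        return 403  # role check on every admin page, not just on the menu link
    if path == "password.cgi":
        if not store.verify_admin(params.get("oldPassword", "")):
            return 401  # re-authenticate with the current password
        new = params.get("adminPassword", "")
        if not 1 <= len(new) <= 16:
            return 400  # length rule enforced here, not only in password.html
        store.set_admin(new)
    return 200
```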