Comtrend HG536+ poligon firmware tftp vuln

Monday, June 15, 2009
##########################################
Comtrend HG536+ poligon firmware tftp vuln
Vendor url: www.comtrend.com
Vendor: www.adslzone.net/firmware-adslzone-poligon.html
Advisore Url:http://lostmon.blogspot.com/2009/06/
comtrend-hg536-poligon-firmware-tftp.html
Vendor notify: NO Exploit: see explanation.
#########################################

##############
History
##############

This is a extended research from those vulns =>

http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html

And =>

http://www.securityfocus.com/bid/32975

poligon firmware have all the same flaws.

#####################
Description By vendor
Comtrend
#####################

The HG536+ is an 802.11g (54Mbps) wireless and wired
Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet ports provide wired LAN connectivity
with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.

###################
Description poligon
firmware by adslzone
####################

Poligon ADSLzone comes from several firmwares manufacturers
and suppliers that use Internet (Asus, U.S. Robotics, Comm Net
, Broadcom, Deutsche Telekom, Alice Italy, Pirelli (Italy),
Bungury (Russia) and Vodafone (Thailand).

################
Vulnerabilities
################

This firmware have a flaw in tftp
service ,if a user have enable lan access
to tftp server and/or access from Wan ,
this router is prone vulnerable to a DoS
condition.

in the configuration file we can look for
services enabled at this line =>

---------------------------------------------------
srvCtrlList ftp="lan" http="lan" icmp="lan"
snmp="disable" ssh="disable" telnet="lan" tftp="lan"
----------------------------------------------------

in this case we have enabled tftp access from lan

oks create a new html file for example tweaking.html
(this file exists in poligon firmwares but you can use other
that´s have in yopur router in the /webs folder).

let´s try to upload it from my machine to /webs router folder

tftp -i 192.168.1.1 PUT c:\tweaking.html /webs

the file is aparently upload and the tftp server is configured
for reboot the router after upload finished.

Them i make the same test via Wan access and i have
the same result the router is reboot...

This can cause a DoS to a user , because a atacker
can force to reset all time, the victim´s router.

###############
versions
###############

Comtrend HG536+ router with this firmwares:

firmware Comtrend A101-302JAZ-C01_R05

firmware A101-302JAZ-C03_R14.A2pB021g.d15h

firmware Poligon, Release.0810b_1525 ADSLZONE v.1.10.08.11b (tftp issue)

##############
Solution
#############

No solution was available at this time.

by default this router is configured for
denied the access from WAN connections
But this style attack can be done if any
user is inside the LAN or if enable the
access from WAN for tftp service.

Configure to disable tftp and
Grant access to device ,only to trust users.

################# €nd #############

Thnx To Brink for test with me and for
his patience wen i reboot his router :P
Brinkxd@gmail.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...