Comtrend HG536+ Privilege Escalation

28 Apr 2009 | Reported by Lostmon | Type: packetstorm | Source: packetstormsecurity.com

Comtrend HG536+ Privilege Escalation, Default Credentials, Access Control Error, Clear Text Passwords Disclosure

Code
`##########################################  
Comtrend HG536+ vulnerabilities  
Vendor URL: www.comtrend.com  
Advisory URL: http://lostmon.blogspot.com/2009/04/comtrend-hg536-vulnerabilities.html  
Vendor notified: NO  
#########################################  
  
#####################  
Description By vendor  
#####################  
  
The HG536+ is an 802.11g (54Mbps) wireless and wired  
Local Area Network (WLAN) ADSL router. Four 10/100  
Base-T Ethernet ports provide wired LAN connectivity  
with an integrated 802.11g WiFi WLAN Access Point for  
wireless connectivity.  
  
################  
Vulnerabilities  
################  
  
By default, this device ships with these settings:  
  
==========================================  
- LAN port IP address: 192.168.1.1  
- Local administrator account name: admin  
- Local administrator account password: admin  
- Local non-administrator account name: user  
- Local non-administrator account password: user  
- Remote WAN access: disabled  
- Remote WAN access account name: support  
- Remote WAN access account password: support  
- NAT: enable and firewall: disable  
- DHCP server on LAN interface: enable  
- WAN IP address: none  
============================================  
  
All of these flaws exist because access control  
relies on an ineffective JavaScript check in the  
'menuBcm.js' file, which shows or hides items in  
the menu.html file according to the user who is  
logged in.  
  
For this reason, a minimal user can directly request  
any page that is part of the web interface,  
bypassing the "pseudo restrictions" of the access role.  
  
Exploiting any of these flaws requires the  
credentials of a minimal account.  
  
Vuln 1 => Access control error  
  
A user who logs in to the non-administrator account  
(username "user", password "user") can only update  
the firmware, manage SNMP, view some status in the  
router and run diagnostics on ADSL connectivity.  
This user is apparently "restricted" from taking  
other actions.  
  
In this firmware version the router has an access  
control error: a user without privileges  
(user/user) can access all functions by making  
a direct request to the relevant file or  
function.  
  
Example:  
  
This user has no access to manage the router setup,  
but by entering http://192.168.1.1/wancfg.cmd  
he can configure the WAN settings.  
  
Download the config =>  
http://192.168.1.1/backupsettings.html  
  
View the wireless key =>  
http://192.168.1.1/wlsecurity.html  
  
  
  
Vuln 2 => Clear text admin passwords disclosure  
  
Log in to the router with the user/user account,  
open http://192.168.1.1/password.html  
and view the source code.  
  
In the source we find:  
  
=======================  
pwdAdmin = 'admin';  
pwdSupport = 'support';  
pwdUser = 'user';  
=======================  
  
  
###############  
Versions  
###############  
  
Comtrend HG536+  
firmware A101-302JAZ-C03_R14.A2pB021g.d15h  
  
##############  
Solution  
#############  
  
No solution was available at this time.  
  
By default this router is configured to  
deny access from WAN connections,  
but this style of attack can be carried out if any  
user is inside the LAN or if access from  
the WAN is enabled.  
  
Configure the router to deny WAN connections and  
grant access to the device only to trusted users.  
  
################# €nd #############  
--   
Sincerely:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what makes the mind move....  
`
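
The advisory traces both flaws to 'menuBcm.js' hiding menu items while the device answers any direct page request. The following added example (not from the advisory or from Comtrend's firmware) contrasts that pattern with a deny-by-default check enforced on every request; the policy table, the `/info.html` page and all function names are assumptions.

```javascript
// Added example, not Comtrend firmware code. Role names and the four page
// paths come from the advisory; the policy table, /info.html and all
// function names are assumptions made for illustration.
const ROLE_RANK = { user: 1, support: 2, admin: 3 };
const knownRole = (r) => Object.prototype.hasOwnProperty.call(ROLE_RANK, r);

// Minimum role per page (assumed policy). Anything not listed is denied.
const PAGE_POLICY = new Map([
  ['/wancfg.cmd', 'admin'],
  ['/backupsettings.html', 'admin'],
  ['/wlsecurity.html', 'admin'],
  ['/password.html', 'admin'],
  ['/info.html', 'user'],
]);

// Flawed pattern: the role only decides which menu links are displayed...
function menuFor(role) {
  if (!knownRole(role)) return [];
  return [...PAGE_POLICY]
    .filter(([, min]) => ROLE_RANK[role] >= ROLE_RANK[min])
    .map(([path]) => path);
}
// ...while the handler serves any page to any logged-in role (url is ignored).
function serveMenuOnly(role, url) {
  return knownRole(role) ? 200 : 401;
}

// Reduce a request URL to one canonical path so query strings, percent
// encoding, duplicate slashes or letter case cannot dodge the policy lookup.
function canonicalPath(url) {
  let path;
  try { path = decodeURIComponent(String(url).split(/[?#]/)[0]); } catch { return null; }
  if (/\.\.|\\|\0/.test(path)) return null;
  return path.replace(/\/{2,}/g, '/').toLowerCase();
}

// Hardened pattern: the same policy is enforced server side on every request.
function serveEnforced(role, url) {
  if (!knownRole(role)) return 401;                     // not authenticated
  const path = canonicalPath(url);
  const min = path === null ? undefined : PAGE_POLICY.get(path);
  if (min === undefined) return 404;                    // unknown page: deny
  return ROLE_RANK[role] >= ROLE_RANK[min] ? 200 : 403; // role too low
}
```

With the hardened handler, hiding menu entries becomes a usability feature only: the authorization decision no longer depends on what the browser chooses to show.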
