ID

VAR-200710-0018


CVE

CVE-2007-5383


TITLE

Vulnerability in the Thomson/Alcatel SpeedTouch 7G router used in the BT Home Hub that allows administrator access to be gained

Trust: 0.8

sources: JVNDB: JVNDB-2007-002762

DESCRIPTION

The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allows remote attackers on an intranet to bypass authentication and gain administrative access via vectors including a '/' (slash) character at the end of the PATH_INFO to cgi/b, aka "double-slash auth bypass." NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues.

BT Home Hub and SpeedTouch 7G are both home wireless Internet routers. Multiple security vulnerabilities exist in BT Home Hub and SpeedTouch 7G routers, allowing malicious users to perform cross-site scripting, cross-site request forgery, and script injection attacks, or to bypass certain security restrictions.

1) Input validation errors when processing URLs may allow attackers to access and change password-protected resources, such as configuration and settings pages, through specially crafted URLs containing two slashes.
2) The login user name is not properly filtered before it is recorded in the log, which may allow the injection of arbitrary HTML and script code. If the user browses the log, the code is executed in the user's browser session.
3) Input to the name parameter is not properly filtered, so arbitrary HTML and script code may be executed in the user's browser session.
4) Input to the url parameter in the cgi/b/ic/connect/ file is not properly filtered, which may result in the execution of arbitrary HTML and script code in the user's browser session.
5) The device does not perform validity checks on user requests, allowing users to perform certain operations through HTTP requests. If the logged-in administrator visits a malicious site, this may cause the administrator password to be changed.
6) Users can directly access certain pages, such as the Wireless Security page, through the URL without authentication.
7) The administrative user can save the backup or load the configuration file through the URL, although these files should only be accessed by the tech account.

Successful exploits of many of these issues will allow an attacker to completely compromise the affected device. NOTE: '/' (slash) vectors are covered by CVE-2007-5383.

Trust: 2.52

sources: NVD: CVE-2007-5383 // JVNDB: JVNDB-2007-002762 // CNVD: CNVD-2007-5927 // BID: 25972 // VULHUB: VHN-28745

AFFECTED PRODUCTS

vendor:bt, model:home hub, scope:lte, version:6.2.6.b

Trust: 1.8

vendor:alcatel, model:speedtouch 7g router, scope:eq, version:*

Trust: 1.0

vendor:alcatel lucent, model:speedtouch 7g router, scope: -, version: -

Trust: 0.8

vendor:none, model: -, scope: -, version: -

Trust: 0.6

vendor:alcatel, model:speedtouch 7g router, scope: -, version: -

Trust: 0.6

vendor:thomson, model:tg585 router, scope:eq, version:0

Trust: 0.3

vendor:bt, model:home hub .b, scope:eq, version:6.2.6

Trust: 0.3

vendor:bt, model:home hub, scope:eq, version:6.2.2.6

Trust: 0.3

vendor:bt, model:home hub, scope:eq, version:0

Trust: 0.3

vendor:alcatel, model:speedtouch 7g, scope: -, version: -

Trust: 0.3

sources: CNVD: CNVD-2007-5927 // BID: 25972 // JVNDB: JVNDB-2007-002762 // NVD: CVE-2007-5383 // CNNVD: CNNVD-200710-197

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2007-5383
value: HIGH

Trust: 1.8

CNNVD: CNNVD-200710-197
value: CRITICAL

Trust: 0.6

VULHUB: VHN-28745
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: TRUE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2007-5383
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-28745
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-28745 // JVNDB: JVNDB-2007-002762 // NVD: CVE-2007-5383 // CNNVD: CNNVD-200710-197

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-28745 // JVNDB: JVNDB-2007-002762 // NVD: CVE-2007-5383

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200710-197

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-200710-197

CONFIGURATIONS

sources: NVD: CVE-2007-5383

PATCH

title:Top Page, url:http://www.alcatel-lucent.com/alcatel/

Trust: 0.8

title:Top Page, url:http://www.bt.com/

Trust: 0.8

sources: JVNDB: JVNDB-2007-002762

EXTERNAL IDS

db:NVD, id:CVE-2007-5383

Trust: 3.4

db:BID, id:25972

Trust: 2.0

db:SREASON, id:3213

Trust: 1.7

db:JVNDB, id:JVNDB-2007-002762

Trust: 0.8

db:CNVD, id:CNVD-2007-5927

Trust: 0.6

db:BUGTRAQ, id:20080301 THE ROUTER HACKING CHALLENGE IS OVER!

Trust: 0.6

db:BUGTRAQ, id:20071008 BT HOME FLUB: PWNIN THE BT HOME HUB

Trust: 0.6

db:XF, id:41271

Trust: 0.6

db:CNNVD, id:CNNVD-200710-197

Trust: 0.6

db:VULHUB, id:VHN-28745

Trust: 0.1

sources: CNVD: CNVD-2007-5927 // VULHUB: VHN-28745 // BID: 25972 // JVNDB: JVNDB-2007-002762 // NVD: CVE-2007-5383 // CNNVD: CNNVD-200710-197

REFERENCES

url:http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub

Trust: 2.0

url:http://www.theregister.co.uk/2007/10/09/bt_home_hub_vuln/

Trust: 2.0

url:http://www.securityfocus.com/bid/25972

Trust: 1.7

url:http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-1/

Trust: 1.7

url:http://www.gnucitizen.org/projects/router-hacking-challenge/

Trust: 1.7

url:http://securityreason.com/securityalert/3213

Trust: 1.7

url:http://www.securityfocus.com/archive/1/481835/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/489009/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/41271

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5383

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5383

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/41271

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/481835/100/0/threaded

Trust: 0.6

url:http://www.homehub.bt.com/

Trust: 0.3

url:http://www.gnucitizen.org/blog/call-jacking

Trust: 0.3

url:http://www.thomson.net/en/home/minisites/bap/telecom/subcategory.html?category=dsl%20modems

Trust: 0.3

url:/archive/1/481835

Trust: 0.3

url:/archive/1/486081

Trust: 0.3

url:/archive/1/517314

Trust: 0.3

sources: VULHUB: VHN-28745 // BID: 25972 // JVNDB: JVNDB-2007-002762 // NVD: CVE-2007-5383 // CNNVD: CNNVD-200710-197

CREDITS

Adrian Pastor※ m123303@richmond.ac.uk

Trust: 0.6

sources: CNNVD: CNNVD-200710-197

SOURCES

db:CNVD, id:CNVD-2007-5927
db:VULHUB, id:VHN-28745
db:BID, id:25972
db:JVNDB, id:JVNDB-2007-002762
db:NVD, id:CVE-2007-5383
db:CNNVD, id:CNNVD-200710-197

LAST UPDATE DATE

2023-12-18T11:39:48.732000+00:00


SOURCES UPDATE DATE

db:CNVD, id:CNVD-2007-5927, date:2007-10-08T00:00:00
db:VULHUB, id:VHN-28745, date:2018-10-15T00:00:00
db:BID, id:25972, date:2011-04-04T20:05:00
db:JVNDB, id:JVNDB-2007-002762, date:2012-06-26T00:00:00
db:NVD, id:CVE-2007-5383, date:2018-10-15T21:44:13.623
db:CNNVD, id:CNNVD-200710-197, date:2007-10-15T00:00:00

SOURCES RELEASE DATE

db:CNVD, id:CNVD-2007-5927, date:2007-10-08T00:00:00
db:VULHUB, id:VHN-28745, date:2007-10-12T00:00:00
db:BID, id:25972, date:2007-10-08T00:00:00
db:JVNDB, id:JVNDB-2007-002762, date:2012-06-26T00:00:00
db:NVD, id:CVE-2007-5383, date:2007-10-12T01:17:00
db:CNNVD, id:CNNVD-200710-197, date:2007-10-11T00:00:00