Sign-up

ID

VAR-200607-0446


CVE

CVE-2006-3561


TITLE

BT Voyager 2091 Wireless Vulnerabilities that bypass the authentication process in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2006-004062

DESCRIPTION

BT Voyager 2091 Wireless firmware 2.21.05.08m_A2pB018c1.d16d and earlier, and 3.01m and earlier, allow remote attackers to bypass the authentication process and gain sensitive information, such as configuration information via (1) /btvoyager_getconfig.sh, PPP credentials via (2) btvoyager_getpppcreds.sh, and decode configuration credentials via (3) btvoyager_decoder.c. BT Voyager is prone to authentication-bypass vulnerabilities. These issues are due to a flaw in the authentication process of the affected application. Exploiting these issues may allow attackers to gain unauthorized, remote access to the application's administrative functions. BT Voyager 2091 Wireless ADSL, Firmware 2.21.05.08m_A2pB018c1.d16d, and Firmware 3.01m are reported vulnerable; other versions may also be affected. NOTE: Other precise reports have related to the \"psiBackupInfo\" and \"connect.html\" files, but these vectors were not clear in the original disclosure. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Reversing must be a passion as your skills will be challenged on a daily basis and you will be working several hours everyday in IDA, Ollydbg, and with BinDiff. Often, it is also required that you write a PoC or even a working exploit to prove that an issue is exploitable. The problem is caused due to missing authentication checks when accessing the "psiBackupInfo" and "connect.html" files. Other versions may also be affected. SOLUTION: Filter traffic to affected devices. PROVIDED AND/OR DISCOVERED BY: pagvac ORIGINAL ADVISORY: http://ikwt.dyndns.org/projects/btvoyager-getconfig.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.34

sources: NVD: CVE-2006-3561 // JVNDB: JVNDB-2006-004062 // BID: 19057 // BID: 82222 // VULHUB: VHN-19669 // PACKETSTORM: 48132

AFFECTED PRODUCTS

vendor:btmodel:voyager 2091 wireless adsl routerscope:lteversion:2.21.05.08m_a2pb018c1.d16d

Trust: 1.8

vendor:btmodel:voyager 2091 wireless adsl routerscope:lteversion:3.01m

Trust: 1.8

vendor:btmodel:voyager 2091 wireless adsl routerscope:eqversion:3.01m

Trust: 0.6

vendor:btmodel:voyager 2091 wireless adsl routerscope:eqversion:2.21.05.08m_a2pb018c1.d16d

Trust: 0.6

vendor:btmodel:voyager wireless adsl routerscope:eqversion:20910

Trust: 0.3

vendor:btmodel:3.01mscope: - version: -

Trust: 0.3

vendor:btmodel:2.21.05.08m a2pb018cscope: - version: -

Trust: 0.3

vendor:btmodel:voyager wireless adsl router 3.01mscope:eqversion:2091

Trust: 0.3

vendor:btmodel:voyager wireless adsl router 2.21.05.08m a2pb018cscope:eqversion:2091

Trust: 0.3

sources: BID: 19057 // BID: 82222 // JVNDB: JVNDB-2006-004062 // CNNVD: CNNVD-200607-199 // NVD: CVE-2006-3561

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-3561
value: MEDIUM

Trust: 1.0

NVD: CVE-2006-3561
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200607-199
value: MEDIUM

Trust: 0.6

VULHUB: VHN-19669
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2006-3561
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-19669
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-19669 // JVNDB: JVNDB-2006-004062 // CNNVD: CNNVD-200607-199 // NVD: CVE-2006-3561

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-19669 // JVNDB: JVNDB-2006-004062 // NVD: CVE-2006-3561

THREAT TYPE

network

Trust: 0.6

sources: BID: 19057 // BID: 82222

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-200607-199

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2006-004062

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-19669

EXTERNAL IDS
db:NVDid:CVE-2006-3561
Trust: 2.8
db:BIDid:19057
Trust: 2.0
db:SECUNIAid:20982
Trust: 1.8
db:VUPENid:ADV-2006-2734
Trust: 1.7
db:JVNDBid:JVNDB-2006-004062
Trust: 0.8
db:CNNVDid:CNNVD-200607-199
Trust: 0.7
db:BUGTRAQid:20080301 THE ROUTER HACKING CHALLENGE IS OVER!
Trust: 0.6
db:BUGTRAQid:20060716 UNAUTHENTICATED ACCESS TO BT VOYAGER CONFIG FILE AND PPP CREDENTIALS EMBEDDED IN HTML FORM
Trust: 0.6
db:FULLDISCid:20060708 UNAUTHENTICATED ACCESS TO BT VOYAGER CONFIG FILE
Trust: 0.6
db:XFid:27652
Trust: 0.6
db:BIDid:82222
Trust: 0.4
db:EXPLOIT-DBid:2034
Trust: 0.1
db:VULHUBid:VHN-19669
Trust: 0.1
db:PACKETSTORMid:48132
Trust: 0.1
sources:
            
            
            VULHUB: VHN-19669 // 
            
            
            
            BID: 19057 // 
            
            
            
            BID: 82222 // 
            
            
            
            JVNDB: JVNDB-2006-004062 // 
            
            
            
            PACKETSTORM: 48132 // 
            
            
            
            CNNVD: CNNVD-200607-199 // 
            
            
            
            NVD: CVE-2006-3561

REFERENCES
url:http://lists.grok.org.uk/pipermail/full-disclosure/2006-july/047733.html
Trust: 2.0
url:http://ikwt.dyndns.org/projects/btvoyager-getconfig.txt
Trust: 1.8
url:http://www.securityfocus.com/bid/19057
Trust: 1.7
url:http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-3/
Trust: 1.7
url:http://www.gnucitizen.org/projects/router-hacking-challenge/
Trust: 1.7
url:http://secunia.com/advisories/20982
Trust: 1.7
url:http://www.securityfocus.com/archive/1/440405/100/0/threaded
Trust: 1.1
url:http://www.securityfocus.com/archive/1/489009/100/0/threaded
Trust: 1.1
url:http://www.vupen.com/english/advisories/2006/2734
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/27652
Trust: 1.1
url:http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded
Trust: 0.9
url:http://www.securityfocus.com/archive/1/archive/1/440405/100/0/threaded
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3561
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-3561
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/27652
Trust: 0.6
url:http://www.frsirt.com/english/advisories/2006/2734
Trust: 0.6
url:http://www.voyager.bt.com/
Trust: 0.3
url:/archive/1/440405
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/product/10969/
Trust: 0.1
url:http://secunia.com/advisories/20982/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-19669 // 
            
            
            
            BID: 19057 // 
            
            
            
            BID: 82222 // 
            
            
            
            JVNDB: JVNDB-2006-004062 // 
            
            
            
            PACKETSTORM: 48132 // 
            
            
            
            CNNVD: CNNVD-200607-199 // 
            
            
            
            NVD: CVE-2006-3561

CREDITS
pagvacito <unknown.pentester@gmail.com> reported these vulnerabilities.
Trust: 0.3
sources:
            
            
            BID: 19057

SOURCES
db:VULHUBid:VHN-19669
db:BIDid:19057
db:BIDid:82222
db:JVNDBid:JVNDB-2006-004062
db:PACKETSTORMid:48132
db:CNNVDid:CNNVD-200607-199
db:NVDid:CVE-2006-3561

LAST UPDATE DATE
2024-08-14T12:37:14.182000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-19669date:2018-10-18T00:00:00
db:BIDid:19057date:2006-07-19T22:27:00
db:BIDid:82222date:2006-07-12T00:00:00
db:JVNDBid:JVNDB-2006-004062date:2014-03-11T00:00:00
db:CNNVDid:CNNVD-200607-199date:2006-07-19T00:00:00
db:NVDid:CVE-2006-3561date:2018-10-18T16:47:59.863

SOURCES RELEASE DATE
db:VULHUBid:VHN-19669date:2006-07-13T00:00:00
db:BIDid:19057date:2006-07-18T00:00:00
db:BIDid:82222date:2006-07-12T00:00:00
db:JVNDBid:JVNDB-2006-004062date:2014-03-11T00:00:00
db:PACKETSTORMid:48132date:2006-07-12T07:20:23
db:CNNVDid:CNNVD-200607-199date:2006-07-12T00:00:00
db:NVDid:CVE-2006-3561date:2006-07-13T01:05:00