Friday, May 6, 2011

Globe Wired DSL Vulnerability

I was fooling around with my modem from Globe DSL when I stumbled upon an annoying security hole in Globe's wired DSL service.
Here's how it works.
Normally, to access the web based config page of your modem you'll have to access it through 192.168.0.1
now, your modem once connected to Globe's network is also assigned an IP address. ex. 180.xxx.xxx.0
take note this is different from your Public IP which usually starts with 120.xxx.xxx.xxx

This got me a bit curious, that if I could access my own config page using the modem's IP address then maybe I could access the same config page of other subscribers.

So I created a multi threaded app that does an http web request to a specific IP range and this is what I got.




















from 1 - 64, 3 subscribers that gave an http response.

let's check subscriber #1















Here's #2















and here's #3



















and here's the app. (removing the ip address of course.) take note, this is a very crude implementation and would do 64 threads by default (would've gone higher but apparently there's an
undocumented limit to how WaitHandle.WaitAll could only handle 64 threads at a time and since this is just a testing app that I didn't bother to find a work around

now, what can you do that you can access other people's modems? change their settings, account info, lock them out of their internet service etc...
and why didn't globe fix this vulnerability to their subscribers? I'm guessing so they could easily access it when they are troubleshooting their modems. however it wouldn't hurt
to at least have a basic username / password challenge first :/


Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)