Hi, I'd like to inform you about a vulnerability in the Deutsche Telekom Speedport w700v DSL router. Currently it's the standard device that is shipped with new DSL contracts. I - TITLE Security advisory: Weaknesses in the login process of the web interface of the Speedport w700v DSL Router and Wireless LAN Access Point II - SUMMARY Description: A design flaw exists in the login process of the web interface of the Speedport w700v DLS Router and Wireless LAN Access Point of Deutsche Telekom that might lead to unauthorized access. Author: Michael Domberg (mdomberg at gmx dot li) Date: May 11th 2007 Severity: Medium References: http://www.devtarget.org/speedport700-advisory-05-2007.txt III - OVERVIEW The Speedport w700v is an ADSL/ADSL+ broadband router, Wireless LAN Access Point, 4-Port-Switch and telephone system with integrated firewall and advanced security features. More information about the product can be found online at http://www.t-com.de IV - DETAILS The Speedport firmware consists of some CGI-Scripts that interact with the hardware and some static html-pages as front-end. The login to the web interface is designed the same way. Upon submitting the system password (no username required...) the password is sent to a cgi-script that verifies the password with internal sources. If the verification is successful, the welcome screen of the interface is returned. If the verification failed the login screen is returned. To avoid brute force attacks, the login page contains some JavaScript that disables the input field for a certain amount of seconds. The first attempt is one second delayed, the second is two second delayed and any further attempt is delayed for the doubled amount of time of the previous one. So the 8th attempt requires the attacker to wait for about 4 minutes. By submitting the request directly to the underlying cgi-script and verifying the result page an attacker can circumvent this mechanism and perform multi-threaded brute-force attacks. V - ANALYSIS The severity of this vulnerability is to be considered "medium". The default password of the web interface is "0000". So users often choose a four-digit numeric password, too. The Speedport 700 series is one of the most-sold DSL modems, because it is the standard hardware for german DSL users of Deutsche Telekom. Users can prevent their modems from being exploited this way by disabling remote administration access (which is the default). VI - EXPLOIT CODE An PoC is available, but not published. VII - WORKAROUND/FIX Users have to disable remote administration access to prevent their routers from being exploited. The vendor doesn't seem to address this vulnerability. VIII - DISCLOSURE TIMELINE 22. February 2007 - Notified vendor of affected software 28. February 2007 - Vulnerability confirmed 11. May 2007 - Public disclosure Regards, Michael Domberg, www.devtarget.org