[waraxe-2012-SA#090] - Insecure SSL Connection in Thomson SpeedTouch ST780
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-90.html


Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hardware: Thomson SpeedTouch ST780
Software Release: 7.4.4.7

###############################################################################
Insecure SSL Connection vulnerability in Thomson SpeedTouch ST780
###############################################################################

Let's assume, that we use Thomson SpeedTouch ST780 administration interface
over HTTPS connection. Whole traffic is encrypted and hard to eavesdrop or
modify by third party. Now let's click "Help" link in upper right corner.
New window pops up, containing contextual help:

https://192.168.1.254/helpfiles/b_index.htm?anchor=b_ST

I'm using Firefox 15.0.1 and it will complain about security:

"Your connection to this site is only partially encrypted, and does not prevent
eavesdropping."

So what's the matter? Let's have a look at the source code:
------------------------[ source code start ]----------------------------------
<html>
<head>
	<title>THOMSON ST Help</title>
	<meta http-equiv="pragma" content="no-cache">
	<meta http-equiv="expires" content="-1">
	<script type="text/javascript" src="anchors.js"></script>
	<script type="text/javascript">
		build='7.4.4.7';
		fehLocation=build.split(".");
		fehLocation.pop();
		document.write('<script type="text/javascript" src="
		  http://downloads.thomson.net/telecom/documentation/common/STFEH/R'
		    +fehLocation.join("")+'/RES/en/anchors.js"><\/script>');
		prodName='SpeedTouch';
		prodNumber='780';
		buildVariant='--';
		boardName='BANT-R';
		companyName='THOMSON';
	</script>
	<script type="text/javascript" src="main.js"></script>	
</head>
<noscript>
	Your browser is not Javascript-enabled. Some of the functions on this page
    	will not work! 
</noscript>
</html>
------------------------[ source code end ]------------------------------------


Actual HTTP request as seen by "Live HTTP Headers" Add-on:
----------------------------------------------------------
http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js

GET /telecom/documentation/common/STFEH/R744/RES/en/anchors.js HTTP/1.1
Host: downloads.thomson.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
----------------------------------------------------------


We can see, that javascript file is fetched over insecure HTTP communication
channel and then executed within HTTPS-enabled webpage. If there is attacker,
who can eavesdrop and modify communications between client and router, then
it's possible to use forged DNS reply and subsequently deliver to the client
arbitrary javascript. Such malicious javascript payload is able to change
router's configuration or steal sensitive information like WPA keys.


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------