"The Siemens Santis 50 Wireless router is a wi-fi (802.11b) ADSL router. It's a complete system for home and small business networks in a single device."
A special reset request for the Siemens SANTIS 50 router allows attackers to retrieve information from the router.
Vulnerable Systems:
* Siemens SANTIS 50 with firmware 4.2.8.0
* Ericsson HN294dp with firmware 4.2.8.0 (OEM version)
* Dynalink RTA300W with firmware 4.2.8.0 (OEM version)
The mentioned routers provides a web management interface and the classic telnet CLI for administration purposes. By default these services are available only from the local network, but can be optionally activated also on the WAN interface.
Sending a trigger packet to the management port (280/http-mgmt) can be used to "freezes" the web interface, which in turn allows unauthenticated connection with the telnet CLI.
This behavior appears to be some sort of "disaster recovery mode". The set of available commands is limited to a few, but they are enough to allow attackers to discover information about the configuration of the device and its connections (events, traffic, Ethernet addresses configuration, etc). In addition, a command that allows to "irreversibly erase FLASH contents" is made available.
Proof of Concept:
A simple exploit is to use the application scanner AMAP to scan the remote host's web port causing it to freeze.
