In my previous post, I mentioned, as an aside, a remotely exploitable WAN-side CWMP/TR-069 vulnerability in Technicolor ADSL residential gateways, a vulnerability affecting the customers of many foreign ISPs. This has generated some interest from folks who wish to use the vulnerability to ‘unlock’ their ISP-provided gateways for custom configuration and whatnot, but it’s overkill for doing that. I’ll tell you precisely how to ‘unlock’ the gateway by using a LAN-side vulnerability in the latest firmware (if for nothing else than to disable the CWMP/TR-069 daemon), and then I’ll give you some hints on the CWMP/TR-069 vulnerability.
