CVE-2006-0947 in SpeedTouchinfo

Summary

by MITRE

Thomson SpeedTouch modem running firmware 5.3.2.6.0 allows remote attackers to create users that cannot be deleted via scripting code in the "31" parameter in a NewUser function, which is not filtered by the modem when creating the account, but cannot be deleted by the administrator, possibly due to cleansing that occurs in the administrator interface.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/09/2025

The CVE-2006-0947 vulnerability affects Thomson SpeedTouch modems running firmware version 5.3.2.6.0, presenting a significant security flaw in user account management that enables persistent unauthorized access. This vulnerability resides in the modem's web-based administrative interface where the NewUser function processes user creation requests. The flaw specifically manifests through the "31" parameter in the NewUser function, which serves as a critical input field for account creation. The vulnerability stems from inadequate input validation and sanitization within the modem's firmware, creating a pathway for remote attackers to exploit the system's user management capabilities.

The technical implementation of this vulnerability involves the modem's failure to properly filter or validate the "31" parameter during user account creation. When an attacker submits malicious script code through this parameter, the modem accepts the input without proper sanitization, allowing the creation of user accounts that are subsequently protected from deletion by the system's administrative interface. This creates a persistent backdoor within the network infrastructure, as the administrator interface lacks the capability to remove these specially crafted user accounts. The vulnerability operates at the application layer, affecting the modem's web server implementation and its user authentication mechanisms.

The operational impact of this vulnerability extends beyond simple privilege escalation, creating a persistent threat vector that undermines network security posture. Attackers can leverage this flaw to establish long-term access to the modem's administrative functions, potentially compromising network configuration, monitoring traffic, or using the device as a pivot point for further attacks. The persistence of these accounts means that even if administrators attempt to clean up compromised systems, the malicious accounts remain accessible, creating a continuous security risk. This vulnerability particularly affects enterprise and residential networks where modems serve as primary network access points, potentially exposing entire networks to unauthorized access and control.

This vulnerability aligns with CWE-20, which addresses improper input validation, and demonstrates characteristics similar to CWE-77, which covers command injection vulnerabilities. The flaw also relates to ATT&CK technique T1078.004, which involves valid accounts used for persistence, and T1566, which covers spearphishing with a malicious attachment. Organizations should implement immediate mitigation strategies including firmware updates from Thomson, network segmentation to isolate affected devices, and regular monitoring of user accounts for unauthorized additions. The vulnerability highlights the critical importance of input validation in embedded systems and web applications, particularly in network infrastructure devices where persistent access can have severe consequences for overall network security.

The remediation approach requires comprehensive network inventory assessment to identify all affected Thomson SpeedTouch modems, followed by immediate firmware upgrades to versions that address the input validation flaw. Network administrators should also implement strict access controls and monitoring of user account creation activities to detect potential exploitation attempts. Additionally, organizations should consider disabling unnecessary web management interfaces and implementing network access controls that limit administrative access to trusted networks only. Regular security assessments of network infrastructure devices remain crucial to identify similar vulnerabilities in other embedded systems that may pose comparable risks to network security.

Reservation

03/01/2006

Disclosure

02/28/2006

Moderation

accepted

Entry

VDB-28951

CPE

ready

Exploit

Download

EPSS

0.02623

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!