
| Subject: | DSL-504T (and maybe many other) remote access without password bug |
|---|---|
| Date: | Thu, 26 May 2005 20:50:57 +0200 |
Device: CUSTOMER=DLinkEU MODEL=DSL-504T
Version: only tested with VERSION=V1.00B01T16.EU.20040217
Bugs: i) remote firmware upgrade without password
ii) config retrieval without password
Exploitation: remote
Date: 26/05/2005
Status: vendor not contacted
Workaround: disable remote web management
Author: Alessandro Audero

The Bug

DSL-504T is a D-Link router/ADSL modem with a Linux system on it based on MIPS 4KEc V4.8. This is the uname that I found on the device I tested:
Linux version 2.4.17_mvl21-malta-mips_fp_le (tiger@fd7.alphanetworks.com) (gcc version 2.95.3 20010315 (release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004
It supports a remote web management console, that at first sight asks for a username and a password. The URL should be something like this:
http://ipaddress/
and if you click on 'login' you'll get this other URL:
http://ipaddress/cgi-bin/webcm
that obviously tells you that you have typed in a wrong password. But if you look at the root cgi-bin dir, that is
http://ipaddress/cgi-bin/
you'll get a list of two files: one is webcm, the other is firmwarecfg. If you click on the latter one, you will be placed in a page where you are allowed to upgrade the router firmware, restart the router, download the current configuration or restore a previously saved conf.
There's another point in downloading the router configuration. In fact the management username and password are saved in clear text inside the XML file:

```xml
<security>
  <settings>
    <username>XXXXXXXXX</username>
    <password>XXXXXXXXX</password>
    ...
  </settings>
</security>
```

With this auth info you can log into the system using telnet and have a complete shell on that router.
Another issue can be found looking at another username/password section regarding ADSL connection settings:
<username>XXXXXXXXXX</username> <password>XXXXXXXXXX</password>
This can lead to email/web account security problems if the user uses this information also for his accounts (email for example), which is quite possible in case the Internet provider also provides email or web space.
That's all, folks.
Alessandro Audero
Misc: It is possible that this kind of bug could also be present in other routers implementing busybox that are configurable via http or thttp.
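The following audit script is an added example, not part of the original post or of D-Link's code: it parses a configuration export like the one described above and reports every cleartext password together with the section it lives in, then flags values reused across sections (the management/ISP credential reuse risk raised in the e-mail). The sample XML is constructed; the `<adsl>` section name and all credential values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the DSL-504T config export described above.
# Only <security><settings> comes from the advisory; the <adsl> section
# name, its layout and the credential values are assumptions.
SAMPLE_CONFIG = """<config>
  <security>
    <settings>
      <username>admin</username>
      <password>s3cret</password>
    </settings>
  </security>
  <adsl>
    <settings>
      <username>user@isp.example</username>
      <password>s3cret</password>
    </settings>
  </adsl>
</config>"""


def audit_config(xml_text):
    """Walk a config export and return (section path, value) for every
    <password> element holding a non-empty cleartext value."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent links, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for pw in root.iter("password"):
        value = (pw.text or "").strip()
        if not value:
            continue
        # Rebuild the element path so the report says where the secret lives.
        path, node = [], pw
        while node is not None and node is not root:
            path.append(node.tag)
            node = parents.get(node)
        findings.append(("/".join(reversed(path)), value))
    return findings


def reused_passwords(findings):
    """Group the paths that share one password value; any group larger
    than one means a credential is reused across sections."""
    by_value = {}
    for path, value in findings:
        by_value.setdefault(value, []).append(path)
    return [paths for paths in by_value.values() if len(paths) > 1]
```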