0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
D-Link DIR-615 revD, DIR-320, DIR-300 Authentication Bypass
======================================================== D-Link Router Models Authentication Bypass Vulnerability ======================================================== # Exploit Title: Multiple D-Link Router Authentication Bypass Vulnerabilities # Date: 12-01-2011 # Author: Craig Heffner, /dev/ttyS0 # Firmware Link: http://www.dlink.co.uk/ # Firmware Version(s): All # Tested on: DIR-300, DIR-320, DIR-615 revD Multiple D-Link routers that use a PHP based Web interface suffer from the same authentication bypass vulnerability which allows unprivileged users to view and modify administrative router settings. Further, even if remote administration is disabled this vulnerability can be exploited by a remote attacker via a CSRF attack. The vulnerability has been confirmed in the following routers: DIR-615 revD DIR-320 DIR-300 The following example URL will allow access to the router's main administrative Web page without authentication: http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0 Vulnerability Description The affected routers use a PHP based Web interface for administrative management of the device. The Web interface takes advantage of the register_globals feature of PHP to pass and process GET and POST arguments [2]. By default, all pages in the Web interface require authentication, however, certain pages – such as the login page – must be accessed prior to authentication. In order for these pages to opt out of the authentication requirement, they set a PHP variable, NO_NEED_AUTH: <? /* vi: set sw=4 ts=4: */ $MY_NAME ="login_fail"; $MY_MSG_FILE=$MY_NAME.".php"; $NO_NEED_AUTH="1"; $NO_SESSION_TIMEOUT="1"; require("/www/model/__html_head.php"); ?> The __html_head.php file requires the __auth_check.php file which enforces authentication to the device: <? /* vi: set sw=4 ts=4: */ if ($NO_NEED_AUTH!="1") { /* for POP up login. */ // require("/www/auth/__authenticate_p.php"); // if ($AUTH_RESULT=="401") {exit;} /* for WEB based login */ require("/www/auth/__authenticate_s.php"); if($AUTH_RESULT=="401") {require("/www/login.php"); exit;} if($AUTH_RESULT=="full") {require("/www/session_full.php"); exit;} if($AUTH_RESULT=="timeout") {require("/www/session_timeout.php"); exit;} $AUTH_GROUP=fread("/var/proc/web/session:".$sid."/user/group"); } require("/www/model/__lang_msg.php"); ?> The __auth_check.php script first checks to see if NO_NEED_AUTH has been set to 1. If so, the authentication checks are bypassed completely. Else, it validates that the requesting browser has been successfully authenticated, and sets AUTH_GROUP to the appropriate privilege level (0 for administrator). However, because the NO_NEED_AUTH and AUTH_GROUP values are not initialized by other administrative pages, they can be set as GET or POST variables thanks to the register_globals PHP feature. By setting NO_NEED_AUTH to 1 and AUTH_GROUP to 0, users can gain administrative access to the router's Web interface. Proof of Concept The following example URL will allow access to the router's main administrative Web page without authentication: http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0 Potential For Exploitation This vulnerability allows anyone with access to the Web interface to view and edit administrative router settings. Further, even if remote administration is disabled on the router, a remote attack can still exploit this vulnerability via a cross site request forgery attack. Since both GET and POST requests are accepted by the router, a simple image tag embedded in an HTML page can be used to change the router's settings as soon as a user inside the local network views the Web page. Vulnerability Impact The known affected routers appear to be primarily sold in Europe and Asia, and many can be found via the Shodan search engine [3]. The DIR-615 is perhaps the most notable, as it is the same wireless router distributed to Virgin Media broadband customers, which potentially puts many of their customer networks at risk [4]. It should be noted that other D-Link routers that use PHP based Web interfaces may also be affected. Mitigations There are no know mitigations or fixes at the time of this writing. Disclosure History 17-Jul-2010 Vulnerability discovered 02-Aug-2010 Vendor notified 02-Dec-2010 No response from vendor, vulnerability released For a more detailed description of the vulnerability, see: http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf. Note that this vulnerability was independently discovered in the DIR-300 and subsequently reported by Karol Celin on 09-Nov-2010 [1]. [1] http://www.securityfocus.com/archive/1/514687/30/120/threaded # 0day.today [2024-12-25] #