Topic: Multiple Vulnerabilities on "Cablemodem Motorola SBG900" (Read 5,228 times)
Preth00nker

Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
« on: 1 May 2010, 22:05 »

////////////////////////////////////////////////////////////////////////////////
///////       Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
///////                       preth00nker[at]gmail.com
///////                  By preth00nker .. Using Mexican Skill :]
///////
////////////////////////////////////////////////////////////////////////////////


   [Introduction]

>>Quoted from http://broadband.motorola.com/consumers/products/sbg900/
"The Surfboard(R) SBG wireless cable modem gateway offers a fast and secure
connection, with the convenience and flexibility of wireless networking all in
one, Roam throughout home or office without losing your network connection."


   [Features]

This modem offers an administration web page where the current configuration is
shown and edited. It can be accessed through a conventional web browser on port
80 at the URL http://192.168.0.1 (default).


   [The validation]

This portal requires an administrator account. Upon successful authentication a
unique session ID is issued; it has an expiration time limit, but it is not
tracked per client machine (as a cookie or something similar).


   [The input validation error]

An attacker can take advantage of a bad input validation vulnerability in the
hostname field. Anyone can change their hostname, for example in Linux by editing
the file /etc/hostname. This is reflected in the modem administration page
in Gateway/status.


   [Vulnerabilities]

- HTML injection
- XSS
- XSRF
- Not enough Session/Source validation


   [PoCs]

- HTML injection
Editing /etc/hostname (on my box) and adding something like:
   "<H1>Hellow-world"

- XSS
By inspecting the source code of the Gateway/status page we can see that the
injected string is reflected in 2 places. It first passes through a JavaScript
function that prints the string in a table, so the HTML injection is visible in
the table, and the XSS can be invoked from the original function. Try:
   "+window.location.search+" (using quotes)

- XSRF
If we use the previous string we will take the arguments of the current page; we
can see the session ID printed in the table, and it could be used in some illicit
GET/POST request.

- Not enough Session/Source validation
Once we get the session ID, we could just use our session from another machine
like this:
   http://192.168.0.1/left.asp?sessionId=xxxxx


   [Confirmed Affected versions (firmware)]

Model: SURFboard SBG900
Software version: SBG900-2.1.15.0-SCM00-NOSH
Hardware version: 3

Greets: hkm [hakim.ws], nitorus [nitr0us.blogspot.com]
   [EOF]
Follow the URL https://www.underground.org.mx/index.php?action=dlattach;topic=25186.0;attach=3037 to get the PoC.
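Added example, not code from the original post or from the device firmware: a defensive rendering of the LAN hostname the post describes, with an allow-list check on the hostname followed by separate output encoding for the two contexts the post mentions (the HTML table cell and the JavaScript string the value is passed through). All function names, including the `showHost()` script call, are assumptions for illustration.

```python
import html
import json
import re

# RFC 1123 host label: letters, digits, hyphens; 1-63 chars; no edge hyphens.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check for a hostname learned from a LAN client.
    Markup and quote characters can never pass, so the HTML and JavaScript
    strings quoted in the post are rejected before they are stored or shown.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.rstrip(".").split("."))


def html_cell(name: str) -> str:
    """Encode a hostname for the HTML context of a status-table cell."""
    return "<td>%s</td>" % html.escape(name, quote=True)


def js_string_literal(name: str) -> str:
    """Encode a hostname as a JavaScript string literal inside a <script>.

    json.dumps escapes quotes and backslashes, so the "+...+" trick cannot
    break out of the literal; '<' and '>' are escaped too, so the value can
    never close the enclosing <script> element early.
    """
    return json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")


def render_status_row(name: str) -> str:
    """Defensive status-page output (showHost() is a hypothetical page function).

    Validation is the first line of defence; per-context output encoding is
    the second and is applied even to names that passed validation.
    """
    shown = name if is_valid_hostname(name) else "(invalid hostname)"
    return "<tr>%s</tr><script>showHost(%s);</script>" % (
        html_cell(shown), js_string_literal(shown))


if __name__ == "__main__":
    # Constructed inputs modelled on the two strings quoted in the post.
    for sample in ["laptop-01", "<H1>Hellow-world", '"+window.location.search+"']:
        print(repr(sample), "valid:", is_valid_hostname(sample))
        print("   encoded anyway:", html_cell(sample), js_string_literal(sample))
```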
WHK
Global Moderator
Re: Multiple Vulnerabilities on "Cablemodem Motorola SBG900"
« Reply #1 on: 2 May 2010, 04:41 »

Uuuuuh, if we made a tutorial for every modem or router vulnerable to web attacks we would need a forum just for that xDDD; it's hard to find one of these devices without a WEB vulnerability.

But thanks a lot for the info anyway.