SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability


Arrow  SecurityAlert : 3566
Arrow  CVE : CVE-2008-0403
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Given : Yes
Arrow  Credit : darkfig
Arrow  Published : 23.01.2008

Arrow  Affected Software : Belkin Wireless G Plus MIMO Router



Arrow  Advisory Text :  

##

## VULNERABILITY:

##

## Belkin Wireless G Plus MIMO Router F5D9230-4

## Authentication Bypass Vulnerability

##

##

## AUTHOR:

##

## DarkFig < gmdarkfig (at) gmail (dot) com >

## http://acid-root.new.fr/?0:17

## #acidroot (at) irc.wordlnet (dot) com [email concealed]

##

##

## INTRODUCTION:

##

## I recently bought this router for my local

## network (without modem integrated), now I can tell

## that it was a bad choice. When my ISP disconnects

## me from internet, in the most case I have to reboot

## my Modem and the Router in order to reconnect.

## So I coded a program (which send http packets) to reboot

## my router, it asks me the router password, and reboots it.

## One day I wrote a bad password, but it worked. So I

## decided to make some tests in order to see if there was

## a vulnerability.

##

##

## DESCRIPTION:

##

## Apparently when we the router starts, it create a file

## (without content) named user.conf, then when we go to

## SaveCfgFile.cgi, the configuration is save to the file

## user.conf. But the problem is that we can access

## (and also change) to the file SaveCfgFile.cgi without

## login.

##

##

## PROOF OF CONCEPT:

##

## For example we can get the configuration file here:

## http://<ROUTER_IP>/SaveCfgFile.cgi

##

## pppoe_username=...

## pppoe_password=...

## wl0_pskkey=...

## wl0_key1=...

## mradius_password=...

## mradius_secret=...

## httpd_password=...

## http_passwd=...

## pppoe_passwd=...

##

##

## Tested on the latest firmware for this product

## (version 3.01.53).

##

##

## PATCH

##

## Actually there is no firmware update, but I contacted the

## author, if they'll release a patch, it will be available here:

## http://web.belkin.com/support/download/download.asp

## ?download=F5D9230-4â&#140;&#169;=1&mode=

##





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.