Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Vulnerabilities in Fibrehome HG110
From: David Fifield <david () bamsoftware com>
Date: Wed, 31 Jul 2013 19:23:32 -0700

On Mon, Jul 08, 2013 at 06:44:24AM -0500, Tom Sellers wrote:
On April 8th, 2011  Zerial ( fernando () zerial org ) published[1]
details of local file inclusion and directory traversal
vulnerabilities in the Fibrehome HG110 wireless gateway.  The
documentation below expands upon his findings and provides a technical
writeup of the impacts and vectors of these vulnerabilities.  The
attached script serves to provide concrete results from the
vulnerabilities
described.

Summary:   Authentication bypass and complete remote compromise via
HTTPS management interface in the default configuration of the
FiberHome residential wireless gateway.

If the attached script is suitable for inclusion I will rename and commit it.

Thanks, Tom, this looks like a good one.

Is this a typo ("Hareware")?
local _, _, hardware_ver = string.find(resp.body,"var G_HarewareVersion[%s]+= \"([^\"]+)\";")

The script should fail faster if one of its first requests doesn't work.
That is, if "/cgi-bin/webproc?getpage=../../../proc/version&var:menu=advanced&var:page=null"
doesn't work, it shouldn't continue on to try all the other tests.

The script should also not output anything if it didn't find any
information. Currently it's outputting some whitespace or something:

PORT     STATE SERVICE
8080/tcp open  http-proxy
|_vuln-fiberhome-hg-router:

        if hash == '$1$TW$yS.Dzi9LPS3wn0qUQMBEA1' then
          hash = hash .. "  ( password is support )"
          creds_service:add(user, 'support', creds.State.VALID )
        elseif hash == '$1$TW$dMolyCCNuy2WxyLJ.zUWv0' then
          hash = hash .. "  ( password is Need4$MVS.cl )"
          creds_service:add(user, 'Need4$MVS.cl', creds.State.VALID )
        elseif hash == '$1$TW$FxpXryiZeHo/n5Ad15bYI.' then
          hash = hash .. "  ( password is M0V15tar$$ )"
          creds_service:add(user, 'M0V15tar$$', creds.State.VALID )
        end

You should refactor this to use a hash→password table so as to reduce
duplication.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]