##
## VULNERABILITY:
##
## Belkin Wireless G Plus MIMO Router F5D9230-4
## Authentication Bypass Vulnerability
##
##
## AUTHOR:
##
## DarkFig < gmdarkfig (at) gmail (dot) com >
## http://acid-root.new.fr/?0:17
## #acidroot (at) irc.wordlnet (dot) com [email concealed]
##
##
## INTRODUCTION:
##
## I recently bought this router for my local
## network (without modem integrated), now I can tell
## that it was a bad choice. When my ISP disconnects
## me from internet, in the most case I have to reboot
## my Modem and the Router in order to reconnect.
## So I coded a program (which send http packets) to reboot
## my router, it asks me the router password, and reboots it.
## One day I wrote a bad password, but it worked. So I
## decided to make some tests in order to see if there was
## a vulnerability.
##
##
## DESCRIPTION:
##
## Apparently when we the router starts, it create a file
## (without content) named user.conf, then when we go to
## SaveCfgFile.cgi, the configuration is save to the file
## user.conf. But the problem is that we can access
## (and also change) to the file SaveCfgFile.cgi without
## login.
##
##
## PROOF OF CONCEPT:
##
## For example we can get the configuration file here:
## http://<ROUTER_IP>/SaveCfgFile.cgi
##
## pppoe_username=...
## pppoe_password=...
## wl0_pskkey=...
## wl0_key1=...
## mradius_password=...
## mradius_secret=...
## httpd_password=...
## http_passwd=...
## pppoe_passwd=...
##
##
## Tested on the latest firmware for this product
## (version 3.01.53).
##
##
## PATCH
##
## Actually there is no firmware update, but I contacted the
## author, if they'll release a patch, it will be available here:
## http://web.belkin.com/support/download/download.asp
## ?download=F5D9230-4&lang=1&mode=
##