Menu

Search for hundreds of thousands of exploits

"Western Digital My Net Wireless Routers - Password Disclosure"

Author

Exploit author

"Kyle Lovett"

Platform

Exploit platform

hardware

Release date

Exploit published date

2013-08-02

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Vulnerable Systems:
Western Digital My Net Series Wireless Routers:
N600  Firmware 1.03.12
N600  Firmware 1.04.16

N750  Firmware 1.03.12
N750  Firmware 1.04.16

N900  Firmware 1.05.12
N900  Firmware 1.06.18
N900  Firmware 1.06.28

N900C Firmware 1.05.12
N900C Firmware 1.06.18
N900C Firmware 1.06.28

CVE 2013-5006
CWE-256 Plaintext Storage of a Password
CVSS Base Score    4.3
CVSS Impact Subscore     2.9
Cvss Expoit Score   8.6
(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)

Proof of concept:
curl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass'

which will give an output similar to this ex:
var pass="";

Details:
By sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.

During the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.

The vendor has not responded to any inquiries concerning the bug.

External Sources:
OSVDB - http://www.osvdb.org/show/osvdb/95519
CVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006
IBM xforce - http://xforce.iss.net/xforce/xfdb/85903
Bugtraq/SecList - http://www.securityfocus.com/archive/1/527433
Security Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006

Vendor's Network Router Product Pages:
http://www.wdc.com/en/products/network/routers/
http://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564
http://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436
http://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879
http://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950

Additional Notes/Fixes/Workarounds:

Firmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16.  Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.

N600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested. The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.

Discovered - 07-02-2013
Updated - 07-31-2013
Research Contact - K Lovett
Affiliation - SUSnet
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2018-08-15 "ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection" webapps cgi "Kyle Lovett"
2014-05-26 "D-Link Routers - Multiple Vulnerabilities" webapps hardware "Kyle Lovett"
2013-09-03 "Zoom Telephonics ADSL Modem/Router - Multiple Vulnerabilities" webapps hardware "Kyle Lovett"
2013-08-02 "Western Digital My Net Wireless Routers - Password Disclosure" webapps hardware "Kyle Lovett"
2013-07-10 "Zoom Telephonics X4/X5 ADSL Modem - Multiple Vulnerabilities" webapps hardware "Kyle Lovett"
2013-07-09 "Zoom Telephonics (Multiple Devices) - Multiple Vulnerabilities" remote hardware "Kyle Lovett" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected