Attempts to exploit Firewall/Router - Suse

This is a discussion on Attempts to exploit Firewall/Router - Suse ; These errors have started to show in Apache error log: [Sun Feb 17 08:07:39 2008] [error] [client 85.17.141.27] script not found or unable to stat: /srv/www/cgi-bin/firmwarecfg I have seen only a few addresses so far trying this. According to Google ...

+ Reply to Thread
Results 1 to 8 of 8

Thread: Attempts to exploit Firewall/Router

  1. Attempts to exploit Firewall/Router

    These errors have started to show in Apache error log:
    [Sun Feb 17 08:07:39 2008] [error] [client 85.17.141.27]
    script not found or unable to stat: /srv/www/cgi-bin/firmwarecfg

    I have seen only a few addresses so far trying this.

    According to Google it is an attempt to find a hidden feature in D-Link
    boxes called firmwareconfig.

    Does anybody know if it only affects D-Links or are there other boxes
    that could be cracked using this?

    Vahis
    Remodeling my site to train new things:
    http://waxborg.servepics.com
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  2. Re: Attempts to exploit Firewall/Router

    Vahis wrote:
    > These errors have started to show in Apache error log:
    > [Sun Feb 17 08:07:39 2008] [error] [client 85.17.141.27]
    > script not found or unable to stat: /srv/www/cgi-bin/firmwarecfg
    >
    > I have seen only a few addresses so far trying this.
    >
    > According to Google it is an attempt to find a hidden feature in D-Link
    > boxes called firmwareconfig.
    >
    > Does anybody know if it only affects D-Links or are there other boxes
    > that could be cracked using this?


    All routers that have a file /srv/www/cgi-bin/firmwarecfg and that
    includes your Linux box. However what they do is make a connection to
    the router. Your router should NOT be accesible from the outside world.
    Your router should route traffic to your PC, that has a firewall. Then
    from the inside you can launch a browser and connect to your router.

    So connection with your router with 10.x.y.z OK, connection to
    88.112.28.235 NOT OK. This all to a connection to your router and over
    telnet, http or whatever.

    houghi
    --
    If God doesn't destroy Hollywood Boulevard, he owes Sodom and
    Gomorrah an apology.

  3. Re: Attempts to exploit Firewall/Router

    On 2008-02-17, houghi wrote:
    > Vahis wrote:
    >> These errors have started to show in Apache error log:
    >> [Sun Feb 17 08:07:39 2008] [error] [client 85.17.141.27]
    >> script not found or unable to stat: /srv/www/cgi-bin/firmwarecfg
    >>
    >> I have seen only a few addresses so far trying this.
    >>
    >> According to Google it is an attempt to find a hidden feature in D-Link
    >> boxes called firmwareconfig.
    >>
    >> Does anybody know if it only affects D-Links or are there other boxes
    >> that could be cracked using this?

    >
    > All routers that have a file /srv/www/cgi-bin/firmwarecfg and that
    > includes your Linux box.


    That's obvious

    > However what they do is make a connection to
    > the router. Your router should NOT be accesible from the outside world.


    It's not.

    > Your router should route traffic to your PC, that has a firewall. Then
    > from the inside you can launch a browser and connect to your router.


    I think firmwarecfg is used for configuring from inside.
    That's what they are looking for.
    >
    > So connection with your router with 10.x.y.z OK, connection to
    > 88.112.28.235 NOT OK. This all to a connection to your router and over
    > telnet, http or whatever.


    My firewall/router box is not D-Link which is said to have this
    vulnerability (in some models maybe).

    Actually this particular thing does nothing to me since I don't have what
    they want

    I just thought I'll bring this to others' attention.

    They also look for other vulnerabilities:
    adminfoot.php
    oneadmin


    Vahis
    Remodeling my site to train new things:
    http://waxborg.servepics.com
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  4. Re: Attempts to exploit Firewall/Router

    Vahis wrote:
    > [...]
    > They also look for other vulnerabilities:
    > adminfoot.php
    > oneadmin
    >
    >
    > Vahis
    > Remodeling my site to train new things:
    > http://waxborg.servepics.com


    My logs are full with "hacking" attempts, including /../../../etc/passwd
    lol. I just ignore them. Nothing that can be done about it.

  5. Re: Attempts to exploit Firewall/Router

    Vahis wrote:
    >> Your router should route traffic to your PC, that has a firewall. Then
    >> from the inside you can launch a browser and connect to your router.

    >
    > I think firmwarecfg is used for configuring from inside.
    > That's what they are looking for.


    http://xforce.iss.net/xforce/xfdb/20660 and many more links that are
    pretty old now. It looks for the file on the dlink.


    houghi
    --
    If God doesn't destroy Hollywood Boulevard, he owes Sodom and
    Gomorrah an apology.

  6. Re: Attempts to exploit Firewall/Router -- DO NOT ENABLE UPnP


    Also, note that it is *critical* not to turn on the UPnP
    (Universal Plug and Play) capabilities of routers.

    http://blogs.techrepublic.COM/tech-news/?p=1902

    QUOTE

    Severe UPnP/Flash vulnerability discovered

    A researcher has demonstrated an attack vector that uses Adobe Flash to
    exploit a vulnerability in networking devices that support UPnP. An
    attacker only needs to convince a user to open a URL with the malicious
    file. A successful exploit will open the floodgates to the remote control
    and configuration of UPnP-enabled devices.

    UNQUOTE

    Technical details of how the Universal Plug and Play vulnerability
    is exploited can be found at



  7. Re: Attempts to exploit Firewall/Router -- DO NOT ENABLE UPnP

    On 2008-02-17, J G Miller wrote:
    >
    > Also, note that it is *critical* not to turn on the UPnP
    > (Universal Plug and Play) capabilities of routers.
    >
    > http://blogs.techrepublic.COM/tech-news/?p=1902
    >
    > QUOTE
    >
    > Severe UPnP/Flash vulnerability discovered
    >
    > A researcher has demonstrated an attack vector that uses Adobe Flash to
    > exploit a vulnerability in networking devices that support UPnP. An
    > attacker only needs to convince a user to open a URL with the malicious
    > file. A successful exploit will open the floodgates to the remote control
    > and configuration of UPnP-enabled devices.
    >
    > UNQUOTE
    >
    > Technical details of how the Universal Plug and Play vulnerability
    > is exploited can be found at
    >
    >


    I must admit that I don't quite understand the concept of UPnP at this
    moment. I need some reading obviously.

    Anyway, I checked my router and there's an option to enable UPnp as well
    as pass UPnp through firewall.

    Everything about UPnP there is disabled by default and I've never
    changed it (like I said, I don't even know what it is)

    So far so good.

    It seems that there are some people out there prospecting...

    Vahis
    Remodeling my site to train new things:
    http://waxborg.servepics.com
    --
    "The only thing more expensive than training is the lack of it"
    Henry Ford

  8. Re: Attempts to exploit Firewall/Router -- DO NOT ENABLE UPnP

    Vahis wrote:

    > On 2008-02-17, J G Miller wrote:
    >>
    >> Also, note that it is *critical* not to turn on the UPnP
    >> (Universal Plug and Play) capabilities of routers.
    >>
    >> http://blogs.techrepublic.COM/tech-news/?p=1902
    >>
    >> QUOTE
    >>
    >> Severe UPnP/Flash vulnerability discovered
    >>
    >> A researcher has demonstrated an attack vector that uses Adobe Flash
    >> to exploit a vulnerability in networking devices that support UPnP.
    >> An attacker only needs to convince a user to open a URL with the
    >> malicious file. A successful exploit will open the floodgates to the
    >> remote control and configuration of UPnP-enabled devices.
    >>
    >> UNQUOTE
    >>
    >> Technical details of how the Universal Plug and Play vulnerability
    >> is exploited can be found at
    >>
    >>

    >
    > I must admit that I don't quite understand the concept of UPnP at this
    > moment. I need some reading obviously.
    >
    > Anyway, I checked my router and there's an option to enable UPnp as
    > well as pass UPnp through firewall.
    >
    > Everything about UPnP there is disabled by default and I've never
    > changed it (like I said, I don't even know what it is)


    I'm the same. Never had it, never used it, don't miss it !


    > So far so good.
    >
    > It seems that there are some people out there prospecting...


    I agree!

    > Vahis
    > Remodeling my site to train new things:
    > http://waxborg.servepics.com


    --
    Regards:
    Baron.

+ Reply to Thread