Sunday, May 13, 2012

CD-R King IP04166 Wireless-N Router for his WiMAX and I was the one who set up the security settings of the wireless router, like the wireless encryption and firewall management, making sure that WPS is disabled, and setting up the username and password for logging in to the web page of the Access Point (AP).
[Image: cdrkingwlansetup]
Alright, setup is done. So if a user enters the default gateway of the access point in his/her browser he should be able to see this:


[Image: default_gateway]
This prevents other users who are connected to the network from modifying or editing your wireless router.
[Image: unauthorized access]
Hey, it’s using mini_httpd 1.19, a small HTTP server! :)

Security Risk No. 1

One day, I decided to check the open ports of the router by using nmap and added -A for enabling OS detection, version detection, script scanning, and traceroute:
nmap -A 192.168.10.1
[Image: advanced nmap options]
Okay, so port 23 is open, thus I can telnet to the default gateway:
[Image: busybox]
Okay, I was able to telnet to the router, but what the… OMG, it didn’t ask me for any login information to the box. It’s running on BusyBox v1.1.3. So if the user can’t access the web page of the AP, then he/she can take advantage of this privilege to search for the password of the web page.
As you can see from the image above, I typed ‘ls -la’, which lists all the directories of the root directory. Take for example bin, wherein you can see all the common programs shared by the system, the system administrator and the users.
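The condition described above, a telnet service that hands out a shell with no login step, can be checked for on your own gateway by looking at the first bytes the service sends. This is an added example, not code from the original post; the function names and the two sample captures are constructed for illustration.

```python
import re
import socket

IAC, SE, SB = 255, 240, 250
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT: one option byte follows

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop telnet IAC command sequences (RFC 854) and return the visible text."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break                                  # truncated command at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)                        # escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3
        elif data[i + 1] == SB:                    # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                                 # other two-byte commands
    return bytes(out)

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a telnet service sends before any user input."""
    text = strip_telnet_negotiation(data).decode("latin-1")
    if re.search(r"(login|username|password)\s*:\s*$", text, re.I):
        return "login-required"
    if re.search(r"[#$>]\s*$", text):              # a shell prompt with no login step
        return "unauthenticated-shell"
    return "unknown"

def read_banner(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Read what the service sends unprompted (run against your own gateway)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""

# Constructed sample captures, not taken from the router in the post.
SAMPLE_OPEN = b"\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x01\xff\xfb\x03\r\nBusyBox v1.1.3 built-in shell (ash)\r\n\r\n# "
SAMPLE_LOGIN = b"\xff\xfb\x01\xff\xfb\x03\r\nrouter login: "
```

A result of "unauthenticated-shell" from `classify_banner(read_banner("192.168.10.1"))` means the service should be disabled or filtered on the router.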

Security Risk No. 2

The /var directory contains storage for all variable files and temporary files created by users, such as log files, the mail queue, the print spooler area, space for temporary storage of files downloaded from the Internet, or to keep an image of a CD before burning it.[1]
Thus, looking into the /var directory would be a cool place to find some good stuff. So I decided to check on the directory and list all the files:
cd /var
ls -la
[Image: var directory]
If you look closely at the image, you should be able to see a file ‘.htpasswd’. Let’s try to check out this file:
[Image: password disclosure]
The Final Blow: .htpasswd contains the account password of the web page of the Access Point. Now let’s try to log in to the web page of the AP by using this information:
#nimda:sudo910aPt
[Image: hacking routers]
CD-R King, why are you selling insecure wireless routers?? :(
I haven’t tried upgrading to its new firmware version yet or changing to a new firmware because my dad is using it, but I will try to play with it next time.

RONIE TEMPLA 2011. Powered by Blogger.