Linksys wrt160n validating

I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit. I hope that password mentioned isn't another case of hard-coded credentials to debug stuff on the router.

The port appears to change but is always

The binary also includes a couple of images (thanks Peter for pointing that out).

The initial HNAP technique is described here: it looks like they snag the credentials in the initial attempt and then post back with those credentials on the second request, causing the second stage to be executed. https://edu/forums/diary/Suspected Mass Exploit Against Linksys E1000 E1200 Routers/17621/1#29684

I believe the second stage is using a technique described in a blog post by one of my co-workers back in March of 2013...

Short summary:
- all user agents match your list
- oldest hit was in August 2013 (previous hits in July didn't use the "admin" password)
- Linksys models involved in the scanning include not only E1000 and E1200, but also E1500, E2500, E3200 and E4200 (full list with firmware versions

Cmd line injection vulnerability seems to go back a long ways. It shows up in the logs as the "\x80w\x01\x03\x01" string in Apache web logs.

$HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; flow:established,to_server; content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; fast_pattern:only; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, classtype:bad-unknown; sid:10000112; rev:2;)

@claudijd Not the same thing; the password is included in the initial HNAP request and it seems to be randomly generated with each request (i.e.

It looks like random passwords are used, but they don't really matter (one reason I withheld the name of the cgi for now).

Yeah I realized they were using a mechanism to bypass proper authentication this time around.

epi_ttcp is being called by the usr/sbin/httpd without checking/validating the parameters being passed.

"epi_ttcp -tsufm -l %s -n %s %s &", ttcp_size, ttcp_num, ttcp_ip

So it's a similar issue to what was disclosed in May 2013, but instead of exploiting a problem with the ping test part of the code, it's in the ttcp section in the Start_epi function inside httpd.

One important update: This affects other Linksys routers as well. The user agent is randomised; we can see how quickly (actually not that fast) it scanned through a small range of IPs here:

75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 301 185 " "Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1"
75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 404 247 " "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7"
75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 301 185 " "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
75.69.x.x - admin [13/Feb/ 0000] "GET /HNAP1/ HTTP/1.1" 404 247 " "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"

I wonder if the port for stage2 is always 193?
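The log pattern quoted above (GET /HNAP1/ logged as user "admin" with a different user agent on every hit) and the "Basic YWRtaW46" prefix the Snort rule keys on can be checked from the web server side as well. The script below is an added example, not code from this thread; the log lines in it are constructed to mirror the ones quoted above, and the host, timestamp and regex are assumptions for a standard combined log format.

```python
import base64
import re
from collections import defaultdict

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# base64("admin:") is the prefix the Snort rule matches; the password after it varies.
ADMIN_PREFIX = base64.b64encode(b"admin:").decode()  # "YWRtaW46"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hnap_probe(rec):
    """First-stage probe as seen in the thread: GET /HNAP1/ logged under user 'admin'."""
    return rec is not None and rec["request"].startswith("GET /HNAP1/") and rec["user"] == "admin"

def summarize(lines):
    """Per source host: number of HNAP probes and number of distinct user agents.

    A single host with one probe per distinct agent is the randomised-UA scanner pattern."""
    stats = defaultdict(lambda: {"probes": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if is_hnap_probe(rec):
            stats[rec["host"]]["probes"] += 1
            stats[rec["host"]]["agents"].add(rec["agent"])
    return {host: (s["probes"], len(s["agents"])) for host, s in stats.items()}

def is_admin_basic_auth(header_value):
    """True when an Authorization header is HTTP Basic for user 'admin', whatever the password."""
    parts = header_value.split()
    return len(parts) == 2 and parts[0] == "Basic" and parts[1].startswith(ADMIN_PREFIX)

# Constructed sample log: four probes from one host (different agent each time) plus one benign hit.
SAMPLE_LOG = [
    '75.69.0.1 - admin [13/Feb/2014:00:00:01 +0000] "GET /HNAP1/ HTTP/1.1" 301 185 "-" "Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1"',
    '75.69.0.1 - admin [13/Feb/2014:00:00:02 +0000] "GET /HNAP1/ HTTP/1.1" 404 247 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7"',
    '75.69.0.1 - admin [13/Feb/2014:00:00:03 +0000] "GET /HNAP1/ HTTP/1.1" 301 185 "-" "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"',
    '75.69.0.1 - admin [13/Feb/2014:00:00:04 +0000] "GET /HNAP1/ HTTP/1.1" 404 247 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x"',
    '192.0.2.10 - - [13/Feb/2014:00:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"',
]

if __name__ == "__main__":
    for host, (probes, agents) in summarize(SAMPLE_LOG).items():
        print(f"{host}: {probes} HNAP probes, {agents} distinct user agents")
```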

For example, we do have some routers connecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4).

Finally our honeypot did capture something that looks like it is responsible for the scanning activity we see. The initial request, as discussed earlier, is:

POST /[withheld] HTTP/1.1
Host: [ip of honeypot]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: of honeypot]:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

So it looks like it will try to download a "second stage" from port 193 from the attacking router. The "L26" file appears to be a lock file to prevent multiple exploitation.

From one source I get Connection Refused, from another I get Connection Timed Out, although both their port 80's are still reachable.
