Archive for March, 2010

Extremely Simple Steganography

by on Mar.25, 2010, under Posts

Dabbling about with the command line one day, I thought to myself, “Can’t I append text to a picture and be able, at a later time, to read the text from the image?”

By simply using ‘>>’, under Windows and Linux, you can append text to a picture file (a JPEG, for example). Bear in mind that this does change the hash sum of the file. Lastly, I’ve only tested this with jpeg images.

Here’s an example:

We have a file called ‘linux.jpg’ from http://www.bose.res.in/~kapil/linux.jpg

We append the message by simply invoking:

echo "Secret Message:  toor" >> linux.jpg

To find our “Secret Message”, simply invoke the following:

egrep -a 'Secret' linux.jpg

If you’re using ‘xterm’, your output may look like this:

http://zitstif.no-ip.org/steg/steg.jpg

However, if you’re using something else and your output ‘borks’ your terminal and the output looks completely alien, use the reset command.

You can also do this in Windows, but the command would look like this:

type linux.jpg | findstr "Secret"
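
From the detection side, text appended this way sits after the JPEG End-Of-Image marker (FF D9), so it can be found without knowing what to grep for. The following is an added example, not part of the original post; the function names are hypothetical and the sample file is a constructed stub containing only JPEG markers.

```shell
#!/bin/sh
# Added example: report and show bytes that follow the last JPEG EOI marker.

# Print the number of bytes after the last FF D9 in file $1 (-1 if no EOI).
# Caveat: the LAST FF D9 is used, so embedded thumbnails are skipped, but a
# payload that itself contains FF D9 would be under-counted.
trailing_bytes() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | awk '
        NF == 0 { next }                        # blank lines left by tr
        { n++ }                                 # n = bytes seen so far
        prev == "ff" && $1 == "d9" { eoi = n }  # offset just past an EOI
        { prev = $1 }
        END { if (eoi) print n - eoi; else print -1 }'
}

# Print whatever follows the image data, if anything does.
show_trailing() {
    n=$(trailing_bytes "$1")
    if [ "$n" -gt 0 ]; then
        tail -c "$n" "$1"
    fi
}

# Constructed stub: SOI, an APP0 header fragment, EOI. Not a viewable image.
make_sample() {
    printf '\377\330\377\340JFIF\377\331' > "$1"
}

demo=$(mktemp)
make_sample "$demo"
echo "clean file, trailing bytes: $(trailing_bytes "$demo")"
echo "Secret Message:  toor" >> "$demo"
echo "after append, trailing bytes: $(trailing_bytes "$demo")"
show_trailing "$demo"
rm -f "$demo"
```

A non-zero count is a reason to inspect the file, not proof of a hidden message.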

Netgear RP614v4 exploit

by on Mar.24, 2010, under Code, Exploits, Posts

rp614v4

Website/Company: http://zitstif.no-ip.org
E-mail: zitstif[at]gmail.com

Name: Kyle Young

Device:
Netgear RP614v4
Firmware version: v1.1.2_09.01
Firmware release date: November 2009
HTTP service: Boa HTTPd 0.93.15
Exploit release date: Wednesday March 24, 2010

Default router credentials:
username: admin
password: password

Scope: Local/Remote

Vulnerability:

The Netgear RP614v4 will serve its netgear.cfg file to any end user who requests it. The file is located at:

http://[RouterIP]/vgn/jsp/netgear.cfg

This file is a plain-text ASCII file that contains the router’s password at line 216, which looks similar to this:

http_passwd=myvulnerablepassword

You don’t have to authenticate to obtain this file at all.

The qualm with this exploit is that it works from the LAN that the router is on, or even remotely over a WAN if the remote administration option is enabled (the default port for this is 8080).

PoC: http://zitstif.no-ip.org/rp614v4/rp614v4exploit.txt

Additional notes:

After discovering this vulnerability, I’ve noticed that with other routers that have HTTP-based administration, you can make requests for config files without authenticating. However, this does not always work and at times the config file is obfuscated.

From my experience, most of the config files for routers are in a binary format and can be viewed with a program like ‘bvi’. At times, you can view credentials to the device and also PPPoE credentials.

I’m reporting this vulnerability to securityfocus.com, due to the lack of support on Netgear’s end.
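
For defenders, a request for this path is easy to spot in HTTP logs from a proxy or sensor that sits in front of the router. The following is an added example, not part of the original advisory; the log format (`src_ip dst_port method path status`), the function names and the sample lines are all constructed.

```shell
#!/bin/sh
# Added example: flag HTTP requests for the RP614v4 config file.
# Assumed (constructed) log format, one request per line:
#   src_ip dst_port method path status
CFG_PATH='/vgn/jsp/netgear.cfg'

flag_cfg_requests() {
    awk -v cfg="$CFG_PATH" '
        # RFC 1918 source address => the request came from the LAN side.
        function is_private(ip,    o) {
            split(ip, o, ".")
            return (o[1] == 10) || (o[1] == 192 && o[2] == 168) ||
                   (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
        }
        {
            path = $4
            sub(/[?#].*$/, "", path)      # drop any query string
            gsub(/\/+/, "/", path)        # collapse repeated slashes
            if (path != cfg) next
            origin = is_private($1) ? "LAN" : "WAN"
            result = ($5 == 200) ? "SERVED" : "refused"
            print origin, $1, "port=" $2, result
        }'
}

# Constructed sample lines (private and documentation address ranges).
sample_log() {
    cat <<'EOF'
192.168.1.23 80 GET /vgn/jsp/netgear.cfg 200
203.0.113.7 8080 GET /vgn/jsp/netgear.cfg 200
192.168.1.23 80 GET /index.htm 200
198.51.100.9 8080 GET //vgn/jsp/netgear.cfg?x=1 401
EOF
}

sample_log | flag_cfg_requests
```

A `WAN ... port=8080 SERVED` line means the file left the network through remote administration, so the `http_passwd` value in it should be treated as disclosed and changed.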



Testing for existence of programs via bash

by on Mar.15, 2010, under Code, Posts

For those of you who are into shell scripting, and want to know what in my opinion is the best way to test for whether programs exist or not, pay close attention.

In my humble opinion, the best way to test for the existence of a program is to test the exit code of the previous command in an if loop.

Firstly, if you run a command that doesn’t exist, the exit code will always be ‘127’. If you don’t want to see the output of the command while testing for it, then just simply redirect all the output to /dev/null.

idontexist &> /dev/null
echo $?
127

Now, a friend suggested using this method for testing for programs in bash:

idontexist &> /dev/null || echo "You don't have 'idontexist'"; exit 1;

There are a few qualms with this. Firstly, depending on the program, if the program does not exit with the exit code of ‘0’, your shell script will then state “You don’t have 'idontexist'” and then exit. However, you might actually have the program! Some programs exit with non-zero exit codes if you pass no arguments to them, or even if you pass ‘-h’ as a help argument. Also, since the echo statement is terminated by the semicolon, ‘exit’ will then be executed regardless of whether the program was found.

Ergo, this method looks great for just being a one-liner, but if I want to test for the existence of a program and, if it doesn’t exist, exit with an error message displayed to the user, I highly suggest my following method:

idontexist &> /dev/null;

if [[ "$?" == "127" ]];
 then
     echo "'idontexist' appears to not be installed, check your PATH variable"; exit 1;
fi

More to come…
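
The exit-code behaviour discussed above, as an added example that is not from the original post: it maps 127 (not found) and 126 (found but not executable) to results, and it also shows `command -v`, the POSIX lookup that answers the same question without executing the program. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: two ways to test whether a program is available.

# Probe by running the command, as in the post. Only 127 means "not found";
# any other status (including non-zero ones) proves the program ran.
probe_by_exit_code() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?      # capture status, safe under set -e
    case $rc in
        127) echo missing ;;
        126) echo not-executable ;;
        *)   echo present ;;
    esac
}

# Probe without running anything. command -v only resolves the name
# (it also reports shell builtins, functions and aliases).
probe_by_lookup() {
    if command -v "$1" >/dev/null 2>&1; then
        echo present
    else
        echo missing
    fi
}

# The one-liner's problem is precedence: in `a || b; exit 1` the exit always
# runs. Braces tie the failure action to the failed lookup only.
require() {
    command -v "$1" >/dev/null 2>&1 || {
        echo "'$1' appears to not be installed, check your PATH variable" >&2
        return 1
    }
}

echo "idontexist: $(probe_by_exit_code idontexist)"
echo "false:      $(probe_by_exit_code false)"   # exits 1, yet it exists
echo "sh:         $(probe_by_lookup sh)"
```

Running the candidate has side effects if the name resolves to something unexpected on PATH, which is the main reason to prefer the lookup form in scripts that run with privileges.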


Why wireless networks can be an anathema towards security..

by on Mar.10, 2010, under Posts, Videos

Xplico Part 1:

Xplico Part 2:

http://www.securitytube.net/Xplico-Network-Forensic-Analysis-Tool-Demo-video.aspx

If you’re curious about a good live Linux forensics distro that even includes this tool, check out:
http://www.deftlinux.net/
