Tuesday, January 21, 2020

[SMC Networks] HTTP Response Header Injection & Open Redirect

SMC Networks is an American company founded in 1972. The company develops network interface cards (NICs), stackable dual-speed hubs and Ethernet switches, and is now venturing into the world of IoT.

The SMC Networks D3G0804W router is described as:

"A multimedia Gateway that delivers video, and data for applications such as Home Security and Automation, and IPTV distribution. The Gateway is a versatile and robust all-in-one solutions that make it ideal for homes and businesses to connect their local-area network (LAN) to the Internet."
--SMC Networks D3G0804W user manual.

The default credentials for accessing this device are admin:password

HTTP Response Header Injection

Saving the settings of a WiFi network on the WiFi configuration page generates an HTTP POST request. Whether or not you are authenticated, if you have the structure of that request you can inject arbitrary headers, and even split the HTTP response, using CRLF characters (%0a%0d) in the subUrl POST parameter.

The server's HTTP response, shown in the following picture, speaks for itself: our arbitrary headers were injected and the response was split.

Open Redirect

The page "error_message_pop.asp" makes it possible to redirect someone to any desired URL using the nextUrl parameter.

The image above shows the HTTP GET request needed to perform the redirection. In the following picture, the URL parameters are passed to a custom JavaScript Request object and then separated into individual variables (retMsg and nextUrl). If retMsg is empty, the code goes straight to the redirection, passing nextUrl to window.location.

If we test the URL in a browser, we get the following:

The tested model of the device was D3G0804W-35.2.5-LAT_GA
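
The redirect logic described above for error_message_pop.asp, modelled next to a same-origin check that would close it. This is an added example, not the device's firmware code: only the names retMsg and nextUrl come from the post, while the function names, the gateway address http://192.168.0.1 and the page /status.asp are assumptions.

```javascript
// Added example: models the logic the post describes, not the device's code.
// Only the names retMsg and nextUrl come from the post.

// Split the query string into fields, like the page's custom Request object.
function parseRequest(search) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(search)) fields[key] = value;
  return fields;
}

// Described behaviour: with an empty retMsg, nextUrl is used unchanged.
function unsafeRedirect(search) {
  const { retMsg = "", nextUrl = "" } = parseRequest(search);
  return retMsg === "" ? nextUrl : null; // null: message branch, no redirect yet
}

// Hardened form: only a same-origin http(s) target is accepted.
function safeRedirect(search, origin, fallback = "/") {
  const { retMsg = "", nextUrl = "" } = parseRequest(search);
  if (retMsg !== "") return null;
  // Control characters (CR, LF, TAB ...) never belong in a redirect target.
  if (/[\u0000-\u001f\u007f]/.test(nextUrl)) return fallback;
  let url;
  try {
    url = new URL(nextUrl, origin); // resolves relative and "//host" forms
  } catch {
    return fallback;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  if (url.origin !== new URL(origin).origin) return fallback;
  // Hand back a path-only value so the host can never be chosen by the caller.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs; ORIGIN and /status.asp are assumed values.
const ORIGIN = "http://192.168.0.1";
for (const q of [
  "?retMsg=&nextUrl=https://example.com/",
  "?retMsg=&nextUrl=//example.com/login",
  "?retMsg=&nextUrl=/status.asp?tab=1",
]) {
  console.log(q, "->", unsafeRedirect(q), "|", safeRedirect(q, ORIGIN));
}
```

The value returned by safeRedirect is what the page would assign to window.location; anything off-origin collapses to the fallback path.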


