After digging a little into my wireless router (the above mentioned), I noticed a tiny flaw that could easily be used to bypass the authentication and get access to system administration.
The router stores the MD5 hash of the admin password in a JavaScript variable which, in some situations, is embedded in the source of the pages it serves. One of the best examples is this one: http://192.168.2.1/login.stm (replace 192.168.2.1 with your router's IP). When you enter your password, the script in the page hashes it with MD5 and sends the hash to the router for approval. Because the hash is both disclosed in the page and accepted as the credential, all we have to do is swap the hashes and send the real one to be compared to... guess what, itself. I did this using Opera (it handles on-the-fly modifications of pages very well):
1. Open the following page: http://192.168.2.1/login.stm, right-click on it and choose Source from the drop-down menu.
2. Now take a look at the code; you'll see a lot of interesting stuff in there (even more interesting if you were looking at http://192.168.2.1/status.stm), but what really matters is the following code:
var password = "c46335eb267e2e1cde5b017acb4cd799";
if (typeof(bEncPassword) != 'undefined')
    document.tF.pws.maxLength = 32;
document.tF.pws.value = hex_md5(document.tF.pws.value);
We now have all we need to proceed; just replace "hex_md5(document.tF.pws.value)" with "password" (without quotes) and apply the changes made to the source (upper left corner); we're now ready for the next step:
3. Return to your starting page and simply click Submit. You've bypassed the password check and gained access to the router.
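The root cause here is a design flaw rather than a bug in one line: the stored hash is disclosed to the client, and the server accepts that same hash as proof of knowing the password, so the hash is a plaintext-equivalent credential. The following is an added example, not code from the post or from the router's firmware; it models the vulnerable check described above next to a hardened server-side verification, and includes a small audit helper that flags a 32-hex `var password` assignment in a login page you administer. All function names, the sample password and the regex are constructed for this illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential for the demonstration (not the value from the post).
SAMPLE_PASSWORD = "correct horse"


def md5_hex(password: str) -> str:
    """MD5 hex digest, as the router's client-side hex_md5() produces it."""
    return hashlib.md5(password.encode()).hexdigest()


# ---- Vulnerable design, as described in the post -------------------------
# The device keeps the MD5 of the admin password and writes it into the login
# page. Login succeeds when the browser returns a string equal to that hash, so
# anyone who can read the page already holds a credential equivalent to the
# password. Nothing the client sends proves knowledge of the password itself.

def vulnerable_render_login_page(stored_md5: str) -> str:
    # Models the line 'var password = "..."' seen in login.stm.
    return f'<script>var password = "{stored_md5}";</script>'


def vulnerable_verify(stored_md5: str, submitted: str) -> bool:
    # Accepts whatever hash the client supplies; the hash IS the secret.
    return submitted == stored_md5


# ---- Hardened design -----------------------------------------------------
# The secret never leaves the device. The client submits the password (over
# TLS), the server re-derives a salted, iterated hash and compares it in
# constant time. Disclosing the page source reveals nothing reusable.

PBKDF2_ITERATIONS = 200_000


def hardened_enroll(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def hardened_render_login_page() -> str:
    # The login form carries no credential material at all.
    return '<form method="post"><input name="pws" type="password"></form>'


def hardened_verify(record: dict, submitted_password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


# ---- Audit check for your own device -------------------------------------
# Flags JavaScript assignments of a 32-hex-digit string to a variable named
# 'password'. Curly quotes are accepted because copy-pasted sources often
# carry them, as the post's own listing does.

_PASSWORD_VAR = re.compile(
    r'var\s+password\s*=\s*["\u201c]([0-9a-fA-F]{32})["\u201d]'
)


def audit_login_page(html: str) -> list:
    """Return every disclosed MD5-shaped 'password' value found in the page."""
    return _PASSWORD_VAR.findall(html)


if __name__ == "__main__":
    h = md5_hex(SAMPLE_PASSWORD)
    print("vulnerable page findings:", audit_login_page(vulnerable_render_login_page(h)))
    print("hardened page findings:  ", audit_login_page(hardened_render_login_page()))
    rec = hardened_enroll(SAMPLE_PASSWORD)
    print("hardened verify (correct):", hardened_verify(rec, SAMPLE_PASSWORD))
    print("hardened verify (wrong):  ", hardened_verify(rec, "wrong"))
```

Running the audit helper against the source of your own router's login page is a quick way to confirm whether this class of disclosure applies to your firmware; if it does, the practical mitigations are a firmware update from the vendor, disabling remote (WAN-side) administration, and restricting LAN access to the admin interface until one is available.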
This is useless if you have direct access to the router and you don't mind resetting it.
The questions are:
- Why would you still do it?
- How would you automate the process?
The information provided here should only be used for educational and social purposes. The author cannot be held responsible under any circumstances. Do not try this on someone else’s hardware. Actually.. don’t try it at all!