Posts Tagged ‘RomPager’

More Routers Vulnerable to RomPager Authentication Bypass

January 27, 2014

As discussed in prior posts, more routers are vulnerable to the RomPager /rom-0 bypass:

D-Link DSL-2520U 1.08 Hardware Version: B1
D-Link DSL-2740R EU_1.13 Hardware Version: A1
AirLive WT-2000ARM 2.11.6.0(RE0.C29)3.7.6.1

While playing around, it also seems that the D-Link routers frequently have a password of ‘263297’, making me think it is a default!

Zyxel Prestige 782R Authentication Bypass

January 26, 2014

The Zyxel Prestige 782R router (Shodan search) suffers from the RomPager /rom-0 bypass mentioned in earlier posts.

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password.

Ultimately this is due to the router using the RomPager server, which can be identified from the response header:

Server: ZyXEL-RomPager/3.02

ZTE Routers Multiple Vulnerabilities

January 23, 2014

The ZTE ZXV10 W300 router (Shodan search) is really a TP-Link router, judging by the identical interface. According to the manual it ships with default credentials.

Enter the default user name admin and password admin, and then click the OK button to enter the main page for configuration, as shown in Figure 6.

[image: zte1]

It also uses RomPager and is vulnerable to the authentication bypass mentioned in previous posts. Request the /rom-0 binary and reverse it using this tool. The first string is the admin password. Tested on firmware version W300V1.0.0a_ZRD_CO3.

The ZXDSL 831CII from ZTE does not look like a TP-Link router; it is either ZTE’s own code or a different vendor’s. It suffers from the RomPager /rom-0 bypass though.

Software Version = ZXDSL 831CIIV2.2.1a_Z43_MD
ADSL Firmware Version = FwVer:3.12.8.201_TC3086 HwVer:T14.F7_7.0

Huawei Routers Multiple Vulnerabilities

January 21, 2014

The Huawei EchoLife HG520c router (Shodan search) contains a way to bypass authentication. If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password. I tested the following firmware version: 3.10.33.0-1.0.7.0. This also affects the Huawei SmartAX MT880 (Shodan search) running firmware 3.11.2.142, and the MT886 running 3.12.8.20. This is due to use of RomPager as the underlying server.

GET /rom-0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Fri, 07 Jan 2000 06:11:11 GMT
Last-Modified: Tue, 07 Jan 1930 06:11:11 GMT
Content-Length: 16384
Server: RomPager/4.07 UPnP/1.0
EXT:

[…]

[image: echolife1]

Also, the /home_wlan.html page sends the WPA shared key in cleartext over HTTP.

TP-Link Routers Multiple Vulnerabilities

January 20, 2014

Multiple TP-Link routers contain several vulnerabilities.

#1 Default Admin Credentials

According to the TD-W8901g manual the web interface has default credentials.

Open a web browser (either of Windows Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, Opera or any other web browser), key in 192.168.1.1 in the address bar and press enter. The default username and password are both “admin” (all in lower case)

#2 Authentication Bypass

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password.

I tested the following routers / firmware versions of the TD-W8901g:

TD-W8901g – 3.0.1 Build 100603 Rel.26888
TD-W8901g – 3.0.1 Build 100901 Rel.23594
TD-W8901g – 3.0.0 Build 100702 Rel.26418
TD-W8961ND – 3.0.0 Build 130422 Rel.05843
TD-8817 – 3.0.1 Build 110402 Rel.02846
TD-8840T – 3.0.0 Build 101208 Rel.36427

[image: tplink0]

[image: tplink1]

Other vendors’ routers based on the TP-Link firmware are also affected:

Lnpomcbr3b M-200 A W300V1.0.0a_ZRD_BY1
iball Baton iB-LR6111A 2.0.0 Build 080604 Rel.39621
akeeo amplebit ADSL Router 2.10.7.0(UE3.C2)3.7.7.2.001

Ultimately this is due to the router using the RomPager server, which can be identified from the response header:

Server: RomPager/4.07 UPnP/1.0

#3 Cleartext User Password Disclosure

By default the router operates over HTTP. Once authenticated as admin, the password of the user account (which is not a default account, so it may not exist) is sent in cleartext while navigating the interface. The /basic/home_wan.htm page makes a call to /basic/tc2wanfun.js, which contains the password.

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Date: Mon, 20 Jan 2014 02:24:17 GMT
Pragma: no-cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
Server: RomPager/4.07 UPnP/1.0
EXT:
Content-Length: 23

var pwdppp = "PASSWORD";
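A passive detector for the three exposures described in these posts (the RomPager Server banner, requests for /rom-0 as in the Huawei exchange above, and the pwdppp assignment in /basic/tc2wanfun.js), written as an added example; it is not code from the original posts nor from any vendor or tool mentioned in them. It assumes captured request/response pairs as plain text, for instance from a proxy, IDS or packet capture of the management interface; the sample messages are constructed from the headers quoted on the page, and the function and class names are my own.

```python
"""Passive detection of the RomPager exposures described in the posts above.

Given captured HTTP request/response pairs, flag
 (1) devices whose Server banner identifies the RomPager embedded server,
 (2) requests for /rom-0, the configuration image the posts show being served
     without authentication, and
 (3) JavaScript responses that carry a pwdppp credential assignment over HTTP.
The password value itself is never copied into a finding.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    kind: str     # short machine-readable label
    detail: str   # human-readable note; secrets are redacted, never logged


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request or response into (start line, headers, body).

    Header names are lower-cased so lookups are case-insensitive. Deliberately
    minimal: it handles the flat text shown in the posts, not chunked encoding.
    """
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


ROMPAGER_RE = re.compile(r"RomPager/(\d+(?:\.\d+)*)", re.IGNORECASE)
# Assignment of the "pwdppp" variable as seen in /basic/tc2wanfun.js on the page.
PWDPPP_RE = re.compile(r'var\s+pwdppp\s*=\s*"([^"]*)"')


def check_server_banner(headers: Dict[str, str]) -> List[Finding]:
    """Flag the RomPager banner: every device in the posts that exposed /rom-0 ran it."""
    m = ROMPAGER_RE.search(headers.get("server", ""))
    if not m:
        return []
    return [Finding("rompager-banner",
                    f"embedded RomPager {m.group(1)} server; verify /rom-0 is not "
                    "reachable from untrusted networks")]


def check_rom0_request(request_line: str) -> List[Finding]:
    """Flag a request for /rom-0; a legitimate admin rarely fetches the raw config image."""
    parts = request_line.split()
    if len(parts) >= 2 and parts[1].split("?", 1)[0] == "/rom-0":
        return [Finding("rom0-request",
                        f"{parts[0]} /rom-0 observed; treat the admin password as "
                        "exposed and rotate it")]
    return []


def check_cleartext_credential(headers: Dict[str, str], body: str) -> List[Finding]:
    """Flag a JavaScript body carrying the pwdppp assignment (the user account password)."""
    if "javascript" not in headers.get("content-type", "").lower():
        return []
    m = PWDPPP_RE.search(body)
    if not m:
        return []
    return [Finding("cleartext-password",
                    f"pwdppp credential of {len(m.group(1))} chars sent in a script "
                    "body over HTTP; value redacted")]


def scan_exchange(request_raw: str, response_raw: str) -> List[Finding]:
    """Run all three checks over one request/response pair and return the findings."""
    req_line, _, _ = parse_http_message(request_raw)
    _, resp_headers, resp_body = parse_http_message(response_raw)
    return (check_rom0_request(req_line)
            + check_server_banner(resp_headers)
            + check_cleartext_credential(resp_headers, resp_body))


# Constructed samples modelled on the exchanges quoted in the posts.
ROM0_REQUEST = "GET /rom-0 HTTP/1.1\r\nHost: 1.2.3.4\r\nUser-Agent: Opera/9.80\r\n\r\n"
ROM0_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 "Content-Length: 16384\r\nServer: RomPager/4.07 UPnP/1.0\r\nEXT:\r\n\r\n"
                 + "\x00" * 16)  # placeholder bytes standing in for the config image
JS_REQUEST = "GET /basic/tc2wanfun.js HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
JS_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n"
               "Server: RomPager/4.07 UPnP/1.0\r\nContent-Length: 23\r\n\r\n"
               'var pwdppp = "PASSWORD";')
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    pairs = [(ROM0_REQUEST, ROM0_RESPONSE), (JS_REQUEST, JS_RESPONSE),
             (BENIGN_REQUEST, BENIGN_RESPONSE)]
    for req, resp in pairs:
        for f in scan_exchange(req, resp):
            print(f"[{f.kind}] {f.detail}")
```

Run as a script it reports two findings for the /rom-0 exchange, two for the script download (banner plus cleartext credential) and none for the benign nginx page. The checks are passive on purpose: they classify traffic or captures you already have rather than probing devices, and the banner finding is only a prompt to confirm that the management interface is not reachable from the WAN side.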