ASUS RT-N66U Router - HTTPS Directory traversal and full file access and credential disclosure vuln

2013-06-23 Thread kyle Lovett
Vulnerable product: ASUS RT-N66U when HTTPS WebService via AiCloud is enabled (AC66R and RT-N65U are affected as well, but need more testing) Vulnerabilities: - Linux 2.6.22 - Researched on both 3.0.0.4.270 and 3.0.0.4.354 firmware - Full directory traversal and plain text disclosure of all sensit

Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access

2013-07-02 Thread kyle Lovett
Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22 Firmware Version: 1.0.14 EA2700 Firmware Version: 1.0.30 EA3500 Firmware Version: 2.0.36 E4200 Firmware Version: 2.0.36 EA4500 Impact: - Major Timeline: - Still awaiting word back fr

Zoom X4/X5 ADSL Modem and Router -Unauthenticated Remote Root Command Execution

2013-07-09 Thread kyle Lovett
Vulnerable Products - Zoom X4 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0Virata-EmWeb/R6_2_0 Server All GS Firmware versions Zoom X5 ADSL Modem and Router running Nucleus/4.3 UPnP/1.0Virata-EmWeb/R6_2_0 Server All GS Firmware versions Note: A similar vulnerability was reported several year

Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units

2013-07-14 Thread kyle Lovett
Note: In June I released a partial disclosure for just the RT-N66U on the issue of directory traversal. I have only heard back from ASUS twice on the issue, and I understand they are working on a fix. However, no serious attempt to our knowledge has been made to warn their customers in the meanti

Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials

2013-07-19 Thread kyle Lovett
Vulnerable Products - WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD Linux 2.6.3 Kernel All firmware including the latest Ver. 1.04.16 WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelera

Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials

2013-07-22 Thread kyle Lovett
Vulnerable Products - WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD Linux 2.6.3 Kernel Firmware Ver. 1.03.xx 1.04.xx Firmware unaffected Ver 1.01.xx WD My Net N900 HD Dual Band Router Wireless N WiFi

Update: Linksys EA2700, EA3500, E4200v2, EA4500 Unspecified unauthenticated remote access

2013-08-15 Thread kyle Lovett
- Vulnerabilities: An unspecified bug can cause an unsafe/undocumented TCP port to open allowing for: - Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under ce

Full Disclosure - Multiple vulnerabilities in five Zoom ADSL Modem/Routers

2013-09-02 Thread kyle Lovett
Five models of the Zoom Telephonics ADSL Modem/Router line suffer from multiple critical vulnerabilities, almost all being of a remote access attack vector. Models affected: Zoom X3 ADSL Modem/Router Zoom X4 ADSL Modem/Router Zoom X5 ADSL Modem/Router Zoom ADSL Bridge Modem Model 5715 (1 vulnerabi

ASUS AiCloud Enabled Routers 12 Models - Authentication bypass and Sensitive file/path disclosure

2014-02-10 Thread kyle Lovett
ASUS routers, which are enabled with the AiCloud service (SSL ports), are vulnerable to bypass of authentication and sensitive file disclosure. This vulnerability has been observed in all firmware versions, though the latest version increases the complexity of the attack. By sending a special craft

ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
/Networking/RTAC68U/#support http://www.idg.no/pcworld/article281004.ece http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html Research Contact - Kyle

Re: ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Correction: I meant to say 2013, not 2012. I apologize for the error. On Wed, Feb 12, 2014 at 4:29 PM, kyle Lovett wrote: > Five ASUS RT series routers suffer from a vendor vulnerability that > default FTP service to anonymous access, full read/write permissions. > The service,

Full Disclosure - Linksys EA2700, EA3500, E4200 and EA4500 - Authentication Bypass to Administrative Console

2014-02-17 Thread kyle Lovett
il an official fix is out or vulnerability of the router has been ruled out. Research Contacts: Kyle Lovett and Matt Claunch Discovered - July 2013 Updated - February 2014

D-Link DAP-1320 Wireless Range Extender Directory Traversal and XSS Vulnerabilities

2014-04-17 Thread kyle Lovett
D-Link's DAP-1320 Wireless Range Extender suffers from both a directory traversal and an XSS vulnerability on all firmware versions. (current v. 1.20B07) - Directory Traversal CWE-22:

Full Disclosure - DIR-652/DIR-835/DIR-855L/DGL-5500/DHP-1565 - Clear Text Password/XSS/Information Disclosure

2014-05-22 Thread kyle Lovett
These items were reported to D-Link on April 20th, and to US Cert on April 21. D-Link does have patches available for all affected models, and it is highly recommended to update the device's firmware as soon as possible. Vendor Links: http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025 http://securityadvisories.dlink.com/security/ Research Contact - Kyle Lovett May 21, 2014

Easy Hosting Control Panel (EHCP) - Multiple Vulnerabilities

2016-03-30 Thread kyle Lovett
gui interface mechanisms does an OK job locking down the masked url front end web calls it makes, the entire backend files which are being called, can be directly accessed, bypassing the need to use the GUI interface. Research Contact: Kyle Lovett March 29, 2016

Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token

2017-05-26 Thread kyle Lovett
- Timeline: Vendor notified on 04/01/2017 Fix Complete on 04/06/2017 Disclosure Public 05/21/2017 Contact: Kyle Lovett krlov...@gmail.com

ASUSTOR NAS ADM - 3.1.0 Remote Command Execution, SQL Injections

2018-08-14 Thread kyle Lovett
URL http://:8001/portal/ username/password nvradmin:nvradmin An attacker can determine installed applications and attack default credentials that are not changed upon NAS initialization, which enables them to compromise end user data or gain root access on the appliance.