Cross site request forgery vulnerability in Linksys WAG120N


In my previous post I described a vulnerability that would allow DNS to be configured on multiple models of Comtrend routers by clicking a URL like this:

http://admin:admin@192.168.1.1/dnscfg.cgi?dnsRefresh=1&dnsPrimary=ip_address_malicious_dns_server&dnsSecondary=ip_address_malicious_dns_server2

I am pretty sure that many models from Comtrend and other manufacturers suffer from vulnerabilities of this type. In this post I am going to describe how to attack a Linksys WAG120N router in a similar way.


Poor security in SOHO routers, again. Changing configuration parameters with a click


The poor security of SOHO routers distributed by ISPs is well known to everyone. Vulnerabilities, default passwords, … These routers expose inexperienced users to being hacked.

I want to share here a method which I have been playing with that would let us configure some router models when a user clicks a link created by us. I have not read about this method on the internet; sorry if I am wrong and it’s not new. The method is quite simple. It is usual to find routers with default passwords. These devices usually offer an HTTP-based interface to configure them, and some models accept configuration parameters through the URL.


Debugging BSOD when trying to delete malformed registry key on Windows 8.1


Over the last days my computer started to crash suddenly, with bug check 0x51 (REGISTRY_ERROR). It was totally random, so I decided to analyze the crash. I decided to write an article about this because, in spite of the fact that it doesn’t seem to be a security problem, I learnt some interesting things about the Windows registry.

 


Microsoft Office Compatibility Pack tries to execute path without quotes


A couple of days ago I found a weird behaviour on my computer. When I double-clicked a .docx file, an error message appeared saying c:\Program couldn’t be executed. I don’t know when and why I had an empty file named “c:\Program” on my computer (I had been doing tests with the %PROGRAMFILES% envar in my code and I guess the file derived from this).

I investigated it a bit and it seems to be a bug in the “Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats”. It seems it keeps a path to wordconv.exe without quotes in a registry key, so when svchost.exe tries to execute c:\Program files\Microsoft office\Office12\Wordconv.exe, if c:\Program exists on the machine, it executes c:\Program.

It’s not an important bug and doesn’t seem to be a security problem, because c:\Program is executed in the context of the currently logged-on user. However, I decided to analyze the bug and you can find the analysis in this article.
