Vulnerabilities in NETGEAR devices that allow unauthenticated access

Three vulnerabilities have been identified in the firmware of NETGEAR DGN-2200v1 series devices, which combine the functions of an ADSL modem, a router and a wireless access point. They allow any operation in the web interface to be performed without authentication.

The first vulnerability arises because the HTTP server code can serve images, CSS and other auxiliary files directly, without requiring authentication. The code checks the request against masks of typical file names and extensions, and the check is implemented as a substring search over the entire URL, including the request parameters. If a matching substring is present, the page is served without checking whether the user is logged in to the web interface. The attack consists of appending a name from the list to the request; for example, to reach the WAN interface settings, one can send the request "https://10.0.0.1/WAN_wan.htm?pic.gif".
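The check described above, shown beside a corrected form, as an added example that is not code from the firmware or from the original article. The allowlist contents and both function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist; the firmware's real list is not shown on the page. */
static const char *const STATIC_NAMES[] = { ".gif", ".css", ".jpg", ".js" };
#define N_STATIC (sizeof STATIC_NAMES / sizeof STATIC_NAMES[0])

/* Flawed pattern: substring search over the whole URL, query string
 * included. Returns 1 if the request would skip authentication. */
int skips_auth_substring(const char *url)
{
    for (size_t i = 0; i < N_STATIC; i++)
        if (strstr(url, STATIC_NAMES[i]) != NULL)
            return 1;
    return 0;
}

/* Corrected form: look only at the path (cut at '?' or '#') and require
 * the allowlisted extension to be the suffix of that path. */
int skips_auth_path_suffix(const char *url)
{
    size_t path_len = strcspn(url, "?#");
    for (size_t i = 0; i < N_STATIC; i++) {
        size_t ext_len = strlen(STATIC_NAMES[i]);
        if (path_len > ext_len &&
            memcmp(url + path_len - ext_len, STATIC_NAMES[i], ext_len) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Request paths taken from the article plus two constructed ones. */
    const char *samples[] = { "/WAN_wan.htm?pic.gif",
                              "/NETGEAR_DGN2200.cfg?pic.gif",
                              "/pic.gif", "/style.css?v=2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s substring=%d path_suffix=%d\n", samples[i],
               skips_auth_substring(samples[i]),
               skips_auth_path_suffix(samples[i]));
    return 0;
}
```

A stricter design also confines unauthenticated files to a dedicated static directory, so that the extension of a path alone never decides whether authentication is skipped.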

The second vulnerability is caused by the use of strcmp to compare the username and password. strcmp compares character by character until it reaches a difference or a character with code zero, which marks the end of the string. An attacker can try to guess the password by trying characters one position at a time and measuring the time until the authentication error is returned: if the time increases, the correct character has been chosen and the attacker can move on to guessing the next character in the string.

The third vulnerability allows the password to be extracted from a saved configuration dump, which can be obtained by exploiting the first vulnerability (for example, by sending the request "http://10.0.0.1:8080/NETGEAR_DGN2200.cfg?pic.gif"). The password is stored in the dump in encrypted form, but the encryption uses the DES algorithm with a fixed key, "NtgrBak", which can be extracted from the firmware.

To exploit the vulnerabilities, it must be possible to send a request to the network port on which the web interface is running (from an external network, the attack can be carried out, for example, using the "DNS rebinding" technique). The problems have already been fixed in firmware update 1.0.0.60.

Source: opennet.ru
