Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability

##
## VULNERABILITY:
##
##  Belkin Wireless G Plus MIMO Router F5D9230-4
##  Authentication Bypass Vulnerability
##
##
## AUTHOR:
##
##  DarkFig < gmdarkfig (at) gmail (dot) com >
## http://acid-root.new.fr/?0:17
## #acidroot@irc.wordlnet.com
##
##
## INTRODUCTION:
##
##  I recently bought this router for my local
##  network (without modem integrated), now I can tell
##  that it was a bad choice. When my ISP disconnects
##  me from the Internet, in most cases I have to reboot
##  my modem and the router in order to reconnect.
##  So I coded a program (which sends HTTP packets) to reboot
##  my router; it asks me for the router password, and reboots it.
##  One day I typed a bad password, but it worked. So I
##  decided to make some tests in order to see if there was
##  a vulnerability.
##
##
## DESCRIPTION:
##
##  Apparently, when the router starts, it creates a file
##  (without content) named user.conf, then when we go to
##  SaveCfgFile.cgi, the configuration is saved to the file
##  user.conf. But the problem is that we can access
##  (and also change) the file SaveCfgFile.cgi without
##  logging in.
##
##
## PROOF OF CONCEPT:
##
##  For example we can get the configuration file here:
## http:///SaveCfgFile.cgi
##
##  pppoe_username=...
##  pppoe_password=...
##  wl0_pskkey=...
##  wl0_key1=...
##  mradius_password=...
##  mradius_secret=...
##  httpd_password=...
##  http_passwd=...
##  pppoe_passwd=...
##
##
##  Tested on the latest firmware for this product
##  (version 3.01.53).
##
##
## PATCH
##
##  Actually there is no firmware update, but I contacted the
##  author; if they release a patch, it will be available here:
## http://web.belkin.com/support/download/download.asp
##  ?download=F5D9230-4&lang=1&mode=
##
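
Because the exported configuration is readable without login, every credential it holds should be treated as disclosed. The following is an added example, not part of the original advisory: it triages a saved copy of the configuration and lists which credentials need rotating, without echoing their values. It assumes one key=value pair per line as shown in the proof of concept; the group labels are inferred from the key names, and the function names and sample data are constructed for illustration.

```python
# Added example, not from the advisory. Key names come from the proof of
# concept above; the group labels are inferred from those names (assumption).
SENSITIVE_KEYS = {
    "pppoe_username": "ISP (PPPoE) account",
    "pppoe_password": "ISP (PPPoE) account",
    "pppoe_passwd": "ISP (PPPoE) account",
    "wl0_pskkey": "Wi-Fi WPA pre-shared key",
    "wl0_key1": "Wi-Fi WEP key",
    "mradius_password": "RADIUS",
    "mradius_secret": "RADIUS",
    "httpd_password": "router admin login",
    "http_passwd": "router admin login",
}

# Constructed sample export: every value, and the lan_ipaddr key, is made up.
SAMPLE = """\
lan_ipaddr=192.168.2.1
pppoe_username=user@example.invalid
pppoe_password=CONSTRUCTED-isp-pw
wl0_pskkey=CONSTRUCTED-psk
wl0_key1=
http_passwd=CONSTRUCTED-admin
"""

def parse_config(text):
    """Parse key=value lines; skip blanks and lines without '='."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip():
            entries[key.strip()] = value.strip()
    return entries

def exposed_secrets(text):
    """Return (key, group) for each sensitive key that holds a value.
    Values are deliberately never returned, so reports stay safe to share."""
    return [(key, SENSITIVE_KEYS[key])
            for key, value in parse_config(text).items()
            if key in SENSITIVE_KEYS and value]

def rotation_checklist(text):
    """Unique credential groups to rotate, sorted for stable output."""
    return sorted({group for _, group in exposed_secrets(text)})

if __name__ == "__main__":
    for key, group in exposed_secrets(SAMPLE):
        print(f"{key:18} -> rotate: {group}")
    print("Checklist:", rotation_checklist(SAMPLE))
```

Keys with an empty value, such as wl0_key1 in the sample, are skipped because there is nothing to rotate.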
