Western Digital My Net Password Disclosure

🗓️ 01 Aug 2013 00:00:00Reported by Kyle LovettType

packetstorm🔗 packetstormsecurity.com👁 28 Views

WD My Net routers password disclosure, affects N600, N750, N900, and N900C series with specific firmware versions, allows extraction of admin password, needs no authentication, requires UPnP and remote admin access enabled, vendor unresponsive

Reporter	Title	Published	Views	Family All 13
0day.today	Western Digital My Net Wireless Routers - Password Disclosure	3 Aug 201300:00	–	zdt
CVE	CVE-2013-5006	31 Jul 201301:00	–	cve
Cvelist	CVE-2013-5006	31 Jul 201301:00	–	cvelist
Exploit DB	Western Digital My Net Wireless Routers - Password Disclosure	2 Aug 201300:00	–	exploitdb
EUVD	EUVD-2013-4848	7 Oct 202500:30	–	euvd
exploitpack	Western Digital My Net Wireless Routers - Password Disclosure	2 Aug 201300:00	–	exploitpack
NVD	CVE-2013-5006	31 Jul 201313:20	–	nvd
OpenVAS	Western Digital My Net Devices Information Disclosure Vulnerability	5 Aug 201300:00	–	openvas
Prion	Code injection	31 Jul 201313:20	–	prion
securityvulns	Update: Full Disclosure - WD My Net N600, N750, N900, N900C - Plain Text Disclosure of Admin Credentials	12 Aug 201300:00	–	securityvulns

`Vulnerable Systems:  
Western Digital My Net Series Wireless Routers:  
N600 Firmware 1.03.12  
N600 Firmware 1.04.16  
  
N750 Firmware 1.03.12  
N750 Firmware 1.04.16  
  
N900 Firmware 1.05.12  
N900 Firmware 1.06.18  
N900 Firmware 1.06.28  
  
N900C Firmware 1.05.12  
N900C Firmware 1.06.18  
N900C Firmware 1.06.28  
  
CVE 2013-5006  
CWE-256 Plaintext Storage of a Password  
CVSS Base Score 4.3  
CVSS Impact Subscore 2.9  
Cvss Expoit Score 8.6  
(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)  
  
Proof of concept:  
curl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass'  
  
which will give an output similar to this ex:  
var pass="";  
  
Details:  
By sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.  
  
During the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.  
  
The vendor has not responded to any inquiries concerning the bug.  
  
External Sources:  
OSVDB - http://www.osvdb.org/show/osvdb/95519  
CVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006  
IBM xforce - http://xforce.iss.net/xforce/xfdb/85903  
Bugtraq/SecList - http://www.securityfocus.com/archive/1/527433  
Security Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006  
  
Vendor's Network Router Product Pages:  
http://www.wdc.com/en/products/network/routers/  
http://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564  
http://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436  
http://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879  
http://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950  
  
Additional Notes/Fixes/Workarounds:  
  
Firmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16. Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.  
  
N600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested. The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.  
  
Discovered - 07-02-2013  
Updated - 07-31-2013  
Research Contact - K Lovett  
Affiliation - SUSnet  
`

01 Aug 2013 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.08274